SUID and SGID exploits

Become root on Linux via SUID:

  1. List files that have SUID or SGID bits set

  2. Exploit

Example: nano

Crack passwords file

  1. List files that have SUID or SGID bits set:

find / -type f -perm -04000 -ls 2>/dev/null
  1. Compare these executables with GTFOBins SUID. The nano text editor has the SUID bit set

  2. Read /etc/passwd and /etc/shadow using nano.

  3. Copy contant to local passwd.txt resp shadow.txt files.

  4. Use the unshadow tool to create a file crackable by John the Ripper

unshadow passwd.txt shadow.txt > passwords.txt

Add a user

The other option would be to add a new user that has root privileges.

  1. Using the openssl tool, create a password hash for a new user:

openssl passwd -1 -salt <password>
  1. Add this password with a username to the /etc/passwd file. Use root:/bin/bash to give this user a root shell.

  2. Switch to this user.

Notes

SUID (Set-user Identification) and SGID (Set-group Identification) allow files to be executed with the permission level of the file owner or the group owner, respectively.

Such files have an s bit set showing their special permission level. To find binaries known to be exploitable when the SUID bit is set see GTFObins SUID.