SUID privilege escalation

Table of contents

1. Principle

2. Rights escalation steps

1. Information collection

(1) User permission collection (whoami&id)

(2) SUID permission file collection (find / -user root -perm -4000 -exec ls -ldb {} \;)

2. Elevate privileges

(1) Directory switching (cd /tmp)

(2) Arbitrary file creation (touch file name)

(3) Specific SUID privilege escalation (find, nmap, bash, etc.; e.g. find <file name> -exec whoami \;)

3. Summary

1. Principle

SUID is a special permission bit set on a binary program. It lets whoever executes the binary temporarily act with the permissions of the file's owner. If SUID is set on certain commands, this creates a privilege escalation risk. Commands commonly found with SUID set include nmap, vim, find, bash, more, less, nano and cp.

When an s appears in place of the x in the file owner's permission bits, the file is said to have "Set UID", or SUID for short. The restrictions and effects of SUID on a file are as follows:

(1) SUID is only effective on binary programs

(2) The executor must have execute (x) permission on the program

(3) The permission is in effect only while the program is running

(4) While running, the executor has the permissions of the program's owner (user). In octal, SUID is 4, SGID is 2 and the sticky bit (SBIT) is 1; the digit placed before the ordinary permission digits, as in 4777, sets these bits. 4777 is displayed as rws-rwx-rwx: the owner's x has become s, indicating SUID.

Summary of the principles of SUID privilege escalation:

Find binaries that carry the SUID bit and are owned by a privileged user, then use one of those binaries' own command-execution features to run the command we want with the owner's privileges.
In short: locate specific binaries with SUID set, then use their options to invoke the privilege escalation command.

2. Rights escalation steps

1. Information collection

(1) User permission collection (whoami&id)

Execute whoami, id and similar commands to confirm that user mark is an ordinary user with UID 1000 (a UID greater than 499 and less than 65535 denotes an ordinary user).

(2) SUID permission file collection (find / -user root -perm -4000 -exec ls -ldb {} \;)

Find files with the SUID bit set.

Execute find / -user root -perm -4000 -exec ls -ldb {} \; . This uses find to locate root-owned files with SUID set (SUID is 4 in octal notation) and runs ls on each one to list it.

Command parsing

Explanation of -exec

The -exec option is followed by the command to run, and the end of that command is marked with ;, so the semicolon after the command is indispensable. Because the semicolon also has a special meaning to the shell, it is escaped with a backslash.

The curly brackets {} stand for the file name found by find. Whenever you want to perform an operation on each file found, -exec lets you combine that operation with find, which is very convenient. Some operating systems only allow -exec to run commands such as ls or ls -l. If you run find without -exec, you will see that it prints only the path and file name relative to the starting directory.

2. Elevate privileges

(1) Directory switching (cd /tmp)

The owner and group of the find binary are both root, and find can be used to execute other system commands, so find can run whoami to show the effective user.
Execute cd /tmp to switch directories.

(2) Arbitrary file creation (touch file name)

Create any file; here, execute touch 1 to create a file named 1.

(3) Specific SUID privilege escalation (find, nmap, bash, etc.; e.g. find <file name> -exec whoami \;)

Execute find 1 -exec whoami \; . find locates the file named 1 and runs whoami on it. As shown in the figure, the reported user is root, so the privilege escalation has succeeded.

3. Summary

1. Use specific SUID binaries. Check with tools or manually whether any of these have the SUID bit set:
nmap, vim, find, bash, more, less, nano, cp, etc.
2. Once one is found, use touch to create a file in /tmp, then use that SUID binary to execute the privilege escalation command.
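As an added defender-side example (not code from the original post), the audit below applies the same -perm -4000 test the post uses to a directory tree, lists every SUID file, flags those whose names match the binaries the post names as commonly abusable, and prints the chmod u-s commands an operator could review to remove the bit. The directory argument and the RISKY list are assumptions made for this example.

```bash
#!/bin/sh
# Added defender-side SUID audit; not code from the original post.
# Binaries the post lists as commonly abusable when SUID is set (assumed list).
RISKY="nmap vim find bash more less nano cp"

# audit_suid DIR
#   Prints one line per SUID file under DIR: "<path>" or "<path> RISKY"
#   when the file name is in RISKY. Same -perm -4000 test as the post's find.
audit_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        name=$(basename "$f")
        flag=""
        for r in $RISKY; do
            if [ "$name" = "$r" ]; then flag=" RISKY"; fi
        done
        printf '%s%s\n' "$f" "$flag"
    done
}

# count_risky DIR
#   Number of flagged SUID files under DIR (0 is a clean result).
count_risky() {
    audit_suid "$1" | grep -c ' RISKY$' || true
}

# remediation_commands DIR
#   Prints a chmod u-s command for each flagged file so an operator can
#   review and apply it; this function changes nothing itself.
remediation_commands() {
    audit_suid "$1" | sed -n 's/ RISKY$//p' | while IFS= read -r f; do
        printf 'chmod u-s %s\n' "$f"
    done
}
```

Run it as audit_suid / on a host to get the full list; the test below exercises it on a constructed temporary directory.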
