# Exploiting SUID Binaries

* In addition to the three main file access permissions (read, write and execute), Linux also provides users with specialized permissions that can be utilized in specific situations. One of these access permissions is the SUID (Set Owner User ID) permission.
* When applied, this permission provides users with the ability to execute a script or binary with the permissions of the file owner as opposed to the user that is running the script or binary.
* SUID permissions are typically used to give unprivileged users the ability to run specific scripts or binaries with “root” permissions. Note, however, that the elevated privileges are limited to the execution of that script or binary and do not translate into a general elevation of the user's privileges. If the binary or script is improperly configured, an unprivileged user can exploit that misconfiguration, or a vulnerability within it, to obtain an elevated session.
* This is the functionality we will attempt to exploit in order to elevate our privileges. The success of the attack depends on the following factors:
  * Owner of the SUID binary – Given that we are attempting to elevate our privileges, we will only be exploiting SUID binaries that are owned by the “root” user or other privileged users.
  * Access permissions – We will require executable permissions in order to execute the SUID binary.

## Attack Flow for Exploiting SUID Binaries

### **1. Locate SUID Files**

First, find files with the SUID permission set to gain elevated privileges:

```bash
find / -perm -u=s -type f 2>/dev/null
```

This command searches the entire filesystem (`/`) for files (`-type f`) with the SUID bit set (`-perm -u=s`), ignoring error messages (`2>/dev/null`).

### **2. Identify File Type**

Once you identify a file with SUID set, determine its type using the `file` command:

```bash
file <file_name>
```

Replace `<file_name>` with the name of the SUID-enabled file. This command tells you whether the file is a binary, script, or another type.

### **3. Extract Strings from the Binary**

Use the `strings` command to extract readable strings from the binary file:

```bash
strings <file_name>
```

This helps identify any readable content within the binary, such as file paths or function names.

### **4. Manipulate Referenced Files**

If the `strings` command reveals references to other files called by the SUID binary, you can tamper with the referenced file. For example, you can replace it with a malicious one such as the Bash shell:

```bash
cp /bin/bash <original_filename>
```

Replace `<original_filename>` with the path and name of the file being referenced by the SUID binary.

### **5. Execute the SUID Binary**

When the manipulated SUID-enabled file is executed, it runs with elevated privileges. By substituting referenced files with malicious alternatives, you can potentially gain a root shell on the system.
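The same steps seen from the defender's side, as an added example that is not part of the original notes: an audit script that takes the `strings` output of a SUID binary and reports which referenced files an unprivileged user could replace, which is exactly the condition step 4 relies on. The sample strings output, the `greetings` name and the `/tmp/motd.txt` path are constructed for the example.

```shell
#!/bin/sh
# Added audit helper, not part of the original notes: it applies steps 1-4
# above from the defender's side and reports which files referenced by a
# SUID binary an unprivileged user could replace. Assumes a POSIX shell and
# `find -perm`; the sample `strings` output below is constructed.

# has_bit PATH MODE -> true if all mode bits in MODE (octal) are set on PATH
# (-L follows symlinks, otherwise a link's own 777 mode would be tested)
has_bit() { [ -n "$(find -L "$1" -maxdepth 0 -perm -"$2" 2>/dev/null)" ]; }

# classify_ref PATH -> RELATIVE | WRITABLE | MISSING | OK
#   RELATIVE: bare name, resolved through the caller's PATH at run time
#   WRITABLE: file is world-writable, or sits in a world-writable directory
#             without the sticky bit (so it can be renamed away and swapped)
#   MISSING : file absent, but anyone may create it in that directory
#   OK      : absolute, present, and not replaceable by other users
classify_ref() {
  p=$1
  case $p in /*) ;; *) echo RELATIVE; return ;; esac
  dir=${p%/*}; [ -z "$dir" ] && dir=/
  if [ -e "$p" ]; then
    if has_bit "$p" 0002; then echo WRITABLE
    elif has_bit "$dir" 0002 && ! has_bit "$dir" 1000; then echo WRITABLE
    else echo OK; fi
  elif [ -d "$dir" ] && has_bit "$dir" 0002; then echo MISSING
  else echo OK; fi        # absent, and nobody unprivileged can create it there
}

# audit_refs REF... -> one "STATUS ref" line per reference
audit_refs() {
  for r in "$@"; do printf '%s %s\n' "$(classify_ref "$r")" "$r"; done | sort
}

# abs_paths < strings-output -> absolute paths found in the output. Bare
# command names (like "greetings" below) cannot be told apart from symbol
# names automatically, so pass those to audit_refs by hand.
abs_paths() { grep -oE '^/[A-Za-z0-9_./-]+' | sort -u; }

# Constructed sample: what `strings` might show for a SUID binary that
# calls one relative command and touches two absolute paths
SAMPLE_STRINGS='/lib64/ld-linux-x86-64.so.2
greetings
/usr/bin/id
/tmp/motd.txt
Welcome to the system'

main() { audit_refs greetings $(printf '%s\n' "$SAMPLE_STRINGS" | abs_paths); }
main
```

Any reference reported as RELATIVE, WRITABLE or MISSING is the hijack condition described in step 4; the fix is for the binary to call absolute paths with a sanitised PATH and for the referenced files to be root-owned and not world-writable.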

***

**Hacker's Mantra:** "No one messes around with a nerd’s computer and escapes unscathed." - E.A. Bucchianeri
