🛸SUID
SUID Privilege Escalation
SUID (Set User ID) is a special permission in Unix-like operating systems that allows users to execute a program with the permissions of its owner. When a binary has the SUID bit set, it runs with the privileges of the binary's owner, often allowing users to perform actions they wouldn't normally be able to do.
Understanding SUID
The SUID permission is represented by the numeric value 4 in the permission field of a file. When an executable file has the SUID bit set, it runs with the effective user ID (EUID) of the file's owner.
In the example above, /usr/bin/passwd
has the SUID bit set. The 's' in the owner's execute permission (-rwsr-xr-x
) indicates the SUID bit.
Exploiting SUID for Privilege Escalation
1. Identifying SUID Binaries
This command lists all files on the system with the SUID bit set. Pay attention to binaries owned by root, as they may provide an opportunity for privilege escalation.
2. Checking Vulnerabilities
Some SUID binaries may have vulnerabilities or misconfigurations that can be exploited. Commonly misconfigured binaries include editors, interpreters, and custom scripts.
These commands help analyze the behavior of the binary, providing insights into its functionality and potential vulnerabilities.
Once you found all the files that have the sticky bytes, compare it to the gtfobins database to see which one are vulnerable to known exploits:
3. Exploiting Vulnerabilities
Example: Exploiting passwd
In this example, a writable /tmp/passwd
file is created, and the PATH
environment variable is manipulated to make /usr/bin/passwd
use the local directory for executable files. This allows an attacker to change the root user's password without knowing the current password.
4. Using Scripts and Tools
Several tools and scripts automate the process of identifying and exploiting SUID binaries. Examples include GTFOBins and LinEnum.
Shared Object Injection
Shared Object Injection is a technique where an attacker exploits the dynamic linking functionality in Unix-based systems to load and execute malicious shared objects (shared libraries). By manipulating the loading process of shared objects, an attacker can achieve privilege escalation and execute arbitrary code with elevated permissions.
Understanding Shared Objects
Shared objects, also known as shared libraries, are files containing compiled code and data that multiple programs can use simultaneously. These libraries are loaded at runtime and linked dynamically to the executing process.
Identifying Shared Objects
Shared objects typically have file extensions like .so
on Linux systems. They can be found in directories such as /lib
, /lib64
, /usr/lib
, and others.
Exploiting Shared Object Injection
1. Identifying Vulnerable Programs
Look for programs that load shared objects without specifying the full path. These programs are susceptible to shared object injection.
2. Creating a Malicious Shared Object
Write a shared object with malicious code. For example, create a file named malicious.so
with the following:
Compile it:
3. Exploiting the Vulnerability
Place the malicious shared object in a directory that is part of the target binary's library search path.
Real world test:
we know which file to attack in this example:
We are curious to know what this file does:
What we hunt for are those "No such file or directory" error messages and write down what file it's trying to access. We can grep on this:
Our goal is to overwrite a file that is being called but does not exist, such as libcalc.so and inject malicious code in those files
Last updated