Recently during a CTF I found a few users were unfamiliar with abusing setuid on executables on Linux systems for the purposes of privilege escalation. If an executable file on Linux has the "suid" bit set, then when a user executes that file it will run with the owner's permission level and not the executor's permission level. This means that if you find a file with this bit set which is owned by a user with a higher privilege level than yourself, you may be able to gain that user's permissions.
On the CTF one team had successfully gained command execution on a web server. This gave them the following:
Here the user has a shell on the web server running as a low privilege user, however they can look for files with the suid bit set using the find command, like this:
find / -user root -perm -4000 -exec ls -ldb {} \;
At this point I wanted to look for things in the listing that were potentially unusual, so I took a look at my local Fedora installation and compared the two lists. This gave two ways to potentially gain privileges: the first was to abuse nmap and the second was to abuse the find command. An example of doing this can be found below:
touch foo
find foo -exec whoami \;
Here I've created the foo file using the touch command. It is simply a blank file: the -exec parameter of the find command will execute the given command for every file that it finds, so by using "find foo" I ensure it only executes once. Here we can see the whoami command executed as root.
Pew pew!
In the real world the final step depends on what the vulnerable command is, however any command execution feature (such as nmap --interactive or find -exec) can be abused, and software weaknesses such as buffer overflows can also be abused for privilege escalation.
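The comparison step above, listing the SUID root files on a host and checking them against a known-good install, is also the defensive side of this: a periodic audit that flags SUID binaries which have no business carrying the bit (find and nmap being the two cases from the CTF), followed by clearing the bit. The script below is an added example written for this post, not code from the original write-up. The paths in BASELINE_SUID and CURRENT_SUID are constructed sample data rather than a real scan, and collect_suid, unexpected_suid, count_unexpected and strip_suid are helper names chosen here.

```shell
#!/bin/sh
# Added example: audit root-owned SUID binaries against a known-good baseline
# and clear the bit from anything unexpected. Not part of the original post.
# BASELINE_SUID and CURRENT_SUID are constructed sample lists; on a live host
# collect_suid would produce the current list.

# Fixed collation so sort and comm agree on ordering.
LC_ALL=C
export LC_ALL

# Constructed baseline: SUID root files expected on a stock install.
BASELINE_SUID='/usr/bin/mount
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/umount'

# Constructed "current" scan, as the find command from the post would report it.
CURRENT_SUID='/usr/bin/find
/usr/bin/mount
/usr/bin/nmap
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/umount'

# collect_suid [ROOT]: list root-owned SUID regular files under ROOT (default /),
# one path per line, sorted so the output can be diffed against a baseline.
collect_suid() {
    find "${1:-/}" -xdev -user root -perm -4000 -type f -print 2>/dev/null | sort -u
}

# unexpected_suid BASELINE CURRENT: print paths present in CURRENT but absent
# from BASELINE. Both arguments are newline-separated path lists.
unexpected_suid() {
    base_f=$(mktemp) || return 1
    cur_f=$(mktemp) || { rm -f "$base_f"; return 1; }
    printf '%s\n' "$1" | sort -u > "$base_f"
    printf '%s\n' "$2" | sort -u > "$cur_f"
    # comm -13 drops lines only in the baseline and lines common to both,
    # leaving lines that only appear in the current scan.
    comm -13 "$base_f" "$cur_f"
    rm -f "$base_f" "$cur_f"
}

# count_unexpected BASELINE CURRENT: number of unexpected SUID paths, usable as
# an alert threshold (anything above 0 deserves a look).
count_unexpected() {
    unexpected_suid "$1" "$2" | awk 'END { print NR }'
}

# strip_suid PATH: remediation for a binary that should never run setuid;
# clears the setuid bit so the file runs with the caller's own privileges.
strip_suid() {
    chmod u-s "$1"
}

# Demo on the constructed data: prints /usr/bin/find and /usr/bin/nmap.
echo "Unexpected SUID root binaries:"
unexpected_suid "$BASELINE_SUID" "$CURRENT_SUID"
```

To use this against a real host, capture `collect_suid /` once on a freshly built system as the baseline, then run `unexpected_suid "$(cat baseline.txt)" "$(collect_suid /)"` from cron or a configuration-management check; each path it reports is either a new package that legitimately needs setuid (add it to the baseline) or a candidate for `strip_suid`.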