Privilege Escalation: 19BCT0021 Swayam Shresth Mohapatra CSE-3501 ISAA L55+56
Privilege Escalation
If we look at the output of ls -la, we can see that some entries have rwx (read, write, execute) and some have
read, then a dash, and then execute. These are the permissions, and
we can tell whether an entry is a directory or a file from the first character. For example, “d”
means it is a directory, and a dash (“-”) means it is a file.
There is also the SUID permission, or Set User ID, which allows users to execute a file
with the permissions of a specified user (the file's owner). Therefore, a file with the SUID permission runs
with higher privileges when its owner is a more privileged user. If the SUID permission is set on a file, we are able to
see an ‘s’ in the permissions, in place of the owner's execute bit, as shown below.
To find this ‘s’ we will be using the command:
find / -perm -u=s -type f 2>/dev/null
The forward slash means that the search starts from the top, or root, of the file system.
-perm tells find to match on permissions.
Then we state what permissions we are looking for: we are after files owned by the
root user, and -u=s selects the ones with that ‘s’ set in the user (owner) permissions.
Then we say what type we are looking for with -type, so we say files (f).
Finally, 2>/dev/null sends the errors to /dev/null, which filters them out so
that they are not output to your console.
2 is the file descriptor for standard error, which is where errors are written. By default
they are printed on the console.
> redirects output to the specified place, in this case /dev/null.
/dev/null is the standard Linux device where you send output that you want ignored.
As we can see, the privilege escalation takes place in the bash file, as its
permissions have an ‘s’.
In the next step we remove the privilege escalation.
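The find command above and the removal step can be combined into one audit, shown here as an added example that is not part of the original report. The allowlist contents and the function names are assumptions made for this sketch; adjust the allowlist to the binaries your distribution actually ships with SUID.

```shell
#!/bin/sh
# Added example: audit set-UID files under a directory against an allowlist.
# ALLOWLIST and all function names are hypothetical, chosen for this sketch.

# Basenames expected to carry the SUID bit (constructed sample list).
ALLOWLIST="passwd su sudo mount umount"

# Print every set-UID regular file under $1, one path per line.
# Same test as the command in the text: -perm -u=s -type f, errors discarded.
list_suid() {
    find "$1" -perm -u=s -type f 2>/dev/null
}

# Print only the set-UID files whose basename is not on the allowlist.
unexpected_suid() {
    list_suid "$1" | while IFS= read -r path; do
        name=$(basename "$path")
        case " $ALLOWLIST " in
            *" $name "*) ;;                 # expected SUID binary, skip
            *) printf '%s\n' "$path" ;;     # unexpected, report it
        esac
    done
}

# Clear the set-UID bit on every unexpected file and report each change.
strip_unexpected_suid() {
    unexpected_suid "$1" | while IFS= read -r path; do
        chmod u-s "$path" && printf 'cleared SUID: %s\n' "$path"
    done
}

# Report-only run when a directory is given on the command line.
if [ -n "${1:-}" ]; then
    unexpected_suid "$1"
fi
```

Run it report-only first and review the output before calling strip_unexpected_suid, since clearing the bit on a binary that legitimately needs it will break that program for ordinary users.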