
SUID (Set User ID)

Lets a file run with the privileges of the file's owner instead of the user who launched it (a SUID binary owned by root runs as root no matter who executes it).

It's stored in the file's permission bits, so it shows up in ls -la.

How to find

background info:

ls -la
image

drwxr-xr-x

first character: d = directory, - = regular file (l = symlink)

next 3: read, write, execute for the owner (u)

next 3: read, write, execute for the group (g)

last 3: read, write, execute for everyone else (o)

the file owner in this screenshot is TCM

-rw-------

means a regular file that only its owner can read and write; group and everyone else have no access at all

what are perms for /etc/shadow:

ls -la /etc/shadow
image

regular file, owned by root

on a stock Debian/Ubuntu box it is -rw-r----- root shadow: read and write for root, read only for the shadow group, and no access at all for everyone else (unprivileged users must never be able to read it, it holds the password hashes)

what can we do with this in SUID?

We wanted to make a certain file executable. We can do

chmod +x filename

or “for everything, I want read, write, execute”:

chmod 777 filename

reference for why 7: https://www.notion.so/Users-and-Privileges-7cd2b25ab18b4f2ba521b01942d36d33?pvs=4#a6ede42b72a44794a9c58c5c411687ac but the quick version is:

4 = read

2 = write

1 = execute

so 6 is 4+2 which means read and write privilege.

7 is 4+2+1 which means all 3 privileges.

For SUID, you see an s in place of the x in the first (owner) group, like:

-rwsrw-r--

a lowercase s means the SUID bit and the owner's execute bit are both set; a capital S means SUID is set but execute is not, so the file can't actually be run (still worth noting, it usually means a botched chmod). In octal the special bits are a 4th leading digit: SUID = 4, SGID = 2, sticky = 1, so chmod 4755 file gives -rwsr-xr-x.

s in other spots?

If s in the 2nd group, that would be “Set Group ID” SGID:

-rw-rwsr--

the third slot (everyone else) never shows an s; instead you see a t there:

-rw-rw-rwt

This is the sticky bit (lowercase t when others also have execute, capital T when they don't). It matters mostly on world-writable directories like /tmp (drwxrwxrwt): anyone can create files there, but only a file's owner (or root) can delete or rename it.

image

*ignore GUID, it’s called SGID as mentioned before
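To make the s/S and t/T rules and the 4/2/1 octal digits concrete, here is a small POSIX sh helper (added here as a worked example, not part of the original notes) that decodes a 10-character ls -l mode string into its special bits and the matching chmod octal. The input strings are constructed samples; nothing is read from the real filesystem.

```bash
#!/bin/sh
# decode_mode: classify a 10-character ls -l mode string (e.g. -rwsr-xr-x).
# Prints "<type> <special bits>" where special bits is a space separated list
# of suid / sgid / sticky, with "-noexec" appended for the capital S / T
# case (bit set but the matching execute bit missing), or "none".
decode_mode() {
    mode=$1
    if [ "${#mode}" -ne 10 ]; then
        echo "bad mode string: $mode" >&2
        return 1
    fi
    t=$(printf '%s' "$mode" | cut -c1)    # d, -, l, ...
    u=$(printf '%s' "$mode" | cut -c4)    # owner execute slot: x - s S
    g=$(printf '%s' "$mode" | cut -c7)    # group execute slot: x - s S
    o=$(printf '%s' "$mode" | cut -c10)   # other execute slot: x - t T
    case "$t" in d) kind=dir ;; -) kind=file ;; l) kind=symlink ;; *) kind=other ;; esac
    bits=""
    case "$u" in s) bits="${bits}suid " ;; S) bits="${bits}suid-noexec " ;; esac
    case "$g" in s) bits="${bits}sgid " ;; S) bits="${bits}sgid-noexec " ;; esac
    case "$o" in t) bits="${bits}sticky " ;; T) bits="${bits}sticky-noexec " ;; esac
    if [ -z "$bits" ]; then bits="none "; fi
    printf '%s %s\n' "$kind" "${bits% }"
}

# triplet_value: rwx triplet (3 chars) -> 0..7 using r=4 w=2 x=1.
# A lowercase s or t in the third slot counts as execute; capital S/T does not.
triplet_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??[xst]) v=$((v + 1)) ;; esac
    echo "$v"
}

# mode_to_octal: full 4-digit chmod value, leading digit = 4*suid + 2*sgid + 1*sticky.
mode_to_octal() {
    mode=$1
    special=0
    case "$mode" in ???[sS]??????) special=$((special + 4)) ;; esac
    case "$mode" in ??????[sS]???) special=$((special + 2)) ;; esac
    case "$mode" in ?????????[tT]) special=$((special + 1)) ;; esac
    u=$(triplet_value "$(printf '%s' "$mode" | cut -c2-4)")
    g=$(triplet_value "$(printf '%s' "$mode" | cut -c5-7)")
    o=$(triplet_value "$(printf '%s' "$mode" | cut -c8-10)")
    echo "$special$u$g$o"
}

# Constructed samples (not taken from a real box):
for m in -rwsr-xr-x -rwSr--r-- -rwxr-sr-x drwxrwxrwt -rwsr-sr-x -rw-r--r--; do
    printf '%s  %s  chmod %s\n' "$m" "$(decode_mode "$m")" "$(mode_to_octal "$m")"
done
```

Feed it any mode string from your own ls -la output; a line that comes back with suid-noexec or sgid-noexec is set but not runnable, which is why you always confirm with ls -la before spending time on a GTFOBins lookup.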

how to hunt for these SUID files:

find / -perm -u=s -type f 2>/dev/null

find files by permission bits:

-perm -u=s: the setuid bit is set in the owner (u) permissions, same as -perm -4000. It says nothing about who the owner is, so check with ls -la afterwards (root-owned is what you want)

-type f: regular files only

2>/dev/null: permission-denied errors go into the abyss so the list stays readable

(swap in -perm -g=s, or -perm -2000, to hunt for SGID files the same way)

most of the results are standard system binaries (you'll recognise them with practice, and later you can check each against GTFOBins):

the ones to look at first are anything outside the normal system paths or with a version number baked into the name (here the highlighted /usr/local/bin/suid-* binaries and the old exim build stand out):

/usr/bin/chsh
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/sudoedit
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chfn
/usr/local/bin/suid-so
/usr/local/bin/suid-env
/usr/local/bin/suid-env2
/usr/sbin/exim-4.84-3
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
/bin/ping6
/bin/ping
/bin/mount
/bin/su
/bin/umount
/sbin/mount.nfs

Check a specific file:

ls -la /usr/bin/chfn

once you see the s (and the owner is root), go to gtfobins.github.io and click SUID at the top to get every binary with a known SUID privesc,

then compare your find output against their list; any match is a candidate to try.
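The same hunt as a repeatable script (added example, not from the course): it runs the find from above, then separates the usual distro SUID binaries from the ones worth a closer look. BASELINE is an assumed Debian/Ubuntu starting list that you should adjust per distro, and SAMPLE is the find output from the notes above embedded as constructed input so the triage can be exercised offline.

```bash
#!/bin/sh
# SUID triage: find setuid files, drop the ones that normally ship with the OS,
# and print the rest with a reason. Assumed baseline (Debian/Ubuntu style);
# regenerate it from a clean install of the target's distro before trusting it.
BASELINE='/usr/bin/chsh /usr/bin/sudo /usr/bin/newgrp /usr/bin/sudoedit
/usr/bin/passwd /usr/bin/gpasswd /usr/bin/chfn /usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device /usr/lib/pt_chown /bin/ping6 /bin/ping
/bin/mount /bin/su /bin/umount /sbin/mount.nfs'

# classify_suid PATH -> "standard" or "investigate:<reason>"
classify_suid() {
    p=$1
    # anything installed outside the packaged system paths is suspicious by itself
    case "$p" in
        /usr/local/*|/opt/*|/home/*|/tmp/*|/var/tmp/*|/dev/shm/*)
            echo "investigate:non-system path"
            return 0 ;;
    esac
    for b in $BASELINE; do
        if [ "$b" = "$p" ]; then
            echo "standard"
            return 0
        fi
    done
    echo "investigate:not in baseline"
}

# triage_suid: read one path per line on stdin, print only the ones to look at
# as "<path><TAB><reason>"
triage_suid() {
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        c=$(classify_suid "$p")
        case "$c" in
            standard) ;;
            *) printf '%s\t%s\n' "$p" "${c#investigate:}" ;;
        esac
    done
}

# hunt_suid: live run on the current box (real filesystem, not exercised offline)
hunt_suid() {
    find / -perm -4000 -type f 2>/dev/null | triage_suid
}

# Constructed sample: the find output listed in the notes above.
SAMPLE='/usr/bin/chsh
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/sudoedit
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chfn
/usr/local/bin/suid-so
/usr/local/bin/suid-env
/usr/local/bin/suid-env2
/usr/sbin/exim-4.84-3
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
/bin/ping6
/bin/ping
/bin/mount
/bin/su
/bin/umount
/sbin/mount.nfs'

# count_flagged: how many of the sample entries need a closer look
count_flagged() {
    printf '%s\n' "$SAMPLE" | triage_suid | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | triage_suid
```

On the sample this leaves four entries: the three /usr/local/bin/suid-* binaries and /usr/sbin/exim-4.84-3. Run hunt_suid on a real target, then ls -la each flagged path to confirm it is root-owned with a lowercase s before looking it up on GTFOBins; the baseline only tells you what is unusual, not what is exploitable.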

Challenge time:

Vulnversity