handbook/tools/5.Machine/1.Linux/General/Exploitation/1.Privilege-Escalation/2.SUID-Sudo-Right-Abuse.md
2024-08-31 01:07:22 +02:00

6.7 KiB

General

SUID (Set User ID) is a Unix permission that allows a user to execute a program with the privileges of the owner of the file. This can be useful in certain situations, such as when a user needs to perform a task that requires elevated privileges. However, SUID can also be a vulnerability if an attacker is able to exploit it to gain unauthorized access to a system or network. One way an attacker might exploit SUID is by modifying a SUID-enabled program to include malicious code. When the program is executed, the malicious code will run with the privileges of the owner of the file, allowing the attacker to potentially gain access to sensitive information or execute arbitrary commands.

Sudo privileges can be granted to an account, permitting the account to run certain commands in the context of the root (or another account) without having to change users or grant excessive privileges. It is easy to misconfigure this. For example, a user may be granted root-level permissions without requiring a password. Or the permitted command line might be specified too loosely, allowing us to run a program in an unintended way, resulting is privilege escalation. For example, if the sudoers file is edited to grant a user the right to run a command such as tcpdump per the following entry in the sudoers file: (ALL) NOPASSWD: /usr/sbin/tcpdump an attacker could leverage this to take advantage of a the postrotate-command option.

SUDO Commands

The sudo command, by default, allows you to run a program with root privileges. Under some conditions, system administrators may need to give regular users some flexibility on their privileges. For example, a junior SOC analyst may need to use Nmap regularly but would not be cleared for full root access. In this situation, the system administrator can allow this user to only run Nmap with root privileges while keeping its regular privilege level throughout the rest of the system.

Check SUDO permision

sudo -l

SUID Commands

The first step in Linux privilege escalation exploitation is to check for files with the SUID/GUID bit set. This means that the file or files can be run with the permissions of the file(s) owner/group. In this case, as the super-user. We can leverage this to get a shell with these privileges!

  • What is an SUID binary?

    As we all know in Linux everything is a file, including directories and devices which have permissions to allow or restrict three operations i.e. read/write/execute. So when you set permission for any file, you should be aware of the Linux users to whom you allow or restrict all three permissions. Take a look at the following demonstration of how maximum privileges (rwx-rwx-rwx) look:

    r = read
    w = write
    x = execute
    

        user     group     others
         rwx        rwx        rwx
         421       421        421

    The maximum number of bit that can be used to set permission for each user is 7, which is a combination of read (4) write (2) and execute (1) operation. For example, if you set permissions using "chmod" as 755, then it will be: rwxr-xr-x.

    But when special permission is given to each user it becomes SUID or SGID. When extra bit “4” is set to user(Owner) it becomes SUID (Set user ID) and when bit “2” is set to group it becomes SGID (Set Group ID).

    Therefore, the permissions to look for when looking for SUID is:

    SUID:
    - rws-rwx-rwx
    
    GUID:
    - rwx-rws-rwx
    

Commands (Manual or use • LinEnum)

find / -perm -u=s -type f 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
  • find  ---> Initiates the "find" command
  • / ---> Searches the whole file system
  • -perm ---> Searches for files with specific permissions
  • -u=s ---> Any of the permission bits mode are set for the file. Symbolic modes are accepted in this form
  • -type f ---> Only search for files
  • 2>/dev/null ---> Suppresses errors

These allow files to be executed with the permission level of the file owner or the group owner, respectively

We can also use getcap to list all the permission of the services that run on the machine.

getcap -r / 2>/dev/null

From the getcap research, check if you can elevate your privilege from the SUID

https://gtfobins.github.io

Setuid Bit & Setgid Bit

In the Linux operating system, the setuid bit and setgid bit are special flags that can be set on executable files to enable certain privileges or permissions.

The setuid bit (short for "set user ID") is a flag that can be set on an executable file to enable it to run with the permissions of the file's owner rather than the permissions of the user who is executing the file. This can be useful for allowing users to execute certain privileged commands or access certain resources that they would not normally have access to.

The setgid bit (short for "set group ID") is a similar flag that can be set on an executable file to enable it to run with the permissions of the file's group rather than the permissions of the user who is executing the file. This can be useful for allowing users to execute certain commands or access certain resources that are shared among a group of users.

Both the setuid bit and setgid bit can be useful for allowing users to perform certain actions that require special privileges or permissions. However, they can also be misused or exploited by attackers to gain unauthorized access to sensitive data or systems, so it is important to use them carefully and to properly secure any executables that have these flags set.

Look for programs with the setuid bit set

find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
  • It may be possible to reverse engineer the program with the SETUID bit set, identify a vulnerability, and exploit this to escalate our privileges. Many programs have additional features that can be leveraged to execute commands and, if the setuid bit is set on them, these can be used for our purpose.

Look for programs with the setgid bit set

find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null
  • The Set-Group-ID (setgid) permission is another special permission that allows us to run binaries as if we were part of the group that created them.
  • These files can be leveraged in the same manner as setuid binaries to escalate privileges.

Check on google if you can exploit it or on https://gtfobins.github.io