# `setuid` or SUID
- The `Set User ID upon Execution` (`setuid`) permission can allow a user to execute a program or script with the permissions of another user, typically with elevated privileges
- The `setuid` bit appears as an `s` in place of the `x` for the owner
![[images/Pasted image 20260203200550.png]]
- To find SUID binaries, issue the `find` command below
```bash
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
```
- After finding SUID binaries, it may be possible to reverse engineer a program with the `setuid` bit set, identify a vulnerability, and exploit it to escalate our privileges
- Many programs have additional features that can be leveraged to execute commands and, if the `setuid` bit is set on them, these can be used for our purpose

# `setgid` or SGID
- The `Set Group ID` (`setgid`) permission is another special permission that allows us to run binaries as if we were part of the group that owns them
- To find SGID binaries, issue the `find` command below
```bash
# Note: -perm -6000 matches files with both the setuid and setgid bits set;
# -perm -2000 matches on the setgid bit alone
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null
```
- These files can be leveraged in the same manner as `setuid` binaries to escalate privileges

# Exploiting SUID & SGID
- [GTFOBins](https://gtfobins.github.io/) includes a curated list of binaries and scripts that can be used by an attacker to bypass security restrictions
- Each page details the program's features that can be used to break out of restricted shells, escalate privileges, spawn reverse shell connections, and transfer files
- As one example, `apt-get` can be used to break out of restricted environments and spawn a shell by adding a Pre-Invoke command
```bash
sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh

# id
uid=0(root) gid=0(root) groups=0(root)
```

---
# Exercise
- `ping` test
![[images/Pasted image 20260203201454.png]]
- `nmap` scans
![[images/Pasted image 20260203201525.png]]![[images/Pasted image 20260203201539.png]]
- `ssh` into box with given creds `htb-student:Academy_LLPE!`
![[images/Pasted image 20260203201628.png]]
- light enum
![[images/Pasted image 20260203201656.png]]
- Locate SUID bins
![[images/Pasted image 20260203201729.png]]
- Locate SGID bins
![[images/Pasted image 20260203201828.png]]
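
A defensive counterpart to the `find` commands in the SUID and SGID sections, as an added example that is not part of the original notes: it inventories setuid and setgid files separately and flags any that are missing from a baseline allowlist. The function names and the allowlist format (one absolute path per line) are assumptions.

```bash
#!/usr/bin/env bash
# Added example: audit setuid/setgid files against a baseline allowlist.
# Function names and the allowlist file format are hypothetical.

# classify_bits FILE -> prints SUID, SGID, SUID+SGID or NONE
classify_bits() {
    local f=$1
    if [ -u "$f" ] && [ -g "$f" ]; then
        echo "SUID+SGID"
    elif [ -u "$f" ]; then
        echo "SUID"
    elif [ -g "$f" ]; then
        echo "SGID"
    else
        echo "NONE"
    fi
}

# audit_special_bits ROOT ALLOWLIST
# Prints "<bits><TAB><status><TAB><path>" for every regular file under ROOT
# that has a special bit. status is "expected" when the path is listed in
# ALLOWLIST, otherwise "REVIEW". Paths containing newlines are not handled.
audit_special_bits() {
    local root=$1 allow=$2 path bits status
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set.
    # -perm -6000 on its own would only match files carrying BOTH bits.
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    sort |
    while IFS= read -r path; do
        bits=$(classify_bits "$path")
        if grep -Fxq -- "$path" "$allow" 2>/dev/null; then
            status=expected
        else
            status=REVIEW
        fi
        printf '%s\t%s\t%s\n' "$bits" "$status" "$path"
    done
}

# count_review ROOT ALLOWLIST -> number of special-bit files not in the baseline
count_review() {
    audit_special_bits "$1" "$2" | awk -F'\t' '$2 == "REVIEW"' | wc -l | tr -d ' '
}

# Usage (baseline path is a placeholder): audit_special_bits / /path/to/baseline.txt
```

Files reported as `REVIEW` that do not need the bit can have it removed with `chmod u-s` or `chmod g-s`.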