Linux Privilege Escalation
This course explores how to carry out privilege escalation on Linux machines. We look at enumeration, kernel exploits, sudo permissions (sudo -l), SUID binaries, cron jobs, and much more!
Hi. In this lecture we're going to see what an SUID is. So far we have worked with SUIDs and leveraged that permission to escalate privileges in the previous CTFs we solved during this course, but as I said before, we're going to look at it in much more detail now. Back then I said, don't worry about this, we're going to see what it is later on, in the privilege escalation section. So, the time has come. I'm going to search for SUID in Google. You can pick any of the tutorials here; you don't have to follow it right now, I'm just showing you that you can find this anywhere on the internet. As you can see, SUID stands for Set owner User ID, and it is a special type of file permission given to a file. Normally, when a Linux program runs, it inherits the access permissions of the logged-in user. With the SUID bit set, the program instead runs with the permissions of the file's owner, so the user who launches it gets the owner's privileges for the lifetime of that process. What does this mean? When you create a file, or put a binary or some other executable on the system, you choose who gets to read it, who gets to write it, and who gets to execute it. If you're root, of course, you can read, write or execute anything in the system, and on a file you own you can keep it to yourself, open it to a single group, or open it to everyone. Now let's see how it works. My IP address is this one, and I'm going to SSH into it. Of course, during the course recordings I have to close this down and open it one more time, so I'm going to log in as usual and clear the screen. Here you go.
Right now I believe we're at File Permissions, which is task 13 over here, but you don't have to follow along from there; it's just there for note-taking. If I run ls -la, I can see a lot of information that is very valuable to us. The first character tells us whether it's a directory or a file: d stands for directory and a dash means a regular file. After that come the permissions, nine characters in three groups of three. The first three are for the owner, the next three are for the group, and the last three are for everyone else (other users). Then we see who the file belongs to: this file belongs to root, and this directory belongs to root too, and we can see all of that from ls -la. The characters stand for read, write and execute: r is read, w is write, and x is execute. For example, .bash_history was created by user, and user has given it read and write permissions but not execute permission. Of course, it doesn't make sense to give execute permission to a plain file like that. In the next case, for example, the owner has read, write and execute; the group can read and execute but not write; and other users can read and execute but not write. So we can specify what each class of user can do with a file: read it, write it, or execute it. You may have seen this before: you run chmod +x to make a file executable, and in the same way you can run chmod u+s to set the SUID bit on it. Over here we don't see any SUIDs right now, but I'm going to show you, don't worry. If we see an s in the owner's execute position, then the SUID bit is set on that file, and whoever runs it runs it with the owner's privileges.
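As an added example (not part of the lecture), here is a small POSIX sh script that decodes the 10-character mode field ls -la prints, splits it into owner/group/other triplets, and reports whether the setuid, setgid or sticky bit is set. The sample ls -la lines at the bottom are constructed for the demo, not captured from the course VM.

```shell
#!/bin/sh
# Added example, not from the lecture: decode the 10-character mode field that
# ls -la prints (type + owner rwx + group rwx + other rwx) and report whether
# the setuid, setgid or sticky bit is set. Sample lines below are constructed.

decode_mode() {
    mode=$1
    case "$mode" in
        ??????????) ;;                       # must be exactly 10 characters
        *) echo "bad mode string: $mode" >&2; return 1 ;;
    esac
    tchar=$(printf '%s' "$mode" | cut -c1)
    owner=$(printf '%s' "$mode" | cut -c2-4)
    group=$(printf '%s' "$mode" | cut -c5-7)
    other=$(printf '%s' "$mode" | cut -c8-10)
    case "$tchar" in
        d) ftype=directory ;;
        -) ftype=file ;;
        l) ftype=symlink ;;
        *) ftype=other ;;
    esac
    # s/S in the owner's x slot = setuid, in the group's x slot = setgid,
    # t/T in the other x slot = sticky. Upper case means the special bit is
    # set but the matching execute bit is not.
    special=""
    case "$owner" in ??[sS]) special="${special}setuid," ;; esac
    case "$group" in ??[sS]) special="${special}setgid," ;; esac
    case "$other" in ??[tT]) special="${special}sticky," ;; esac
    special=${special%,}
    printf '%s owner=%s group=%s other=%s special=%s\n' \
        "$ftype" "$owner" "$group" "$other" "${special:-none}"
}

# is_suid MODE: succeed when the setuid bit is set (the s you look for in ls -la)
is_suid() {
    case "$1" in
        ???[sS]??????) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed ls -la style lines (not captured from a real machine)
SAMPLE='-rw------- 1 user user   220 Jan  1 12:00 .bash_history
-rwsr-xr-x 1 root root 59640 Jan  1 12:00 passwd
drwxr-xr-x 2 root root  4096 Jan  1 12:00 tools'

printf '%s\n' "$SAMPLE" | while read -r mode _links _own _grp _size rest; do
    name=${rest##* }
    printf '%-14s ' "$name"
    decode_mode "$mode"
done
```

The capital-S case is worth knowing: chmod u+s on a file with no owner execute bit shows as S, which is set but useless, while a lower-case s is the one that actually changes who a process runs as.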
This may let us execute a file, or do something with a file, with root or administrator privileges, and we can take advantage of that. So I'm going to find those files, and we have seen this command before: I search by file type, for regular files, and by permission, -perm -04000, list them with -ls, and send the error output to /dev/null, so find / -type f -perm -04000 -ls 2>/dev/null. You have seen this command before, but I recommend you take note of it, because you will need it in real pentests as well. Over here we see the s in the permissions, because these are the SUID files; s stands for the SUID bit. What does it mean? Whoever runs these files runs them with the owner's privileges, and it happens that most of them are binaries, because SUID is generally given to binaries. Not necessarily, but it doesn't make sense to give a text file the SUID bit, since the bit only matters when the file is executed. Over here we have a lot of executables like chsh, sudo, sudoedit, passwd and many others. Having this permission is not necessarily a vulnerability; passwd, for example, needs it to update /etc/shadow. But over here we also have suid-so; this is a shared object, as the name says, and it is obviously placed here for CTF purposes, so maybe we can leverage it to escalate our privileges. We're going to see how that works, but the important thing is that you run this command, look at which SUID files you have, check every executable you see, and if you find one owned by root (and in this case all of them are owned by root) try to find a way to escalate your privilege through it. It doesn't necessarily mean you'll escalate your privilege using chsh, for example, but it may be possible using something like suid-so. So now you know what an SUID is and how to search for it.
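The SUID hunt from this lecture, written up as reusable shell functions (an added example, not the course's own script): list_suid is the lecture's find command with -print instead of -ls, and triage_suid tags each hit as STOCK (a helper you expect on a Debian/Ubuntu box) or CHECK (anything else, which is where to spend your time). The stock list is an assumption to tune for your distro. The demo builds a scratch directory with made-up paths so it runs without root and without touching the real filesystem; a real run is triage_suid /.

```shell
#!/bin/sh
# Added example, not the course's own script: the lecture's SUID hunt as
# reusable functions. A real run is `triage_suid /`; the demo builds a scratch
# tree so it runs without root and without touching the real filesystem.
# Linux ignores the setuid bit on interpreted scripts, so the demo files only
# serve to exercise find; they would not actually elevate anything.

# Stock setuid helpers you expect on a typical Debian/Ubuntu install.
# Illustrative list (an assumption); compare against your distro's package
# manifest rather than treating it as complete.
STOCK_SUID="passwd su sudo sudoedit chsh chfn gpasswd newgrp mount umount ping fusermount pkexec"

is_stock_suid() {
    for n in $STOCK_SUID; do
        [ "$n" = "$1" ] && return 0
    done
    return 1
}

# list_suid DIR: regular files under DIR with the setuid bit (04000) set.
# Same as the lecture's `find / -type f -perm -04000 -ls 2>/dev/null`, with
# -print so the output is one path per line; unreadable dirs are silenced.
list_suid() {
    find "$1" -type f -perm -04000 -print 2>/dev/null
}

count_suid() {
    list_suid "$1" | wc -l | tr -d ' '
}

# triage_suid DIR: one line per setuid file: STOCK or CHECK, owner, path.
# Root-owned files that are not stock helpers are the ones to dig into.
triage_suid() {
    dir=$1
    list_suid "$dir" | while IFS= read -r f; do
        set -- $(ls -ld "$f")            # $3 is the owner column of ls -l
        owner=$3
        base=${f##*/}
        if is_stock_suid "$base"; then tag=STOCK; else tag=CHECK; fi
        printf '%s owner=%s %s\n' "$tag" "$owner" "$f"
    done
}

# demo_setup: build a scratch tree with two setuid files and one normal file
# and print its path. Paths and names are made up for the demo.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/home/user/tools/suid"
    for f in "$d/usr/bin/passwd" "$d/usr/bin/normal" "$d/home/user/tools/suid/suid-so"; do
        printf '#!/bin/sh\necho demo\n' > "$f"
    done
    chmod 4755 "$d/usr/bin/passwd" "$d/home/user/tools/suid/suid-so"
    chmod 0755 "$d/usr/bin/normal"
    printf '%s\n' "$d"
}

d=$(demo_setup)
triage_suid "$d"
rm -rf "$d"
```

On a real target, filter the CHECK lines for owner=root first; an SUID file owned by an unprivileged user only gives you that user's rights, which is rarely worth the time.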
Now we're going to see how to actually become root using the vulnerable binaries over here. In this case it belongs to root, as you can see, and the group is staff; I don't know what that means yet. We're going to see whether we can take advantage of it. Again, this is one of the most important commands you should take note of: if you see something like this in a CTF or a pentest, that's the way you should go. I'm going to stop here and continue in the next lecture.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.