Suid Privilege Escalation

In this course, we explore brute force attacks, hacking WordPress, changing users, and suid privilege escalation. We'll do this through a CTF (capture the flag) ethical hacking game called Mr. Robot.


Hi. Within this section, we're going to try and escalate our privilege to become root. Right now we are robot, and I'm just going to run uname -a, okay, so we are on Ubuntu and I'm just going to cat /etc/issue here as well to see if we have any information over there, and as you can see, we don't have that information over here. But we know the Linux version over here, so we are in 3.13 on Ubuntu, so maybe there is a kernel exploit over there, but I'm going to go for another direction. So, I'm just going to go for sudo -l like we have done before because we already know that it's worth a shot to see if we have anything like we can run like an administrator user. So, if we run sudo -l, it will ask us for the password of the robot and we know that, right?

So, let me come over here. We have taken a note for that, so note.txt and I'm just going to copy and paste the password and see if we can find something over here. So, I'm just going to paste it and hit 'Enter'. So, here we go. It doesn't work, so let me try and just run sudo -l. And nope, let me just paste this and hit 'Enter'. Maybe I'm copying it wrong. So, it says that three incorrect password attempts even though it's not right, we managed to log in here. Yes, I believe we copied the wrong thing, so I'm going to do that one more time. Come over here and just copy this thing one more time and make sure you copy it right and come back and just run the same thing over here, and we cannot paste it. So, let me paste the clipboard. If I paste the clipboard, it works. So, I'm going to run sudo -l one more time and this time, I'm just going to paste the clipboard and hit 'Enter' and here you go. So, user robot may not run sudo on Linux, so we cannot even run sudo -l, but it doesn't mean that we're going to get or we're not going to get to run anything as super administrator user, super user.

So, I'm going to run a find command over here, which will be a command that you're going to need for the rest of your life if you're going to be a pentester. And this is not the command, by the way. I hit 'Enter' by mistake on an accident, so I'm just going to show you one more time. So, if I run this like that, it will find every file and folder over here on the server. We will see something like permission denied and we will see something like that the permission is available for us. So, we cannot find, we cannot actually go and take a look at those files and this is not going to do us good, but I'm going to show you the correct command. As you can see, we cannot even see the things over here, we cannot even see the whole list. So, I'm going to show you a much better way to run that command, and this is not what I had intended to do in the first place as well. So, I'm going to run a find command again, but this time, I'm going to be very specific. So, I'm going to say find /, so I'm searching for the files inside of the whole server over here, not in the current directory. And we're going to find a command that has a specific permission set. And let me just show you the command from my notes over here.

So, this is the thing that we are looking for. So, we are trying to find binaries that have the suid bit set. So, we have seen this before in the bandit. So, this is actually going to give us the files that have been given a special permission by an administrator user, so that we can actually run this as if we are an administrator and this is supposed to be a temporary or maybe some like a bypass solution for the administrators. Okay. But if it exists, if we can find something that is going to give us leverage of running this as an administrator and getting back a root shell, then we're going to use it. And again, this setuid thing is big and but by this time, I suggest you take a note of this command and I will show you another command in a second, take a note of that as well. But in the privilege escalation section, we're going to deep dive into this and understand the setuid logic and how it's done, what happens in the background as well. Okay? So, just make sure that you take a note of this and it will give us the files that we can actually run and these files belong to root user or some administrator user. And if this doesn't work, you can always run the command like this as well. So, this is finding the permissions and the output of this is going to go into the /dev/null which is nothing. So, it's going into the null.

Okay. So, null means empty, nothing, nada, void. Okay. So, this is what we're going to do, make sure you copy this or just pause the video and write this on your own, and just write it over there. And I'm just going to hit 'Enter', and as you can see, right now this is much shorter than what we have seen over here. As you can see, we only get a couple of things over there. So, these are the commands, these are the files, these are the binaries, okay, executables that we can execute and if we can make it work, if we can find a binary that will give us the leverage of becoming a root then it's going to be really good. Of course, there is a possibility that we get a lot of things over here, but none of them will serve the purpose of becoming root. But it's very short to see what things that we have here and try to find our way to become root. For example, right now, I can see that I can run the passwd command, /usr/bin/passwd command. Okay. Changing the password won't make me root. So, we have change shell which is chsh, we have sudo, we have Nmap, which is weird and we're going to take a look at that and we have this thingy going on over here like ssh-keysign, vmware-user-suid-wrapper.

So, maybe we can take a look at those too, but ssh-keysign is just for signing a key. Maybe if it was ssh, then we could have done something with it, but this is only for signing a key in order to create like -i parameter thingy to log into the ssh servers. So, over here, we have the dmcrypt-get-device, I don't know what it does, but we have Nmap. And I believe, we can find something to do with the Nmap and it's very easy to search for the binaries and see if we can actually use them to become root. So, let me come over here and run Nmap help in my own terminal, in my own Kali Linux and see if we can find something even remotely related to a privilege escalation. And of course, if we cannot find it over here, let me run this one more time with grepping the shell, for example. No, there is nothing over there. Let me run terminal. There is nothing over there. I'm trying to find something that will lead me to execute a command as root, as an administrator user. Okay. I cannot find it. So, I'm just going to open the Firefox. Okay. I'm going to close this down and I'm going to open the Firefox and I'm going to go to and I will just run this, search for this Nmap command, terminal, something like this. I want to run a command using Nmap. So, if we can do this then we can execute the command as if we are root, then we can get a shell back as a root.

So, let me find this. Let me try to find it. So, top 15 Nmap command. That's not the thing that we are looking for. Command line options, maybe. Let me come over here and just search for interactive shell something like this. Maybe this will give us more clue on this one. Yes, execute shell commands. That's exactly what I'm looking for. So, go for this GTFOBins. So GTFOBins, it can be used to break out from restricted environments by spawning an interactive shell. That is exactly what I'm looking for. Okay. So, all I have to do is just run Nmap interactive and run !sh apparently. Let me try that. So, I'm going to run Nmap interactive like this. So, we are inside of Nmap and I'm just going to run !sh. So, here we are. We are in an sh shell. Let me run whoami. And here we are. We are root. That worked because it has a special permission, Nmap has a special permission, Nmap has a setuid suid permission has been given to us. It has been given to us, so we have to search for it, we have to look deep for it in order to find it as you can see. And this works in real life scenarios because it happens all the time. Administrators give suid access to regular users or some developer users all the time, so that if you can leverage that, then it's okay and you can even find it by googling it. It's no big deal.

So, let me just locate the tree. Let me just locate how should we run this. Let me run cd /root. Here we go, key-3-of-3. So, let me just get key-3-of-3 over here and here you go, we got the final flag over there. So, that's great. As you can see, we managed to complete the CTF and again, if you got confused for this setuid thingy or if you got confused for finding alternatives like kernel exploits or any other ways of exploiting or just finding some vulnerabilities to become root, then don't worry, as I said before, we're going to take a deep dive into that in a couple of sections. We're just going to have a section for Linux privilege escalation and a section for Windows privilege escalation as well because they are very much different. But here, we took the advantage of setuids, suids and we found Nmap can be run as root and we executed some command using that leverage and here we are, we are root. Okay. So, Mr. Robot is maybe intermediate thing. So, if you have a previous cybersecurity experience, I believe you understood everything that has been going on over there. So again, if you got confused at some point, don't worry, we're going to see how it works in the following sections. Now, we're going to stop here and don't forget to take a note of that Nmap interactive thing as well. It may come in handy in the following sections or in your real life examples as well. So, we're going to stop here and continue within the next section together.
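
The search described in the lesson is also how an administrator audits a host for setuid binaries that should not be there. The script below is an added example, not part of the course: the exact find command from the video is not shown on this page, so `find -perm -4000` is an assumed form of it, and the function names, baseline file and directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the course): report setuid files that are not in
# an approved baseline. All paths and file names below are constructed.

# Print every regular file under $1 that has the setuid bit (mode 4000) set.
# -xdev stays on one filesystem; errors from unreadable directories are
# discarded, like the redirect to /dev/null described in the lesson.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Print setuid files under $1 whose full path is not listed in baseline $2
# (one approved path per line). grep exits 1 when nothing is left over,
# so the status is forced to success.
unexpected_suid() {
    list_suid "$1" | grep -vxF -f "$2" || true
}

# Constructed tree: passwd and chsh are expected setuid helpers, nmap is the
# kind of entry an administrator added once and forgot, ls has no setuid bit.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin" "$root/usr/local/bin"
    for f in usr/bin/passwd usr/bin/chsh usr/local/bin/nmap usr/bin/ls; do
        : > "$root/$f"
    done
    chmod 4755 "$root/usr/bin/passwd" "$root/usr/bin/chsh" \
               "$root/usr/local/bin/nmap"
    chmod 0755 "$root/usr/bin/ls"
    printf '%s\n' "$root/usr/bin/passwd" "$root/usr/bin/chsh" \
        > "$root/baseline.txt"
    # Strip the temporary prefix so the report reads like real paths.
    unexpected_suid "$root" "$root/baseline.txt" | sed "s|^$root||"
    rm -rf "$root"
}

demo   # prints /usr/local/bin/nmap
```

On a real host, run `unexpected_suid / baseline.txt` as root with a baseline taken from a known-good install, and remove the bit with `chmod u-s` from anything that has no reason to be setuid.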


About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.