Series of CTF machines Walkthrough #7 Linux Privilege Escalation using SUID permissions.
Hello Hackers, In this blog we are going to learn how to escalate the privileges by exploiting the SUID bit permissions which are set to the files and programs, In the last blog we learnt about “SUDO exploitation”, so make sure to read the previous blog.
For this blog, I’m using the vulnerable machine from TryHackMe called “Linux Privilege Escalation”.
We already have the SSH credentials from TryHackMe, lets use those credentials and login to SSH via terminal.
What is SUID permissions?
SUID (Set-User Identification) is the special permission which is set to the files and programs, if the file or program has set a SUID permission it will run as the owner of the file.
To find the SUID permission files or programs in linux, you can use the “find / -type f -perm -4000 -ls 2>/dev/null” command.
You can see in the above image many files and programs set as a SUID permissions.
Now use the “gtfobins” to exploit for the miss-configured SUID set permissions and elevate privileges.
After researching “/base64” program is vulnerable to SUID bit permissions so open the “gtfobins” and paste the base64 and click on the suid and you can see the above commnads now paste the commands as shown below in the image.
As you can see in the above image, at first we are not able to see the content on the ‘flag3.txt” file after using the commands from the gtfobins we are able to see the content.
By using this method you can see the content from the “/etc/shadow” file and also you can bruteforce the hash using ‘JohntheRipper’.
The next write up will be on “Capabilities”.