SUID PrivEsc Python

Some files have permissions that let any user execute them with full permissions, which means that you can execute a file and the file will execute as root.
So to escalate our privileges, we need to search for files with the right SUID permissions.

find / -type f -user root -perm -4000 2>/dev/null

This searches for files with the SUID permission set:

find /                         -> search in all directories
-type f                       -> search for regular files
-user root                  -> only files owned by the user root
-perm -4000              -> 4000 is the permission bit for SUID
2>/dev/null               -> discards error messages (such as "Permission denied") so only matching results are shown

Here we see that /usr/bin/python can be executed as root. Let's exploit that with GTFOBins.

https://gtfobins.github.io/gtfobins/python/


Path Variable Manipulation

SUID bits can be dangerous. Some binaries, such as passwd, need to be run with elevated privileges (as it is resetting your password on the system); however, other custom files that have the SUID bit set can lead to all sorts of issues.

https://i.imgur.com/LN2uOCJ.png

To search a system for these types of files, run the following:

find / -perm -u=s -type f 2>/dev/null

Here we see which “services” we are allowed to use with our account.
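The same find searches can be turned into a repeatable audit for administrators. The script below is an added example, not part of the original page: it lists SUID files, reports any that are missing from an approved baseline, and flags SUID interpreters such as the /usr/bin/python case above. The function names, the baseline file format (one absolute path per line) and the interpreter name list beyond python are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): defensive SUID audit.
# Function names and the baseline file format are assumptions.

# list_suid DIR
# Print every regular file under DIR that has the SUID bit set, sorted.
# -xdev keeps the search on one filesystem; errors are discarded.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# unexpected_suid DIR BASELINE
# Print SUID files under DIR that are NOT listed in BASELINE, a text file
# with one approved absolute path per line (for example /usr/bin/passwd).
# -F fixed strings, -x whole-line match, -v invert: keep unapproved paths.
unexpected_suid() {
    list_suid "$1" | grep -Fvx -f "$2" || true
}

# interpreter_suid DIR
# Print SUID files whose name is a script interpreter or shell. These
# should never carry the SUID bit. The name list is an assumption and
# is not exhaustive.
interpreter_suid() {
    list_suid "$1" |
        grep -E '/(python[0-9.]*|perl[0-9.]*|ruby[0-9.]*|bash|dash|sh)$' || true
}

# Stand-alone use: ./suid_audit.sh / /etc/suid-baseline.txt
# (script name and baseline path are placeholders)
if [ "$#" -ge 2 ]; then
    echo "SUID files not in baseline:"
    unexpected_suid "$1" "$2"
    echo "SUID interpreters:"
    interpreter_suid "$1"
fi
```

An unexpected entry is fixed by removing the bit with chmod u-s on that file, after confirming that nothing legitimate depends on it.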

Sometimes, for example, the “usr/bin/menu” command displays a menu where you can check some system information. As this file runs with the root user's privileges, we can manipulate our PATH to gain a root shell. Follow the example below.

https://i.imgur.com/OfMkDhW.png