PRIMARY CATEGORY → LINUX PRIVESC
Enumeration
Special Permissions
SETUID
This type of permission allows a user to run the given binary with the permissions of another user, i.e. the effective user will be the owner of the file whereas the real user will be the current user.
find / -perm -4000 -type f -ls 2> /dev/null
SETGID
On the other hand, when a binary with this permission enabled is executed, the resulting process will run with the permissions of the owning group (-2000 matches the SGID bit on its own; -6000 would only match files that have both SUID and SGID set).
find / -perm -2000 -type f -ls 2> /dev/null
Sudo Permissions
This type of privilege allows a given user to run certain commands in the context of ROOT or another privileged account without having to change users or grant excessive rights.
The command below lists the entries in the /etc/sudoers file that apply to the current user.
sudo -l
Sometimes the system will ask for the current user's password before running the previous command.
That happens if the NOPASSWD tag is not specified in any of the existing entries related to the user in question within the /etc/sudoers file.
So, it is always a good safety measure not to add the NOPASSWD tag to any sudoers entry.
In addition, a system administrator should always specify the absolute path of the given binary. Otherwise, an attacker may be able to leverage PATH abuse to create a malicious binary that will be executed when the command runs.
Abuse
GTFOBins
Many programs have additional features that an operator could leverage to run commands.
So, once we find a binary that has any of the previous special permissions enabled, or a command that the current user can run with sudo privileges, we should check whether the binary has any feature that we can leverage to carry out actions such as:
- Break out Restricted Shells
- Escalate Privileges
- Spawn a Reverse Shell connection
- Transfer files
Resources
How to use Special Permissions: SETUID, SETGID and Sticky Bit