DEV Community

Florian J. Isopp


Privilege Escalation with Path Variable Manipulation

This part is about the SUID and SGID bits shown in the 'l' details for files.
says: When a command or script with SUID bit set is run, its effective UID becomes that of the owner of the file, rather than of the user who is running it.

SUID Bit: User executes the file with permissions of the file owner
SGID Bit: User executes the file with the permission of the group owner


To search a system for these types of files, run the following:

find / -perm -u=s -type f 2>/dev/null


In short:

* create a shell call named curl in a file under /tmp
* this works because /usr/bin/menu is run as root
* curl is found in the menu file, called without its full path
* write the /tmp path into PATH
* execute the menu file
* pick option 1, which runs the modified curl, aka /bin/sh
* check that id reports root
* access the flags
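
An added example, not part of the original post: a Python audit that takes the SUID search above one step further and lists embedded strings that call a command by bare name, the condition that makes the PATH trick possible for the curl call in the menu file. The function names and the sample bytes are constructed for illustration, and hits are candidates for manual review, not confirmed findings.

```python
import os, re, stat, sys

SYSTEM_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")

def system_commands(dirs=SYSTEM_DIRS):
    """Names of the programs installed in the standard system directories."""
    return {n for d in dirs if os.path.isdir(d) for n in os.listdir(d)}

def printable_strings(data, min_len=4):
    """Printable ASCII runs in a binary, similar to strings(1)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def bare_command_calls(data, commands):
    """Embedded strings whose first word is a known command with no path."""
    # If the program passes such a string to system() or execvp(), the
    # command is looked up through the PATH of whoever runs the binary.
    hits = []
    for s in printable_strings(data):
        words = s.split()
        if words and "/" not in words[0] and words[0] in commands:
            hits.append(s)
    return hits

def suid_sgid_files(root="/"):
    """Regular files under root that have the SUID or SGID bit set."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                yield path

# Constructed sample standing in for the string data of a SUID binary.
SAMPLE = b"\x00\x01curl -I localhost\x00/usr/bin/uname -r\x00\x7fELF\x00"

if __name__ == "__main__":
    cmds = system_commands()
    for path in suid_sgid_files(sys.argv[1] if len(sys.argv) > 1 else "/"):
        try:
            with open(path, "rb") as fh:
                hits = bare_command_calls(fh.read(), cmds)
        except OSError:
            continue
        for hit in hits:
            print(f"{path}: {hit!r}")
```

The fix for a flagged binary is to call helpers by absolute path (or reset PATH before invoking them) and to drop the SUID bit where it is not needed.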


writing shell scripts:

additional credits

*this is a part of so the introduction and manual is their content. execution and guide-through is mine.
