
Florian J. Isopp


Privilege Escalation with Path Variable Manipulation

This part is about playing with the SUID and SGID bits shown in the 'ls -l' details for files.
https://www.thegeekdiary.com/what-is-suid-sgid-and-sticky-bit/ says: "When a command or script with SUID bit set is run, its effective UID becomes that of the owner of the file, rather than of the user who is running it."

SUID bit: the user executes the file with the permissions of the file owner
SGID bit: the user executes the file with the permissions of the group owner


To search a system for these types of files, run the following:

find / -perm -u=s -type f 2>/dev/null


In short:

* create a shell call for curl in a file in /tmp
* because /usr/bin/menu is run as root
* curl is found in the menu file
* write the /tmp path into PATH
* execute the menu file
* pick option 1 and run the modified curl, aka /bin/sh
* check that id reports root
* access the flags
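
The defender's view of the same weakness, as an added example that is not part of the original post: a heuristic audit that lists SUID files and flags embedded command strings written without an absolute path, which is what lets the caller's PATH choose the program that runs as the file owner. The function names, WATCHLIST and the sample file bytes are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag SUID binaries that invoke helper commands by bare name.
# WATCHLIST and the sample file contents are constructed for illustration.
WATCHLIST="curl wget uname ifconfig ps cat cp tar service"

# bare_calls FILE: print embedded strings (4+ printable chars, like strings(1))
# whose first word is a watchlisted command written without a leading "/",
# meaning the binary lets the caller's PATH decide what actually runs.
bare_calls() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | awk -v list="$WATCHLIST" '
        BEGIN { n = split(list, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        length($0) >= 4 && ($1 in watch)'
}

# audit_suid ROOT: run bare_calls over every SUID file below ROOT.
audit_suid() {
    find "$1" -perm -u=s -type f 2>/dev/null | while IFS= read -r f; do
        hits=$(bare_calls "$f")
        if [ -n "$hits" ]; then
            printf '%s\n' "$f:"
            printf '%s\n' "$hits" | sed 's/^/    /'
        fi
    done
}

# make_sample FILE: write a constructed stand-in for a compiled menu program,
# with one bare call and one absolute-path call between non-printable bytes.
make_sample() {
    printf '\177ELF\001\002curl -I localhost\001/usr/bin/uname -r\001\003' > "$1"
}

# With a directory argument, audit it; with none, define the functions only.
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

A hit is a lead to review, not proof; the fix in the program itself is to call helpers by absolute path and not trust the inherited PATH.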

MISC

writing shell scripts:
https://linuxcommand.org/lc3_wss0010.php

additional credits
https://clarencesubia.medium.com/tryhackme-kenobi-walkthrough-6cd316fd9c3c

*This is a part of tryhackme.com, so the introduction and manual are their content. Execution and guide-through are mine.
