# Linux Privilege Escalation with SUID

**Let’s start with the theoretical concept!**

As we all know, in Linux everything is a file, including directories and devices, and every file carries permissions that allow or restrict three operations: read, write and execute. So when you set permissions on a file, you should be aware of which Linux users you are allowing or restricting for each of those three operations. Take a look at the following image.

<figure><img src="https://i0.wp.com/3.bp.blogspot.com/-3On44xqaRWQ/WvxyU2oXLII/AAAAAAAAW3g/ms6yFU_xJ_E1WxrCTHJsZX7j53D1aJdVACLcBGAs/s1600/0.1.png?w=640" alt=""><figcaption></figcaption></figure>

Hence it is clear that the maximum value used to set permissions for each user is **7**, which is the sum of read (**4**), write (**2**) and execute (**1**). For example, if you set chmod 755, the permissions are shown as **rwxr-xr-x**.

On top of these, special permissions can be set for each user class: **SUID, SGID, and the sticky bit**. When the extra bit **“4”** is set for the user (owner) it becomes **SUID** (Set User ID), when bit **“2”** is set for the group it becomes **SGID** (Set Group ID), and when other users are allowed to create or delete files inside a directory, the **sticky bit** **“1”** is set on that directory.
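To make the bit arithmetic above concrete, here is a small Python example (added here, not code from the original page) that turns an octal mode into the string `ls -l` prints, using exactly the values the text gives: 4/2/1 for read/write/execute in each class and a fourth octal digit for SUID (4), SGID (2) and sticky (1). It also shows the uppercase `S`/`T` case that appears when a special bit is set without the execute bit, and cross-checks its own output against `stat.filemode()` from the standard library.

```python
import stat

# Values from the page: read = 4, write = 2, execute = 1 for each of user
# (owner), group and other, plus a fourth octal digit for the special bits:
# SUID = 4, SGID = 2, sticky = 1 (so chmod 4755 == chmod u+s on a 755 file).
S_ISUID, S_ISGID, S_ISVTX = 0o4000, 0o2000, 0o1000

# (class, shift of its rwx triplet, special bit shown in its x position,
#  letter ls uses for that special bit)
_CLASSES = (
    ("user", 6, S_ISUID, "s"),
    ("group", 3, S_ISGID, "s"),
    ("other", 0, S_ISVTX, "t"),
)


def mode_to_symbolic(mode: int) -> str:
    """Render the 12 permission bits of `mode` the way `ls -l` prints them.

    Only the permission bits are used; the leading file-type character that
    ls shows (e.g. '-' or 'd') is not part of the result.
    """
    mode &= 0o7777
    out = []
    for _who, shift, special, letter in _CLASSES:
        triplet = (mode >> shift) & 0o7
        out.append("r" if triplet & 4 else "-")
        out.append("w" if triplet & 2 else "-")
        executable = bool(triplet & 1)
        if mode & special:
            # The special bit replaces 'x': lowercase when execute is also
            # set (rwsr-xr-x), uppercase 'S'/'T' when it is not, which for
            # SUID is an odd combination worth noticing in an audit.
            out.append(letter if executable else letter.upper())
        else:
            out.append("x" if executable else "-")
    return "".join(out)


def special_bits(mode: int) -> list:
    """Names of the special bits set in `mode`, in ls order."""
    names = []
    if mode & S_ISUID:
        names.append("SUID")
    if mode & S_ISGID:
        names.append("SGID")
    if mode & S_ISVTX:
        names.append("sticky")
    return names


def agrees_with_stdlib() -> bool:
    """Cross-check: our rendering matches stat.filemode() for every mode."""
    return all(
        mode_to_symbolic(m) == stat.filemode(stat.S_IFREG | m)[1:]
        for m in range(0o10000)
    )


if __name__ == "__main__":
    for m in (0o755, 0o4755, 0o2755, 0o1777, 0o4644):
        print(f"{m:04o} -> {mode_to_symbolic(m)}  {special_bits(m)}")
    print("matches stat.filemode():", agrees_with_stdlib())
```

Running the block prints, among others, `4755 -> rwsr-xr-x ['SUID']`, which is the pattern the rest of this page teaches you to look for in `ls -al` output.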

<figure><img src="https://i0.wp.com/2.bp.blogspot.com/-V6G2dcR6rew/WvxyU3zB5NI/AAAAAAAAW3o/es8P06opgNwUg8gUPjzcLO29dgVYBOOpQCLcBGAs/s1600/0.2.png?w=640" alt=""><figcaption></figcaption></figure>

#### **What is SUID Permission?**

**SUID:** Set User ID is a type of permission that allows users to execute a file with the permissions of a specified user (the file's owner) rather than their own. Files with the SUID bit set therefore run with higher privileges. Assume we are accessing the target system as a non-root user and we find binaries with the SUID bit enabled: those files/programs/commands can run with root privileges.

**How to set suid?**

Basically, you can change the permissions of any file using either the “numerical” method or the “symbolic” method. As a result, **x is replaced by s**, as shown in the image below, which denotes a special execute permission with higher privilege for that particular file/command. Since we are enabling SUID for the owner (user), **bit 4** or the **symbol s** is added to the owner's read/write/execute permissions.

<figure><img src="https://i0.wp.com/4.bp.blogspot.com/-a6Pqx7k0g4o/WvxyU6zyHDI/AAAAAAAAW3k/5XoCsMKnS7o9OsnJL4BgMLF584zaJ2LrwCLcBGAs/s1600/0.3.png?w=640" alt=""><figcaption></figcaption></figure>


If you execute **ls -al** with the file name and observe the small ‘s’ symbol in the owner's execute position, as in the image above, it means the SUID bit is enabled for that file and it can be executed with root privileges.

#### **How to Find SUID Files**

By using the following command you can enumerate all binaries that have the SUID permission set:

```
find / -perm -u=s -type f 2>/dev/null
```

* **/** denotes starting from the top (root) of the file system and searching every directory
* **-perm** denotes searching for the permissions that follow
* **-u=s** denotes looking for files that have the SUID bit set in the user (owner) permissions
* **-type** states the type of file we are looking for
* **f** denotes a regular file, not directories or special files
* **2** denotes the second file descriptor of the process, i.e. stderr (standard error)
* **>** means redirection
* **/dev/null** is a special filesystem object that discards everything written to it, so “permission denied” errors from unreadable directories do not clutter the output.
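From the defender's side, the same enumeration is only useful if you compare it against what the system is supposed to have. The following Python example (added here, not code from the original page) reimplements `find / -perm -u=s -type f 2>/dev/null` with `os.walk` and `os.lstat`, then diffs the result against an allowlist of expected SUID paths, separating out the unexpected entries that are owned by root, since those are the ones that actually hand out root. The inventory and the allowlist in the block are constructed for the demonstration; on a real host you would run `scan_tree("/")` and take the baseline from a known-good build of the image.

```python
import os
import stat
from typing import Dict, Iterable, Iterator, List, NamedTuple, Set


class FileRecord(NamedTuple):
    path: str
    mode: int  # st_mode from os.lstat (type bits + permission bits)
    uid: int   # st_uid (0 == root)


def scan_tree(root: str) -> Iterator[FileRecord]:
    """Walk `root` the way `find / ... 2>/dev/null` does: directories we
    cannot read are skipped silently instead of aborting the scan."""
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: do not follow symlinks
            except OSError:
                continue
            yield FileRecord(full, st.st_mode, st.st_uid)


def suid_files(records: Iterable[FileRecord]) -> List[FileRecord]:
    """Equivalent of `find / -perm -u=s -type f`: regular files only (so no
    directories or symlinks, which os.walk also lists) with the SUID bit."""
    return [r for r in records
            if stat.S_ISREG(r.mode) and r.mode & stat.S_ISUID]


def audit(records: Iterable[FileRecord], baseline: Set[str]) -> Dict[str, List[str]]:
    """Diff the SUID files found against an allowlist of expected paths.

    'unexpected' is every SUID file outside the allowlist, 'root_owned' the
    subset of those owned by uid 0 (the ones that actually grant root), and
    'missing' the allowlisted paths that were not found (removed or renamed).
    """
    found = {r.path: r for r in suid_files(records)}
    unexpected = sorted(p for p in found if p not in baseline)
    return {
        "unexpected": unexpected,
        "root_owned": [p for p in unexpected if found[p].uid == 0],
        "missing": sorted(p for p in baseline if p not in found),
    }


# Constructed sample inventory standing in for a real scan (not real output).
SAMPLE_RECORDS = [
    FileRecord("/usr/bin/passwd", stat.S_IFREG | 0o4755, 0),
    FileRecord("/usr/bin/sudo", stat.S_IFREG | 0o4755, 0),
    FileRecord("/usr/bin/nmap", stat.S_IFREG | 0o4755, 0),      # as on Metasploitable 2
    FileRecord("/tmp/backup.sh", stat.S_IFREG | 0o4755, 1000),  # SUID but not root-owned
    FileRecord("/usr/bin/ls", stat.S_IFREG | 0o755, 0),         # no SUID bit
    FileRecord("/srv/share", stat.S_IFDIR | 0o4755, 0),         # directory: -type f excludes it
    FileRecord("/usr/local/bin/pw", stat.S_IFLNK | 0o4777, 0),  # symlink: excluded too
]

# Constructed allowlist; in practice take it from a known-good build of the image.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    records = scan_tree(root) if root else SAMPLE_RECORDS
    for key, paths in audit(records, BASELINE).items():
        print(f"{key}: {paths}")
```

Run without arguments it audits the constructed inventory and reports `/usr/bin/nmap` as an unexpected root-owned SUID binary (the same finding the walkthrough below exploits); run as `python3 suid_audit.py /` it scans the live filesystem instead. Scheduling that scan and alerting on a non-empty `root_owned` list is a cheap way to catch both misconfigured images and attacker-planted SUID shells.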

In the GTFOBins link below we can see which SUID binaries, base64 for example, can be used for privilege escalation.

* **GTFOBins SUID:** <https://gtfobins.github.io/#+suid>

**Example: Linux Privilege Escalation with SUID on Metasploitable 2**

Running nmap against the Metasploitable IP, we can see that port 8180 is open and running a Tomcat service.

<figure><img src="https://miro.medium.com/v2/resize:fit:1050/1*TUMXX6aRVaz0KB9vttvg1A.png" alt="" height="81" width="700"><figcaption></figcaption></figure>

Try opening the page on port 8180 with the URL [http://metasploitableIP:8180](http://metasploitableip:8180/)

<figure><img src="https://miro.medium.com/v2/resize:fit:1050/1*Ni7uUSDt_aQiyhELVTBUwA.png" alt="" height="352" width="700"><figcaption></figcaption></figure>

When you click on any of the links in the left panel, it asks you to log in.

Now, we have a module in msf to find the login credentials: auxiliary/scanner/http/tomcat\_mgr\_login

Use this module and set the options:

<figure><img src="https://miro.medium.com/v2/resize:fit:1050/1*CZRH3wJ2pomqQgu98coUHA.png" alt="" height="110" width="700"><figcaption></figcaption></figure>

Once done, it tries to find the login credentials and the output looks something like this:

<figure><img src="https://miro.medium.com/v2/resize:fit:1050/1*isVzSPbw6VmH1gmLOaZvlA.png" alt="" height="26" width="700"><figcaption></figcaption></figure>

Use these credentials to log in to the Apache Tomcat page.

And there you go!!

<figure><img src="https://miro.medium.com/v2/resize:fit:1050/1*aeL6_lxhxL21rPIPx-mLsw.png" alt="" height="383" width="700"><figcaption></figcaption></figure>

Click on ‘List Applications’ under the Manager tab and you will see there are a couple of options to upload a file.

Now we can try exploiting the upload functionality, either using the exploit available in msfconsole or by creating a payload with msfvenom.

We will see how we can exploit this using the exploit available in msfconsole.

Here we have an exploit that can be used to deploy a file through the Tomcat /manager interface.

Use exploit/multi/http/tomcat\_mgr\_deploy and make sure to set the manager username and password (the ones we used to log in) along with the other options.

<figure><img src="https://miro.medium.com/v2/resize:fit:1050/1*j0Pb4-lE2rZ__prkVFg8Ow.png" alt="" height="177" width="700"><figcaption></figcaption></figure>

Once you run ‘exploit’, you get a meterpreter session:

<figure><img src="https://miro.medium.com/v2/resize:fit:1050/1*gZrwklOICyPfudrRw2roGg.png" alt="" height="146" width="700"><figcaption></figcaption></figure>

We have got access to Metasploitable, but we are not the root user yet.

<figure><img src="https://miro.medium.com/v2/resize:fit:1002/1*TUl_Roreu-P5-LleKww1Nw.png" alt="" height="138" width="668"><figcaption></figcaption></figure>

To get root-level access we need to do privilege escalation, and for that we can try exploiting an SUID binary, if any is present.

Let us search for that, but to run the commands, let’s first drop into a shell from meterpreter.

<figure><img src="https://miro.medium.com/v2/resize:fit:717/1*ijt1_j9YSgDwbMFZ20Furg.png" alt="" height="44" width="478"><figcaption></figcaption></figure>

<figure><img src="https://miro.medium.com/v2/resize:fit:1050/1*X9tVm1jDjHPHPkwXU-7jYA.png" alt="" height="157" width="700"><figcaption></figcaption></figure>

Now let’s search for any binary with the SUID bit set.

<figure><img src="https://miro.medium.com/v2/resize:fit:1050/1*Vj_b2WkOovRCo2bUXZX5TA.png" alt="" height="544" width="700"><figcaption></figcaption></figure>

We have got lots of binaries with the SUID bit set, and I am going to use nmap here to do the privilege escalation.

<figure><img src="https://miro.medium.com/v2/resize:fit:1050/1*BW6qM6saEnk5yB4_-AbZDQ.png" alt="" height="154" width="700"><figcaption></figcaption></figure>
