19BCT0021
Swayam Shresth Mohapatra
CSE-3501 ISAA
L55+56
Privilege Escalation
In this experiment, we will demonstrate privilege escalation using SUID.
SUID stands for Set User ID. It is one of the file permission settings.
If we look at the output of ls -la, we can see that some entries have rwx (read, write,
execute) permissions and some have read, then a blank (a dash), and then execute
permissions. These are the permissions, and we can tell whether an entry is a directory or
a file from the first character: for example "d" means it is a directory, and a dash
means it is a regular file.
If we run ls -la on /etc/shadow, which is a file that is definitely owned by root,
we notice that root has rw privileges on it, the group only has read permission, and
other users have no permission on this file at all.
Then there is the SUID permission, or Set User ID, which allows users to execute a file
with the permissions of the file's owner rather than their own. Therefore, a file with
the SUID permission runs with higher privileges when its owner is root. If the
set-user-ID (SUID) bit is set, we see an "s" in the owner's execute position of the
permissions, as shown below.
To find this 's' we will be using the command:
find / -perm -u=s -type f 2>/dev/null
The forward slash means that we will start from the top, the root of the file system.
-perm means we are matching on permissions.
-u=s states which permission we are looking for: the "s" (SUID bit) in the user
(owner) permissions. The interesting results are the matching files owned by root.
-type f says what type of entry we are looking for, so we say regular files (f).
2>/dev/null throws the errors into /dev/null, which filters them out so that they are
not printed to the console.
2 is the file descriptor for standard error, which is where errors are written. By
default they are printed on the console.
> redirects output to the specified place, in this case /dev/null.
/dev/null is the standard Linux device where you send output that you want ignored.
As we can see, the privilege escalation path is the bash binary, because its
permissions carry an 's'.
In the next step we remove the SUID permission that makes the privilege escalation possible.
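As an added example, not part of the original report, the following POSIX shell script ties the whole procedure together from an auditor's side: it enumerates SUID files under a given root with the same find expression as above (using -perm -4000, the numeric equivalent of -perm -u=s), compares the result against a baseline list so that any new SUID file stands out, checks an ls -l mode string for the 's', and finally clears the bit from a file as the remediation step. The function names and the baseline-file layout are my own assumptions.

```shell
#!/bin/sh
# Added example for the SUID lab (not part of the original report).
# Function names and the baseline-file layout are assumptions.

# List regular files with the set-user-ID bit set under the directory $1.
# -perm -4000 is the numeric form of -perm -u=s; 2>/dev/null drops the
# "Permission denied" errors, exactly as in the report's command.
list_suid() {
    find "$1" -perm -4000 -type f 2>/dev/null | sort
}

# Print SUID files under $1 that do not appear in the baseline file $2
# (one absolute path per line). Anything printed has gained the SUID bit
# since the baseline was taken and deserves a look; an unexpected SUID
# shell binary is the classic finding.
new_suid() {
    list_suid "$1" | grep -vxF -f "$2" || true
}

# Does an ls -l mode string (e.g. -rwsr-xr-x) carry the SUID bit?
# Position 4 is the owner's execute slot: 's' means SUID plus execute,
# 'S' means the SUID bit is set but the owner execute bit is missing.
has_suid_mode() {
    case "$1" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Remediation: clear the set-user-ID bit on file $1 so that it runs with
# the caller's own privileges again.
strip_suid() {
    chmod u-s "$1"
}

# Usage when run directly:  ./suid_audit.sh / baseline.txt
if [ "$#" -ge 2 ]; then
    new_suid "$1" "$2"
fi
```

The baseline is just the output of list_suid saved on a known-good system; rerunning new_suid against it turns the one-off find command from the report into a repeatable check for SUID bits that appear later.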