Tag: linux privilege escalation

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about various methods of Linux privilege escalation. In this article, you will learn in detail how to elevate privileges on Linux using SUID binaries.

What is SUID?

SUID is a shortcut for Set User ID. This is a special permission that can be assigned to Linux executables. When a SUID permission is assigned to a executable or binary, it runs with the privileges of the file’s owner when executed, rather than the user who executed it. For example, when a user with root privileges assigns SUID permission to a Linux binary and a user with low privileges executes that binary, it runs with root privileges and not with privileges of that user with low privileges.

This can be exploited to gain a root shell or perform actions with root privileges on the target Linux system. With the concept of SUID understood, let’s see how binaries with this bit set can be found. One way to find them is by using find command as shown below.

find / -perm -u=s -type f 2>/dev/null

Here are some examples of gaining root privileges by exploiting Linux binaries with SUID bit set.

1. bash

2. csh

3. env

4. nice

5. node

6. setarch

7. stdbuf

8. strace

9. taskset

10. tclsh

11. time

12. timeout

13. unshared

14. xargs

15. php

16. expect

17. find

18. python

19. flock

20. gdb

21. ionice

22. logsave

23. make

These are some examples of Linux privilege escalation by exploiting SETUID bit. Next, learn how to elevate privileges on a Linux system using cron jobs.

Hello, aspiring ethical hackers. In our previous blogpost, you learnt in detail about Linux privilege escalation. In this article, you will learn how to exploit cron jobs in Linux to elevate privileges on a Linux system.

What are cron jobs?

Cron is a job scheduler in Unix like operating systems like Linux and macOS. It allows users to schedule commands or scripts to run automatically at specific intervals or at fixed times and dates. These scheduled tasks are called as “cron jobs”. 

They are similar to Task Scheduler in Windows. For example, you have a Linux server and want to clean cache regularly once a day. You can do this manually everyday or schedule a job to do this daily without your intervention. Here’s where cron jobs assist you. You can assign a job in cron. Sometimes these jobs are assigned with root privileges and these can be exploited to gain root privileges. Let’s see it practically.

For this article, we will be using a Linux target system on which we already gained a shell. Then I run the PE.sh or Linux exploit suggester script on this system to find ways to elevate privileges. As I scroll down the output of our PE.sh file, we can see our target has some cron jobs set.

As you can see in the above images, we can set cron jobs monthly, daily or hourly. But our job here is to not schedule cron jobs. It is to exploit them. As we scroll down further, we can see the format of a cron job.

In the above image, you can see the exact format of a cron job. It is minutes first, followed by hours, day of month, month and day of week. We can see a cron job named /opt/new_year.sh that is scheduled to run at the 00:00 time of first day of the first month of every year. That is the occasion of New Year.

But what does * * * * * mean? It means these cron jobs are scheduled to run every minute of every hour of every day of the week (i.e daily) every month. That typically means these jobs run each and every minute. The important thing to notice here is that all these jobs are running as user “root”.

Let’s manipulate one of these scripts. Let’s say /opt/my_script.sh. We have a SETUID bit set on “dash” shell, one of the shells installed on the target system. This can be seen in the image below.

For this article, we will remove the SETUID bit set on the binary using cron jobs. Let’s edit the my_script.sh file with a command given below.

chmod u-s /bin/dash 

What this command does is, it will remove the SETUID bit set on the binary. Wait for one minute and check the /bin/dash command.

As you can see in the above image, the SETUID bit on the binary is now gone. Not just that, we can add new users on the target system using cron hobs as shown below.

That’s how cron jobs can be exploited for linux privilege escalation. Next, learn how to exploit SETUID bits to elevate privileges on a Linux system.