During security assessments, and on TryHackMe or HackTheBox machines alike, enumerating file permissions on the target is a pivotal step once an initial foothold has been gained. Among the things to look for, misconfigured SUID (Set owner User ID) binaries remain one of the most reliable paths to privilege escalation.
What is SUID?
In Unix-like systems, SUID is a special permission bit on executable files. When a binary with the SUID bit set is executed by an ordinary user, the resulting process runs with the effective user ID of the file's owner (often root) rather than that of the user who launched it; the real user ID stays unchanged.
This mechanism is essential for a handful of system commands. For example, the passwd binary has to modify /etc/shadow, a file that only root may write to. By making passwd SUID root, unprivileged users can change their own password without being handed write access to the file itself.
The Risk: Misconfigured Custom Binaries
Problems arise when administrators set the SUID bit on custom utilities, or on general-purpose tools (interpreters, editors, compilers, file utilities) that can read or write arbitrary files, spawn other commands, or be steered through environment variables such as PATH. Any one of those capabilities, exercised with an effective UID of 0, is a complete privilege escalation. Note that on Linux the SUID bit is ignored on interpreted scripts (files run via a shebang line), so a SUID shell script is not itself exploitable this way; the danger is in SUID ELF binaries.
Step 1: Locating SUID Binaries
To find SUID executables on the target, search the filesystem with find; the -perm -4000 test matches files whose mode includes the set-user-ID bit:
# Locating all SUID files owned by root, discarding stderr errors
find / -perm -4000 -user root -type f 2>/dev/null
Review the output carefully. Compare it against the set of SUID binaries your distribution ships by default (passwd, su, sudo, mount and the like) and pay particular attention to anything in non-standard locations such as /opt/ or /home/user/.
Step 2: Leveraging GTFOBins
If a standard system tool shows up in the results, cross-reference it against GTFOBins (https://gtfobins.github.io/), a curated catalog of Unix binaries that can be abused to bypass local security restrictions, including a dedicated SUID section for each binary.
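Steps 1 and 2 can be folded into a small audit script. The following is an added example, not part of the original article or of GTFOBins: it enumerates SUID files under a chosen root (use / on a live target, or the mount point of an offline copy of the target's filesystem), strips the root prefix so paths can be compared against standard directories either way, and tags each hit as EXPECTED (its name is in an assumed allowlist of distribution-shipped SUID binaries and it sits in a standard bin directory), GTFOBINS (its name matches a short, illustrative subset of GTFOBins SUID entries, with the page to consult), or REVIEW (anything else, typically custom or out of place). The allowlist, the GTFOBins subset and the status words are this example's own assumptions; check the full catalog and your distribution's baseline before acting on the output.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: enumerate SUID files under a
# root directory and triage them. Allowlist, GTFOBins subset and status words
# are assumptions made for this example; tune them to the target's baseline.

# SUID binaries most distributions ship by default (assumed baseline).
SUID_ALLOWLIST="passwd su sudo mount umount chsh chfn newgrp gpasswd"

# Directories where distribution-shipped SUID binaries are expected to live.
STD_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/lib/openssh"

# Names GTFOBins documents with a SUID shell escape (illustrative subset).
# Full catalog: https://gtfobins.github.io/
GTFOBINS_SUID="find awk bash env python perl vim cp mv less more nmap"

# in_list WORD "w1 w2 ..." -> true if WORD is one of the space-separated words.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# find_suid ROOT: regular files under ROOT with the set-user-ID bit (mode 4xxx).
# -xdev stays on one filesystem; stderr is dropped to hide permission errors.
find_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# classify_suid ROOT PATH: print EXPECTED, GTFOBINS or REVIEW for PATH, which
# lives under ROOT (ROOT may be / or the mount point of an offline image).
classify_suid() {
    root="${1%/}"          # "/" becomes "", "/mnt/img/" becomes "/mnt/img"
    rel="${2#"$root"}"     # path relative to ROOT, leading slash kept
    name=$(basename "$rel")
    dir=$(dirname "$rel")
    if in_list "$name" "$GTFOBINS_SUID"; then
        echo GTFOBINS
    elif in_list "$name" "$SUID_ALLOWLIST" && in_list "$dir" "$STD_DIRS"; then
        echo EXPECTED
    else
        echo REVIEW
    fi
}

# triage_suid ROOT: one line per SUID file, "STATUS<TAB>PATH"; GTFOBINS lines
# also carry the GTFOBins page for that binary name.
triage_suid() {
    find_suid "$1" | while IFS= read -r path; do
        status=$(classify_suid "$1" "$path")
        if [ "$status" = GTFOBINS ]; then
            printf '%s\t%s\thttps://gtfobins.github.io/gtfobins/%s/\n' \
                "$status" "$path" "$(basename "$path")"
        else
            printf '%s\t%s\n' "$status" "$path"
        fi
    done
}

# Usage: bash suid_triage.sh /            (live host)
#        bash suid_triage.sh /mnt/image   (mounted copy of a target filesystem)
if [ $# -gt 0 ]; then
    triage_suid "$1"
fi
```

Matching is by exact basename, so versioned interpreters such as python3.11 will land in REVIEW rather than GTFOBINS; that is deliberate, since anything not positively identified deserves a manual look anyway.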
Example A: Exploiting SUID find
If find is SUID root, its -exec action will run an arbitrary command, and that command inherits root's effective UID. The -quit action stops the search after the first match so only one shell is spawned:
# Escape to elevated root prompt using find -exec
/usr/bin/find . -exec /bin/sh -p \; -quit
Example B: Exploiting SUID awk
If awk is SUID root, its built-in system() function spawns a shell that inherits the elevated effective UID:
# Execute an interactive shell within the awk interpreter
/usr/bin/awk 'BEGIN {system("/bin/sh -p")}'
[!IMPORTANT] The -p flag: when bash (and dash, which provides /bin/sh on Debian-based systems) starts with an effective UID that differs from the real UID, it resets the effective UID back to the real one unless it was started with -p. Appending -p keeps the inherited effective UID of root, and also stops the shell from reading its startup files. Confirm the result with id: the output should show euid=0(root) while uid is still your unprivileged account.
Remediation & Hardening
- Audit SUID Permissions: Maintain a baseline of the SUID binaries your distribution ships and compare the output of the find command above against it on a schedule. Anything outside that baseline, and especially anything under /opt/, /home/ or /usr/local/, needs a documented justification or should have the bit removed.
- Remove Unnecessary SUID Bits: Strip the bit with chmod, then confirm with stat or ls -l that the mode no longer carries it:
chmod u-s /path/to/vulnerable_binary
- Principle of Least Privilege: If a workflow genuinely needs a privileged step, grant it through sudo with an exact command entry in /etc/sudoers (or a drop-in under /etc/sudoers.d/) rather than making a general-purpose binary SUID root. A sudoers rule names the specific user, command and arguments and is logged; a SUID bit hands the whole program's functionality, as root, to every local user.
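The strip-and-verify step, as an added example rather than anything from the original article: a small remediation script that takes paths flagged by an audit, records each file's current octal mode in a log before touching it, removes the SUID bit, and verifies that the bit is gone. It runs as a dry run unless APPLY=1 is set, and restore_suid puts the recorded mode back if a stripped binary turns out to be needed after all. The log location, the APPLY switch and the status words are this example's own conventions.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: strip the SUID bit from audited
# binaries reversibly. Log path, APPLY switch and status words are conventions
# chosen for this example.

# Where original modes are recorded (tab-separated: timestamp, path, old mode).
SUID_LOG="${SUID_LOG:-./suid-remediation.log}"

# file_mode PATH: octal mode including special bits, e.g. 4755 (GNU stat).
file_mode() { stat -c '%a' "$1"; }

# has_suid PATH: true if the set-user-ID bit is currently set.
has_suid() { [ -u "$1" ]; }

# strip_suid PATH: record the old mode, drop the SUID bit, verify it is gone.
# Prints SKIP, DRYRUN, OK or FAIL followed by details; returns 1 on FAIL.
strip_suid() {
    path="$1"
    if ! has_suid "$path"; then
        printf 'SKIP %s (no SUID bit)\n' "$path"
        return 0
    fi
    old=$(file_mode "$path")
    if [ "${APPLY:-0}" != 1 ]; then
        printf 'DRYRUN chmod u-s %s (current mode %s)\n' "$path" "$old"
        return 0
    fi
    # Log first so the original mode survives even if verification fails.
    printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$path" "$old" >> "$SUID_LOG"
    chmod u-s "$path"
    if has_suid "$path"; then
        printf 'FAIL %s (bit still set)\n' "$path"
        return 1
    fi
    printf 'OK %s %s->%s\n' "$path" "$old" "$(file_mode "$path")"
}

# restore_suid PATH: chmod PATH back to the last mode recorded for it in the log.
restore_suid() {
    mode=$(awk -F'\t' -v p="$1" '$2 == p { m = $3 } END { print m }' "$SUID_LOG" 2>/dev/null || true)
    if [ -z "$mode" ]; then
        printf 'NOLOG %s (no recorded mode)\n' "$1"
        return 1
    fi
    chmod "$mode" "$1"
    printf 'RESTORED %s %s\n' "$1" "$mode"
}

# Usage:  bash strip_suid.sh /opt/app/backup          (dry run, nothing changed)
#         APPLY=1 bash strip_suid.sh /opt/app/backup  (strip, logged, verified)
if [ $# -gt 0 ]; then
    for p in "$@"; do
        strip_suid "$p"
    done
fi
```

Run it as root against the REVIEW items from your audit, keep the log with your change records, and re-run the find command afterwards to confirm the baseline is what you expect.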
Conclusion
SUID bits deserve ongoing administrative attention. A single misplaced bit on a general-purpose binary turns any local account into root, so the defence is routine: enumerate SUID files regularly, compare the list against a known baseline, and remove every bit that is not justified. Done consistently, this closes one of the most common local privilege escalation paths an attacker will look for after gaining a foothold.