Exploiting set SUID to gain privileges of that user.

My goal is to learn more about Linux Privilege Escalation.

Currently I’m trying to exploit a simple cron vulnerability. The cron job (run by the target user) executes any .sh file in a certain directory, and that directory is writable for my current user. Therefore I can create a .sh script in that directory which in essence creates another .sh script owned by the target user, chmod’s 4777 that script, and eventually spawns a shell (with the privileges of the target user).

The code of the exploit .sh script inside the writable directory which is later run by the target user:

#!/bin/bash

touch /tmp/getShell.sh   # probably unnecessary
cat exploitTemplate.sh > /tmp/getShell.sh
chmod 4777 /tmp/getShell.sh

The exploitTemplate.sh script has the following content (I have tried many variations, none work):

#!/bin/bash

/bin/bash -i

Everything works, the getShell.sh file gets created with 4777 priv. The problem is that I’m still the “old” user after running getShell.sh. In my understanding of the SUID bit, in this case, running the script as any user results in a shell with the privileges of the file owner, which is the target user.

I found a way to get a shell by using gcc and the usage of setresuid of the target user, but I would like to understand why the approach above does not work.

Thanks in advance.

I understand, following your hint I found some threads with a similar problem regarding the usage of bash. I will read some more about nosuid now, I was not familiar with it before.

Thank you very much @sparkla, your answer helped me a lot!

Yes I will and I did.

I took a look inside /etc/fstab and found the nosuid protection set for the /tmp folder. Most of my tests which did not work inside /tmp worked fine in the target user’s home directory. I also noted that no protections were configured for /var/tmp, which enabled execution of suid files there as well. So I’ll keep that in mind for the future.

Thanks again man!
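The two reasons the thread ends up with (the kernel ignores the setuid bit on a #! script because it executes the interpreter instead, and a nosuid mount such as /tmp makes the kernel ignore the bit even on a native binary) can be checked for any file with a small audit helper. This is an added example, not code from the thread; it assumes Linux with /proc/mounts, and the function and status names are my own.

```shell
#!/bin/sh
# Added audit helper (not from the thread): report whether the setuid bit on a
# file is actually honoured by Linux and, if not, why. Assumes /proc/mounts exists.

# Print the mount options of the mount containing $1 (longest mount-point prefix wins).
mount_opts_for() {
    target=$(readlink -f "$1") || return 1
    best="" bestopts=""
    while read -r _dev mnt _fstype opts _rest; do
        hit=0
        if [ "$mnt" = "/" ]; then hit=1
        else case "$target" in "$mnt"|"$mnt"/*) hit=1 ;; esac
        fi
        if [ "$hit" = 1 ] && [ "${#mnt}" -ge "${#best}" ]; then
            best=$mnt; bestopts=$opts
        fi
    done < /proc/mounts
    printf '%s\n' "$bestopts"
}

# Print one of: missing, no-setuid, ignored-script, ignored-nosuid, effective.
suid_status() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 1; }
    [ -u "$f" ] || { echo "no-setuid"; return 0; }
    # The kernel runs the interpreter named in the shebang, not the script itself,
    # so mode 4xxx on a "#!" file never changes the effective uid.
    if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
        echo "ignored-script"; return 0
    fi
    # A nosuid mount (as the thread found for /tmp in /etc/fstab) makes the kernel
    # ignore the bit even on a native binary.
    case ",$(mount_opts_for "$f")," in
        *,nosuid,*) echo "ignored-nosuid"; return 0 ;;
    esac
    echo "effective"
}

# Usage: sh suid_check.sh /path/to/file ...
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(suid_status "$f")"
done
```

Running it over the getShell.sh from the question reports ignored-script regardless of where it lives, which is why /var/tmp or the home directory only helped once a compiled binary was used.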