f1sh

Ruminations on habits and SUID


tl;dr

This is a rumination about habits and cybersecurity. Overlooking permission misconfigurations during pentesting, red teaming, or CTFs can be costly. Jumping into the rabbit hole of kernel exploits, pillaging, or whatever time-consuming attacks you fancy can often be avoided if one simply performs a careful assessment of the more immediate and actionable checks first, such as looking for misconfigured file permissions before turning to other privilege escalation vectors.

SUID 101

In a nutshell, the Set User ID (SUID) bit is a file permission in Linux that lets a user execute a file with the privileges of the file's owner. For example, when the owner of the binary is root and alice runs the binary, it runs as the root user, not as alice.

A file with the SUID bit set shows the character s in place of the owner's execute bit (x), as in the following example:

-rwsr-xr-x 1 root root 67K Apr 9 08:34 /usr/bin/find

What’s the implication?

Consider the low-privileged user alice, who has limited control of the machine. alice finds that /usr/bin/find has the SUID bit set. What can alice do then?

alice simply needs to run the following:

find / -exec /bin/sh \; -quit

This command runs a shell as root. With the root shell, the user has full control of the machine. If alice is a malicious actor or is controlled by a malicious actor, the entire machine can be fully compromised because of the SUID bit set on /usr/bin/find.

Habits to build

One of the recent boxes at Hack The Box proved to be tricky, with one user saying, “I spent 2 hours to root,” and another claiming it could have taken “1 minute” to achieve privilege escalation—all because of a missed misconfigured SUID binary.

A key takeaway from that box is: whether you use linpeas or manually run:

find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

does not really matter if important details are missed. It is generally good practice to establish a systematic approach to learning and solving problems. Needless to say, this applies well to cybersecurity exercises, whether in pentesting, red teaming, or attacking a box, where choosing the wrong lead to chase first can be costly.

Scenario

Let’s say you’re a red teamer or are attacking a box at your favorite CTF platform and came across the following:

alice:~$ find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
-rwsr-xr-x 1 root root 14488 Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-x 1 root root 14488 Apr 8 18:36 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 26944 Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
-rwsr-xr-x 1 root root 14648 Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
-rwsr-xr-x 1 root root 14648 Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
-rwsr-xr-x 1 root root 14648 Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
-rwsr-xr-- 1 root messagebus 51344 Oct 25 2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 477672 Jan 2 09:13 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root dip 395144 Jul 23 2020 /usr/sbin/pppd
-rwsr-xr-x 1 root root 44784 Feb 6 04:49 /usr/bin/newgrp
-rwsr-xr-x 1 root root 55528 Apr 9 08:34 /usr/bin/mount
-rwsr-xr-x 1 root root 166056 Apr 4 2023 /usr/bin/sudo
-rwsr-xr-x 1 root root 67816 Apr 9 08:34 /usr/bin/su
-rwsr-xr-x 1 root root 85064 Feb 6 04:49 /usr/bin/chfn
-rwsr-xr-x 1 root root 39144 Apr 9 08:34 /usr/bin/umount
-rwsr-xr-x 1 root root 88464 Feb 6 04:49 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 68208 Feb 6 04:49 /usr/bin/passwd
-rwsr-xr-x 1 root root 39144 Mar 7 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 53040 Feb 6 04:49 /usr/bin/chsh
-rwsr-xr-x 1 root root 14728 Oct 27 2023 /usr/bin/vmware-user-suid-wrapper

When you have done enough tests in the past and seen list after list of SUID binaries, you will notice that what stands out here are the enlightenment ones. The rest of the binaries typically have their SUID bit set on a stock install, as they require escalated privileges to do their job.
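The triage described above, done by hand in the post, can be made a habit by comparing the output of the find command against a baseline of binaries that are expected to be setuid. The script below is an added example, not code from the original post: the baseline list is an assumption modelled on a stock Debian/Ubuntu install, and the sample listing is a constructed subset of the output shown above. Anything not on the baseline (including third-party helpers such as the VMware wrapper) is simply flagged for review, not declared vulnerable.

```shell
#!/bin/sh
# Flag SUID binaries that are not part of an expected baseline.
# Assumed baseline for a stock Debian/Ubuntu-derived system; tune per image.
SUID_BASELINE='
/usr/bin/sudo
/usr/bin/su
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/umount
/usr/bin/fusermount
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/sbin/pppd
'

# triage_suid reads "ls -ld"-style lines (mode links owner group size
# month day year-or-time path) on stdin and prints only the paths that
# are absent from the baseline, together with their owner and mode.
triage_suid() {
    while read -r mode links owner group size d1 d2 d3 path; do
        [ -n "$path" ] || continue
        # Exact, fixed-string match of the whole path against the baseline.
        if ! printf '%s\n' "$SUID_BASELINE" | grep -qxF -- "$path"; then
            printf 'REVIEW: %s (owner=%s mode=%s)\n' "$path" "$owner" "$mode"
        fi
    done
}

# Constructed sample: a subset of the listing discussed in the post.
SAMPLE_LISTING='-rwsr-xr-x 1 root root 26944 Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
-rwsr-xr-x 1 root root 166056 Apr 4 2023 /usr/bin/sudo
-rwsr-xr-- 1 root dip 395144 Jul 23 2020 /usr/sbin/pppd
-rwsr-xr-x 1 root root 14728 Oct 27 2023 /usr/bin/vmware-user-suid-wrapper'

# On a live host, replace the sample with:
#   find / -user root -perm -4000 -exec ls -ld {} \; 2>/dev/null | triage_suid
printf '%s\n' "$SAMPLE_LISTING" | triage_suid
```

Only the enlightenment helper and the VMware wrapper are printed for the sample; sudo and pppd are filtered out as expected baseline entries.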

A quick search for what this enlightenment is turns up the associated CVE-2022-37706, a privilege escalation caused by mishandling of /dev/... Here's the link to the exploit for more details.

Using the exploit gives us the escalated privileges. So anything that stands out is worth checking, while missing it altogether means a rabbit hole of other vectors that costs time and energy.

Bottom line

There are several ways to approach a given machine, and sometimes, no matter the preparation or experience, we inevitably take the longer route only to find that the solution has been staring us in the face. Take comfort in that it simply signals the need to tweak our system and do better next time.