search

Class Activity 10.1 - Linux - Permission Vulnerabilites

effective_user.c Code

The following 'C' program prints out the "effective user name" of the running process as opposed to the user who invoked that process. So if bob runs this program, bob would be printed out. If it is run as sudo, root would be printed out. If the suid bit is set, the owner of the file will be the effective user. So if root owns the file and bob runs it, the effective user will be root.

                                  
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <pwd.h> 

/*
* make sure to run the follwing:
* sudo chown root:root nameofprogram
* sudo chmod u+s nameofprogram
*/

 int main(int argc, char *argv[])
  {
    struct passwd *pw;
    uid_t uid;

   uid = geteuid ();
   pw = getpwuid (uid);
   if (pw)
     {
      puts (pw->pw_name);
      exit (EXIT_SUCCESS);
     }
   else
   {
     puts ("Error");
     exit (EXIT_FAILURE);
   }
 }
chevron-rightExplanation of Code hashtag

hashtag
Headers:

  • These are headers that have to be included in the code in order for the program to complie and work properly.

  • sudo chown root:root nameofprogram changes the ownership of the complied program to the root user

  • sudo chmod u+s nameofprogram sets the SUID bit, which makes the program run with the effective user ID of the file owner, not the real user ID of the person running the program. So if Bob runs this SUID program owned by root, the program runs as root even though Bob invoked it

  • int main(int argc, char *argv[]) This is the program's entry point. argc and argv are standard arguments to receive command-line input, though unused in this program.

  • struct passwd *pw; A pointer to a passwd structure, which stores user information (from /etc/passwd)

  • uid_t uid; A variable to store the User ID

  • uid = geteuid();returns the real user ID of the process (the user who invoked the program, not the effective ID).

  • pw = getpwuid(uid); takes a UID and returns a pointer to the corresponding passwd struct (which includes the username, UID, GID and home directory)

  • pw->pw_name gives the username associated with the UID

hashtag
If found, print the username:

hashtag
If user info isn't found:

hashtag
Deliverable 1:

Using the code above, create a file called effective_user.c and compile and execute the file as a normal user and using sudo. Provide a screenshot similar to the one below.

hashtag
Checking File Permissions

Deliverable 2. What are the octal (numeric) permissions of the effective_user program? Using ls -l you should be able to calculate these permissions, you can also use the "stat" program as a shortcut. Remember r=4,w=2, x=1, and "-" is a 0

  • Input the command ls -l effective_user

  • You will see permission information of the file effective_user

octal permission for effective_user file

Above we see the octal permissions of the effective_user program. In order to double-check this, we can also use the⁣ stat ⁣command in order to display detailed information about a file or directory, including permissions, ownership, size, timestamps, and more.

circle-exclamation

The dash at the front of the permissions is not a permission bit. It shows file type:

  • - = regular file

  • d = directory

  • l = symbolic link

  • c = character device

  • b = block device

When we write the 0 front of 755 that isn't saying that the leading - is equal to zero, that is saying "read this as an octal notation". Is the dash was a d or a c it would still be written as 0755 (given that there is no UID set).

hashtag
Octal permission for /etc/bin/passwd

The /usr/bin/passwd program has the suid bit set which means that the program runs with the owner's permissions (root).

This makes sense because when a normal user changes their password the /etc/passwd and /etc/shadow files must be changed.

Note the leading 4 in the octal code. This indicates a suid executable (the 'x' is implied).

Octal permission for /usr/bin/passwd
Octal permissions of /etc/bin/passwd
Special Mode
Octal
Description

SUID

4---

Set User ID on execution

SGID

2---

Set Group ID on execution

Sticky

1---

Sticky bit (for directories, mostly)

SUID + SGID

6---

Both SUID and SGID

SUID + Sticky

5---

SUID and Sticky bit

SGID + Sticky

3---

SGID and Sticky bit

All three

7---

SUID + SGID + Sticky

Octal
Permission
Meaning

0755

rwxr-xr-x

Standard executable

4755

rwsr-xr-x

SUID set, runs as owner

2755

rwxr-sr-x

SGID set, runs as group

1755

rwxr-t r-x

Sticky bit set (for dirs)

hashtag
Changing File Permissions

Deliverable 3. Figure out how to change the ownership of your c program executable such that the file is owned by user: root and group: root. Once you've done that, add the suid bit to the program

Changing the owner and group owner of the effective_user file
Reseting the UID

  • sudo chgrp root effective_user

    • Change the group ownership of the effective_user file to root

  • sudo chown root effective_user

    • Change the owner of the effective_user file to root

  • sudo chmod u+s effective_user

    • Reset the UID for the effective_user file.

    • u = user (the files owner)

    • + = add a permission

    • s = setuid bit

hashtag
Searching for SUID Programs in a System

Deliverable 4. Hit the internet and find a means to search for suid programs across your kali system. Do so as a normal user, as this is a privilege escalation technique you might use. Make sure to document this. You will need to deal with permissions errors by piping those to /dev/null. Provide a screenshot showing your command and listing similar to that below. Your own sudo program should be in the list.

hashtag
How to find files with SUID Set in Linux

hashtag
How to find files with SGID in Linux

hashtag
How to file files with SUID and SGID set in Linux

hashtag
How to pipe permission errors to /dev/null

This redirects standard errors to /dev/null, effectively silencing any permission denied or error messages you would normally see when find tries to access protected directories.

If you redirected both 1 and 2 to /dev/null, you’d discard everything the command might print.

circle-info

hashtag
Here's how the standard file descriptors are numbered:

Descriptor
Name
What It Means

0

Standard Input (stdin)

Where the program reads input from (usually your keyboard or piped input).

1

Standard Output (stdout)

Where the program writes normal output (usually your screen).

2

Standard Error (stderr)

Where the program writes error messages (also usually your screen).

LogoHow to Find Files With SUID and SGID Permissions in LinuxHow to Find Files With SUID and SGID Permissions in Linuxchevron-right
Sudo file displayed when looking for SUID files

hashtag
Finding the Hidden SUID Program

Deliverable 5. A suid program has been hidden on rocky (10.0.17.200). Please hunt it down. Provide a screenshot that shows the command and file found. It will be obvious and the name will start with a 'b'.

  • Login to sec335-rocky (10.0.17.200) from kali using ssh and your cyber.local credentials

    • ssh firstname.lastname@cyber@10.0.17.200

Secret SUID file /
Using stat to check the permissions of the booger file

hashtag
Find the World Writeable File

Deliverable 6. Create a user created a file under /etc that is world writable. Were this file to be of any security relevance, this could be a problem. Create such a file, and figure out how to find it. Show your command.

  • sudo nano /etc/hannelore_test.txt

  • sudo chmod o+w /etc/hannelore_test.txt

    • o+w means that this file is world writable

    • In Linux, a file “world writable” is a file that everyone can write

  • I used grep so I could specifically find my file (there were A LOT of world writable files)

Finding my user name world writable file

Deliverable 7. A world writable file has been hidden on rocky. Please hunt it down. It will start with an 's'.

  • -type f

    • We know that we are looking for a file, so we can filter our searches with this flag so that we don't get directories.

  • grep -v -e '/sys' -e 'proc'

    • We were told that its not in the sys or proc directories so we can use this command to filter them out.

    • -v invert match, ie exclude the following pattern

    • -e specifiy one or more patterns to be used during a search

PreviousModule 10: Permission Errors and Exploiting NancurinirNextLab 10.2 - Exploiting Nancurinir

Last updated