pH03n1x

Reputation: 1

How to escalate privilege through base64 binary when it is SUID

I was trying a CTF, where I found the base64 binary set as SUID. I checked with linpeas too, which said it's vulnerable. I tried to escalate privileges using the following steps:

1. Made a file named exploit and put the following code in it: `chmod +s /bin/sh`

2. Now I encoded it in base64 with `cat exploit|base64`, resulting in `Y2htb2QgK3MgL2Jpbi9zaAo=`

3. Then I used the following code to get it executed.

`base64 -d <<< Y2htb2QgK3MgL2Jpbi9zaAo= |sh` and it says operation not permitted

I tried changing the exploit script to `/bin/bash -p` and `#!/bin/sh /bin/bash -p`

but it just gives me a normal bash shell. Can anyone explain why base64 being SUID and vulnerable is not giving a root shell, and how to get a root shell? (Sorry if I did something terribly wrong... I'm just a learner :)

Upvotes: -2

Views: 3407

Answers (1)

Saboteur

Reputation: 1428

It is not an exploit at all. You are just trying to execute the chmod command, and there is no difference whether you execute it from the shell directly or encode/decode it with base64 and then execute it from the shell.

I suppose the initial idea was to encode the chmod command and give the obfuscated command to a very-very stupid user who has superuser privileges, so he will execute it with superuser privileges, and anybody who runs "sh" will run sh with superuser privileges.

Summary: encoding to base64 is not a vulnerability or an exploit. It is just encoding something to a string. The way you find a possibility to run this with superuser privileges would be the exploit.

Upvotes: 0
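The linpeas finding from the question, seen from the defender's side, as an added example that is not part of the question or the answer: the setuid bit changes the effective UID only of the process running that binary, so a `sh` on the other side of a pipe still runs as the caller, and the thing to fix is the unexpected bit itself. The names `SUID_ALLOWLIST`, `is_allowed` and `suid_audit` and the baseline list are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: report setuid files that are not on an expected baseline.

# Assumed baseline of basenames that commonly ship setuid on Linux;
# adjust it to the distribution being audited.
SUID_ALLOWLIST="su sudo passwd mount umount chsh chfn newgrp gpasswd"

# is_allowed NAME: succeeds when NAME is on the baseline.
is_allowed() {
    for allowed in $SUID_ALLOWLIST; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# suid_audit DIR: prints one "UNEXPECTED owner=<user> <path>" line per
# setuid regular file under DIR that is off the baseline.
# Returns 1 when at least one such file exists, 0 otherwise.
suid_audit() {
    # -perm -4000 selects the setuid bit; -xdev stays on one filesystem.
    report=$(find "$1" -xdev -type f -perm -4000 2>/dev/null | sort |
        while IFS= read -r path; do
            is_allowed "$(basename "$path")" && continue
            # The owner is the identity the binary runs as when executed.
            owner=$(ls -ld "$path" | awk '{print $3}')
            printf 'UNEXPECTED owner=%s %s\n' "$owner" "$path"
        done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Stand-alone use: sh suid_audit.sh /usr/bin
if [ "$#" -gt 0 ]; then
    suid_audit "$1"
fi
```

A flagged utility that has no need for elevated privileges is remediated by clearing the bit with `chmod u-s` on that path.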
