
# Lab 10.1: Linux - Permission Vulnerabilities

### suid Programs

```c
#include <stdlib.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/*
 * SEC335 Illustrate SUID Programs
 * based on: https://stackoverflow.com/questions/8953424/how-to-get-the-username-in-c-c-in-linux
 * Make sure to run the following:
 *   sudo chown root:root nameofprogram
 *   sudo chmod u+s nameofprogram
 */

int main(int argc, char *argv[])
{
  struct passwd *pw;
  uid_t uid;

  /* Effective UID: the identity the kernel uses for permission checks.
     For a SUID binary this is the file's owner, not the invoking user. */
  uid = geteuid();
  pw = getpwuid(uid);   /* look up the passwd entry for that UID */
  if (pw)
    {
      puts(pw->pw_name);
      exit(EXIT_SUCCESS);
    }
  else
    {
      puts("Error");
      exit(EXIT_FAILURE);
    }
}
```

**Deliverable 1.  Using the code above, create a file called effective\_user.c and compile and execute the file as a normal user and using sudo.  Provide a screenshot similar to the one below.**

<figure><img src="https://lh3.googleusercontent.com/hlQJBJF7ZcppRQ10aJ9IA-xv-EThBJ-ld--TDQtrD9UqKAskzCswDJy7jGqr_JkHiDiUEpwN4qjdhOBfRN9VioMfdxpWyx_98A3uMpyPAbf5U9U-Jc0w_L6wDaN1c2I9agc2LLljJL8t2f4iIUwkf9o" alt=""><figcaption></figcaption></figure>

**Deliverable 2.  What are the octal (numeric) permissions of the effective\_user program?  Using `ls -l` you should be able to calculate these permissions; you can also use the "stat" program as a shortcut.  Remember r=4, w=2, x=1, and "-" is a 0.**

<figure><img src="https://lh6.googleusercontent.com/DlZfqki3ky55V5IOxAcKX5xnA67dGLl1TGGYyzyz2nzRJIQ1tr-mf5UgoprVHa8ePM6jNlPzwZdLWeEssexY1_g03xtMYZQSN8d3vbcx3U-kYrvMguyjx3w9aMJ63u-GRpulhTzMRbkQEJumCY4NZec" alt=""><figcaption></figcaption></figure>

Repeat the following use of ls -l and stat on the passwd program

<figure><img src="https://lh6.googleusercontent.com/fxCOYVS2AurCkyITnZwq1g8GaOe8rKwru01srzXi_sM80T9hWv-rTbcXVbsqqc01RyLhfxr_rgeuZVAEJPh_9hkf-3GzRhNEX9VUc0jvTHQdQd9Mk4BmV60rxqaMQd654q316bAMqb3e1p7trKMI5dU" alt=""><figcaption></figcaption></figure>
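The r=4, w=2, x=1 arithmetic from Deliverable 2, extended to the leading "special" digit that the `s` in a suid listing adds. This is an added example, not part of the lab's own material; the function name `mode_to_octal` is hypothetical.

```bash
#!/bin/sh
# mode_to_octal MODE
# Convert an `ls -l` mode string such as -rwsr-xr-x into four octal digits.
# The first digit holds the special bits: setuid=4, setgid=2, sticky=1.
# Lowercase s/t means "special bit + execute"; uppercase S/T means the
# special bit is set but execute is NOT.
mode_to_octal() (
    # Drop the file-type character; keep the nine permission characters.
    # A trailing ACL/SELinux marker ("+" or ".") is cut off as well.
    perms=$(printf '%s' "$1" | cut -c2-10)
    if [ "${#perms}" -ne 9 ]; then
        echo "bad mode string: $1" >&2
        exit 1
    fi
    special=0
    digits=""
    i=0
    while [ "$i" -lt 3 ]; do            # 0 = user, 1 = group, 2 = other
        triad=$(printf '%s' "$perms" | cut -c$((i * 3 + 1))-$((i * 3 + 3)))
        d=0
        case $triad in r??) d=$((d + 4)) ;; esac
        case $triad in ?w?) d=$((d + 2)) ;; esac
        case $triad in
            ??x)    d=$((d + 1)) ;;
            ??[st]) d=$((d + 1)); special=$((special + (4 >> i))) ;;
            ??[ST]) special=$((special + (4 >> i))) ;;
        esac
        digits="$digits$d"
        i=$((i + 1))
    done
    echo "$special$digits"
)

# Run as a script:  sh mode_to_octal.sh -rwsr-xr-x
if [ "$#" -gt 0 ]; then
    mode_to_octal "$1"
fi
```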

**Deliverable 3.  Figure out how to change the ownership of your c program executable such that the file is owned by user: root and group: root.  Once you've done that, add the suid bit to the program (this is shown in the screenshot) and execute the program as a normal user.  Provide a screenshot similar to the one below:**

<figure><img src="https://lh5.googleusercontent.com/8Jt8QiJq6Sgp8U6hrFPY_odVNmLYP85waL37ZWkhcZxh5Tdr_8ftEBcIOCAasAFH3I-MLpjk5gK4z-WomIGfmA4JWlIwUcPyJ5_LIz4UkF2XboVASvp5l2DOx7sAtncK_J4TWvPgk4yt-d8uqEBpUG0" alt=""><figcaption></figcaption></figure>

**Deliverable 4. Hit the internet and find a means to search for suid programs across your kali system.  Do so as a normal user as this is a privilege escalation technique you might use.  Make sure to document this.  You will need to deal with permissions errors by piping those to /dev/null.  Provide a screenshot showing your command and listing similar to that below.  Your own sudo program should be in the list.**

```bash
find / -perm -4000 2>/dev/null
```

<figure><img src="https://lh6.googleusercontent.com/-hNTPqgu3pOsXZK23K4JH_k0udmTRdjqG4OD4rGFzQOTKLcp8HQ-jFsdsEA3QVus7LncuCvzddCbNw4fwGvjmlJk-rFWizuI-TWsZhi9xbIvMu4ZkOfakVJZBMcSV61KqahGVSaotu5IAXDmVNnNHD0" alt=""><figcaption></figcaption></figure>

**Deliverable 5.  A suid program has been hidden on rocky (10.0.17.200).  Please hunt it down.  Provide a screenshot that shows the command and file found.  It will be obvious and the name will start with a 'b'.**

<figure><img src="https://lh6.googleusercontent.com/zoJUsOgpbRncm4lBptGFMlQv6e5Px_EzOTqaLLKcWxXutcMgClOAy8rDlpwl7Rq734kPm8GIdRzhtRlwh0TfHJWWsXVCBIIxF3FLEJ9PcRo_cYAGl7Y2nehqq3SWB_Q_vVrN3jsZ5PE7w5HafT3gWvw" alt=""><figcaption></figcaption></figure>

### rwx errors

**Deliverable 6.  Consider the following screenshot.  This user created a file under /etc/ that is world writable. Were this file to be of any security relevance, this could be a problem.  Create such a file, and figure out how to find it.  Show your command.**

```bash
find /etc -type f -perm /o+w 2>/dev/null
```

<figure><img src="https://lh4.googleusercontent.com/qABtMdChM9wv_xDLEphjXcpDQxfVPrhCA9mNIZRHvRhw3a1Zx4wVasXxEWXRwMNamKuPRuNtre0jnQmwQ57xUXIwIeiva4KCIL9jtuJo6IEf5VgDjrV5wCvieEr6R5k7xtLZtuD5Sg8awjSkN1dFDCA" alt=""><figcaption></figcaption></figure>

**Deliverable 7.  A world writable file has been hidden on rocky.  Please hunt it down.  Provide a screenshot that shows the command and file found.  It will start with an 's'. (note, the sys and proc directories will give you a lot of false positives)**

```bash
# Exclude only paths under /sys/ and /proc/, not every path that merely contains "sys" or "proc"
find / -type f -perm /o+w 2>/dev/null | grep -Ev '^/(sys|proc)/'
```

<figure><img src="https://lh3.googleusercontent.com/5Wtuw5Rq6IITh9ht94tmrlpYDJEcZuQKM5fTGbtvjr6Gkl4YqOSuU_IJO6JtWldaOPSJc0AD2dDKS-bdo1psNcsmddhg6PBBbkA8_E6AnXKPSK5Ag-Mf8LNVduu4NymhpjgHbtYtdw6h1Y9kd1IHVYg" alt=""><figcaption></figcaption></figure>
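The searches from Deliverables 4 through 7 can be combined into one audit that an administrator runs against a baseline of expected suid programs, so that only unexpected ones are reported. This is an added example, not part of the lab's own material; the function name `audit_perms`, the baseline file and the output labels are assumptions.

```bash
#!/bin/sh
# audit_perms ROOT [BASELINE]
# Report suid regular files under ROOT that are not listed in BASELINE
# (one absolute path per line), plus every world-writable regular file.
# ROOT/proc and ROOT/sys are pruned inside find, so the false positives
# are skipped by directory rather than by pattern-matching on the path.
audit_perms() (
    root=${1%/}                     # "/" becomes "", so "$root/proc" is /proc
    baseline=${2:-/dev/null}        # no baseline: every suid file is reported

    # scan PERM: regular files whose mode includes all bits in PERM
    scan() {
        find "$root/" \( -path "$root/proc" -o -path "$root/sys" \) -prune -o \
            -type f -perm "$1" -print 2>/dev/null
    }

    # -4000 = setuid bit. grep -vxF drops exact, whole-line baseline matches.
    scan -4000 | grep -vxF -f "$baseline" | sed 's/^/UNEXPECTED-SUID /'

    # -0002 = write bit for "other"; for this single bit it selects the
    # same files as the lab's -perm /o+w.
    scan -0002 | sed 's/^/WORLD-WRITABLE /'
)

# Run as a script:  sh audit_perms.sh / /root/suid-baseline.txt
if [ "$#" -gt 0 ]; then
    audit_perms "$@"
fi
```

A baseline can be captured on a known-good system with the lab's own `find / -perm -4000 2>/dev/null` redirected to a file.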
