By: Kavin Jindal
Enumerating and exploiting SUID binaries is one of the most critical steps in escalating an attacker’s privileges on a Linux machine. It’s also one of the easiest ways to compromise a target if the attacker can find a vulnerable binary with the SUID bit set. However, separating custom SUID binaries from the ones a distribution installs by default can be a tedious task, and unless one is highly experienced in SUID enumeration, it can be quite challenging to find an exploitable binary on a system.
In today’s write-up, we’ll go through an underrated tool that solves all your problems regarding SUID enumeration and eases the process of exploiting vulnerable binaries.
This is a standalone Python script by Syed Umar Arfeen (Anon-Exploiter) that enumerates SUID binaries on a system and separates the custom binaries from the default ones, cross-referencing them against GTFOBins. It’s an easy-to-use tool that doesn't require any prerequisite installations and can be run straight away on the system, as long as Python is available.
Official Repository of SUID3NUM
Before I demonstrate the tool and showcase its usage, let’s briefly talk about SUID bits.
SUID is a special file permission. A file with the SUID bit set executes with the privileges of the user who owns the file, irrespective of which user runs it. When the owner is root, this makes the file a crucial endpoint for elevating privileges on a system and eventually gaining a root shell.
Let’s consider a small example.
I have gained an initial foothold on a system as a normal user. While conducting basic enumeration, I found a Docker binary that had the SUID bit set.
-rwsr-xr-x 1 root root /usr/bin/docker
Here the s in the owner's execute position denotes the SUID bit.
This tells me that even though the file is owned by the root user, I can execute it, and despite not having superuser access, the file will run with root privileges.
Therefore, I go to GTFOBins and search for docker, where I find the following exploit.
sudo install -m =xs $(which docker) .
./docker run -v /:/mnt --rm -it alpine chroot /mnt sh
Upon running those commands in the target system’s shell, I will successfully elevate my privileges to superuser and gain complete access to the target. It’s that easy.
To know more about enumerating SUID binaries, refer to the following resources:
https://juggernaut-sec.com/suid-sgid-lpe/
https://juggernaut-sec.com/suid-sgid-part-2-lpe/
To showcase the functioning of SUID3NUM, I will use a machine where I have already obtained an initial foothold as the user john. From here on, I will try to escalate my user privileges.
Here on the machine, I have downloaded the SUID3NUM Python script into the /home/john directory via a local HTTP server. You can do the same by cloning the GitHub repository of SUID3NUM on the attacker machine and running an HTTP server in the directory where the script is located. Following that, you can use wget or any other similar tool to download the script onto the target machine.
As there are no prerequisites required to be installed, we can straight away run the script via Python 3 using python3 SUID3NUM.py.
Keep in mind that it might take some time for the tool to enumerate the binaries.
In a minute or two, you will see the output as follows.
Initially, it will list out all the binaries it could find on the system.
It’s quite tough and time-consuming to pick the exploitable binaries out of this long list. Therefore, the tool separates the custom binaries from the default ones, giving better clarity on which binaries could be maliciously used.
There are still a lot of custom SUID binaries set up on the machine. The number of custom binaries varies from one system to another, and you never know how many you will come across. Hence, to make things even easier, SUID3NUM filters the list down to the binaries it found on GTFOBins.
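The two steps the post has described so far, recognising the SUID bit and separating the custom SUID binaries from the ones a distribution ships by default, are the same steps a defender performs when auditing a host. The script below is an added example of that audit written for this write-up; it is not SUID3NUM's code and does not consult GTFOBins. The EXPECTED_SUID baseline is a constructed sample, and a real audit would build it from a known-good image or the package database. The parse_mode_string helper interprets permission strings like the -rwsr-xr-x line shown earlier, including the capital S case where the SUID bit is set without an execute bit; find_suid walks the filesystem with lstat (so symlinks are ignored) and classify reports the unexpected entries together with two conditions a plain baseline comparison would miss.

```python
import os
import stat
from typing import Dict, Iterable, List

# Constructed baseline: SUID binaries found on a typical Debian/Ubuntu install.
# A real audit should derive this from a known-good image or the package database.
EXPECTED_SUID = frozenset({
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/fusermount3", "/usr/lib/openssh/ssh-keysign",
})

# Pseudo filesystems that a full-system scan should not descend into.
SKIP_DIRS = ("/proc", "/sys", "/dev")


def parse_mode_string(mode: str) -> Dict[str, bool]:
    """Interpret an ls -l permission string such as '-rwsr-xr-x'.

    The owner execute slot shows 's' when setuid and execute are both set and
    'S' when setuid is set without execute: the file cannot run as the owner,
    so that is a misconfiguration rather than an escalation path. The group
    slot behaves the same way for setgid.
    """
    if len(mode) != 10:
        raise ValueError(f"unexpected mode string: {mode!r}")
    owner_x, group_x, other_w = mode[3], mode[6], mode[8]
    return {
        "setuid": owner_x in "sS",
        "setuid_without_exec": owner_x == "S",
        "setgid": group_x in "sS",
        "world_writable": other_w == "w",
    }


def find_suid(roots: Iterable[str]) -> List[dict]:
    """Walk the given roots and return every regular file with the setuid bit.

    Uses lstat so symlinks are not followed, and skips directories it cannot
    read instead of aborting (a non-root auditor will hit plenty of those).
    """
    found = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
            dirnames[:] = [d for d in dirnames
                           if os.path.join(dirpath, d) not in SKIP_DIRS]
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and (st.st_mode & stat.S_ISUID):
                    found.append({"path": path, "uid": st.st_uid, "mode": st.st_mode})
    return found


def classify(entries: List[dict], baseline=EXPECTED_SUID) -> Dict[str, List[str]]:
    """Split SUID files into expected ones and ones that deserve a second look.

    'unexpected' is the custom-versus-default split; the other two buckets flag
    conditions that a baseline comparison alone does not reveal.
    """
    report = {"expected": [], "unexpected": [],
              "root_owned_world_writable": [], "setuid_without_exec": []}
    for e in entries:
        path, mode = e["path"], e["mode"]
        (report["expected"] if path in baseline else report["unexpected"]).append(path)
        if e["uid"] == 0 and (mode & stat.S_IWOTH):
            # Any user can rewrite a root-owned SUID file: treat as critical.
            report["root_owned_world_writable"].append(path)
        if not (mode & stat.S_IXUSR):
            report["setuid_without_exec"].append(path)
    return report


if __name__ == "__main__":
    import json
    roots = ["/usr/bin", "/usr/sbin", "/usr/lib", "/bin", "/sbin"]
    print(json.dumps(classify(find_suid(roots)), indent=2))
```

Run it as an unprivileged user and review the unexpected bucket first; anything root-owned and world-writable should be fixed immediately, and a setuid bit without an execute bit is usually leftover from a botched chmod rather than a deliberate design.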
See? It’s that simple. Here the base64 and busybox binaries were found vulnerable according to the list of binaries present on GTFOBins. You can use the relevant commands for the filtered binaries available on that website and elevate your shell to root.
But if you are feeling too lazy to do so and want more handholding, then this tool does that too.
It will list out the commands you can use to escalate user privileges. All you have to do now is copy and run them in the shell. Here it outputs /usr/bin/busybox sh.
This tool also provides the luxury of auto-exploitation of the binaries found on the system. Using this will automatically give you an elevated root shell within seconds. All you have to do is use the -e flag.
python3 SUID3NUM.py -e
As you can see, we have elevated our privileges on the system successfully. All it took was a minute, which is a lot easier than researching every single bin on the machine manually and attempting to exploit them.
This was a very simple showcase of SUID3NUM. I came across this tool a few weeks ago and was blown away by how much time and energy I was saving after putting it to use for enumeration. It saved me from the guesswork and endless research I would have to do in order to achieve full access to the system.
Even though it’s not the best practice to completely rely on tools everywhere, a tool like this can prove useful in instances where time plays an important role.
I hope you found this post helpful. To read more cybersecurity-related content, follow Avyukt Security.
Happy Hacking!