Wednesday, July 7, 2021

How To Run ANY COMMAND As The Owner Of The Script (setuid)

1. Save the below code as file a.c 
    int main(int ac, char **av) {
        int uid;
        uid = geteuid();
        setreuid(uid, uid);

        char **arguments = av + 1;
        system(*arguments);

        return 0;
    }
2. As userA, compile it, ie 
    gcc a.c -o aaa
3. As userA, set the sticky bit, ie 
    chmod 4755 aaa
4. now you can run any command as UserA, like this: 
    >aaa 'whoami'
    userA

    >aaa 'touch file1'
    >ls -al file1
    -rw-r----- 1 userA group
- No comments:
Subscribe to: Posts (Atom)

How To Bypass Kerberos(kinit) Authentication

Whenever you try to setuid and impersonate as someone else to run something, it is very likely that you will run into kerberos/kinit issues....

  • Tokyo day 3 - 03 April 2016
    8am woke up. 10am walked to nearest 7-11 that we visited last nite. Hitting our luck and ask the joy if he sees a dropped pasmo card here...
  • Tokyo day 7 - 07 April 2016
    Today is a rainy day. It has already rained the whole night last night. 7am woke up 8am left house. 9am reach Roponggi. It was raining, not...
  • Tokyo Day 2 - 02 April 2016
    Woke up at 8am. Left house at 10am. Reached Otemachi Station at 11am. Visited the Imperial Palace. There were a lot of people, but the...