Wednesday, July 7, 2021

How To Run ANY COMMAND As The Owner Of The Script (setuid)

1. Save the below code as file a.c 
    int main(int ac, char **av) {
        int uid;
        uid = geteuid();
        setreuid(uid, uid);

        char **arguments = av + 1;
        system(*arguments);

        return 0;
    }
2. As userA, compile it, ie 
    gcc a.c -o aaa
3. As userA, set the sticky bit, ie 
    chmod 4755 aaa
4. now you can run any command as UserA, like this: 
    >aaa 'whoami'
    userA

    >aaa 'touch file1'
    >ls -al file1
    -rw-r----- 1 userA group
-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

How To Bypass Kerberos(kinit) Authentication

Whenever you try to setuid and impersonate as someone else to run something, it is very likely that you will run into kerberos/kinit issues....

  • Tokyo day 3 - 03 April 2016
    8am woke up. 10am walked to nearest 7-11 that we visited last nite. Hitting our luck and ask the joy if he sees a dropped pasmo card here...
  • Tokyo day 7 - 07 April 2016
    Today is a rainy day. It has already rained the whole night last night. 7am woke up 8am left house. 9am reach Roponggi. It was raining, not...
  • Tokyo day 4 - 04 April 2016
    8am woke up 10am leave house. Went to shunjyuku Calico cat cafe. Asked then and see whether they got any lost and found item. Sooooooo happy...