Alright, So i have a setuid program that forks, and executes a program. I can control what program is executes, but if i run something like /bin/bash, I wont get the shell, since the program forks, so I dont have access to its stdin/stdout. What should I execute so I get access to a root shell.

The program basically runs tidy with execlp so I can add . to the path and add anything to a tidy executabel in the current dir. I ran the program I needed to run, but I get extra credit If i get a shell


I think I got
I'm gonna run a nc reverse shell on a port. Lets see if that work.
EDIT: did not work. the server had openbsd netcat so it does not have -e. What should I do?
EDIT2: nvm... The program sets the uid and gid to mine at the start of the program so It doesn't really matter. The uid is the same is mine, not root.

@kensp You'll need to include the SUID/SGID bit(s) on the resulting executable and then have it owned by root to have it SUID root. As for the root shell aspect, you need to either inherit the pointers to STDIN and STDOUT or replace the SUID image by having the parent process call `exec(3)` after some potential information from the child is received.

@architect actually the program dropped privs right at the start. They thought of that...

Still fun tho.

Sign in to participate in the conversation

Linux Geeks doing what Linux Geeks do..