@BugsBunny said:
I understand what all the parts of .rwxrwxrwx root root mean, but I’m not really sure when this information ever becomes useful?
Part of the problem answering this is that the real answer is “it depends”, which isn’t very helpful.
The information becomes useful when it is useful for an attack. A lot of the time it is just noise, so experience is really the best teacher here.
It is not possible to say “all files with the sticky bit set are useful for exploitation.” At best we can say “it is worth checking for files with the sticky bit set to see if anything unusual appears and then maybe that can be exploited.”
- Can I use the fact a file has SUID SGID bit set?
Yes. But the value to you depends on what the file is/does. If you don’t know what is normal for the OS, then it is hard to make this usable.
For example, you will often find /usr/bin/passwd has the sticky bit set, but this is normally not something you can exploit (if you do, it’s worth reporting it and getting it fixed).
However, if you find /opt/personal/myownfile is set to run as root, then there is a good chance it is exploitable (on a CTF; possibly not if it’s a live system which has been through a pentest etc.).
Have a look at your own system and see what is set up to run as root. This is a good way to determine normal.
- Is it significant when a file has a symbolic link?
Normally, no. I wouldn’t use this as a way to prioritise binaries in my enumeration.
However, there are exceptions to this but they are a minority.
- If I have just got onto a shell as, for example, user bob, do I treat files that are owned by bob any differently to files not owned by bob?
Yes. If you can read, write or execute files which belong to other users then it is possible that you can use this to progress the attack. However, this can be a needle in a needle stack.
An example is if you have a shell as bob, bob can read alice’s files, and one of alice’s files is a password.txt with alice’s password; this is definitely something you can use.
This is rare though, so don’t assume it will be there.
If you have a shell as bob and there is an executable file owned by alice, which runs as alice, then it might be a way to become alice.
Again, this is not common.
But you need to understand who owns what on the filesystem. Enumeration is one of the most important things to do, even though it can feel tedious and is certainly not as exciting as issuing arcane commands to get a reverse shell.
Really, you need to read and understand the environment you are in.
Also, as a slightly off-topic question: is it possible to change my UID? For example, I log in as Bob (UID 997) and I need to be Steve (UID 998); is there a way to change between the two as a way of moving laterally?
Well, finding the way to do this is how you move between accounts. The most basic is to compromise Steve’s account and su steve or ssh steve@machine. You can’t just “do” it as part of the OS commands.
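As an added example (not from the original post), here is a small Python triage helper that turns the “determine what is normal” advice into a check: it compares set-uid/set-gid files against a baseline of known-good paths and flags the ones worth a closer look. The KNOWN_GOOD set and the sample entries are constructed for this example; on a real host the baseline would be gathered from a known-good build of the same OS.

```python
import os
import stat

# Constructed baseline (an assumption for this example): set-uid/set-gid paths
# that are normal for this host. Anything outside it is worth a closer look.
KNOWN_GOOD = {"/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo"}


def setid_findings(path, mode, uid, gid, known_good):
    """Return findings for one set-id file, or [] if it is expected noise.

    mode is the full st_mode value; uid/gid identify the file's owner.
    """
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return []  # not a set-id file at all
    findings = []
    if path not in known_good:
        findings.append("not in baseline")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")  # anyone could replace the binary
    if not findings:
        return []  # expected set-id binary with sane permissions: noise
    # Add context on what the file would run as when executed.
    if mode & stat.S_ISUID:
        findings.append("runs as root" if uid == 0 else f"runs as uid {uid}")
    if mode & stat.S_ISGID:
        findings.append(f"runs with gid {gid}")
    return findings


def triage(entries, known_good=KNOWN_GOOD):
    """entries: iterable of (path, mode, uid, gid). Returns {path: findings}
    for every set-id file that deserves attention."""
    report = {}
    for path, mode, uid, gid in entries:
        findings = setid_findings(path, mode, uid, gid, known_good)
        if findings:
            report[path] = findings
    return report


def scan(root="/"):
    """Walk the filesystem and yield (path, mode, uid, gid) for regular files
    with a set-uid or set-gid bit, skipping anything that cannot be stat()ed."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield p, st.st_mode, st.st_uid, st.st_gid


if __name__ == "__main__":
    for path, findings in sorted(triage(scan("/usr")).items()):
        print(path, "->", ", ".join(findings))
```

Run it on your own machine first to build the baseline, as the post suggests; the interesting output on a target is then the short list that the baseline does not explain.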