Setuid and Setgid

Setuid is a Unix file flag that allows an executable to be run with the permissions of the file owner. It is often used to allow a user to perform tasks that would otherwise require privileged access.

Setgid is the same concept but instead applies to groups rather than users.

Let's take a look at the following example:

-rwsr-sr-x 1 root root 122 May 14 22:25 thefile

setuid is indicated by the first s whereas setgid is indicated by the second s.

Setting Permissions

# Change the setsuid flag:
chmod u+s $file

# Change the setgid bit:
chmod g+s $file 

# Change both the setuid and setgid bit:
chmod +s $file 

Locating SUID/SGID Binaries

# Locate suid and sgid-enabled files for the current user
find / -perm -u=s -type f 2>/dev/null

Escalating Privileges

Escalating privileges with these bits greatly depends on the binary that we haev in our posession. One of my favorite ways to search for what an binary can do is by referencing GTFOBins:

GTFOBinsgtfobins.github.io

References

Privilege Escalation via setuidantonyt.com