Linux uses suid vim.basic file to achieve privilege escalation

Reproduce on Kali

First set suid permissions for the required vim.basic file

chmod u+s /usr/bin/vim.basic

First adduser test1 a normal permission user

Now is a suitable environment for privilege escalation

You can find files with suid permissions by using the following command

find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;

The files that can be used to escalate privileges are

• nmap
• vim
• find
• bash
• more
• less
• nano
• cp

The idea of ​​using vim to elevate privileges is to modify the etc/passwd file and add a user with root privileges for yourself

The user format of the passwd file is: username:password:uid:gid:comment:home directory:user's shell

Here you can see the format of the root user

root:x:0:0:root:/root:/bin/bash

(The password part is x because the real password is stored in the /etc/shadow file)

Generate a password: use openssl passwd -1 –salt asd 123 (here is -1 (number 1) not L)

Write it directly in the passwd file.

toor:$1$asd$sTMDZlRI6L.jJEw2I.3x8.:0:0:root:/toor:/bin/bash

You can modify it with vim /etc/passwd, but when saving, E212 will appear, and it cannot be saved, prompting us that we do not have permission to modify this

At this time, you should use the vim.basic file found earlier to run it. This program has suid permissions. Definitely editable

vim.basic /etc/passwd

Use this to open, then modify the file and save it successfully

You can see that it has been added, switch to su toor, password 123, and then check the permissions with id

root permissions

chmod u+s /usr/bin/vim.basic

The above is the full content of this article. I hope it will be helpful for everyone’s study. I also hope that everyone will support 123WORDPRESS.COM.