So here is the situation. I have a hypothetical system with 2 users: 'user1' and 'root'. The user 'user1' is just a normal non-sudoer user with uid=1000, and root is just a normal root user with uid=0.
Let's say that through a certain exploit in the system, user1 can get euid=0, but his uid still remains 1000. This sort of gives him some root abilities but not all. For example, accessing /root is done as if root were attempting to do it, but running 'sudo' or 'su' seems to be run based on UID and not EUID.
My question is: Is there an elegant way, one that doesn't require uploading binaries or changing /etc/shadow or /etc/passwd, to switch the uid to 0 as well, now that we have euid=0? It would also be great if the method works natively and doesn't assume that specific programs like gcc, for example, exist.
So far I have only managed to come up with
-c 'import pty; import os; os.setuid(0); pty.spawn("/bin/bash")'
which is fairly nice, but assumes that there is python installed on the system. Any better suggestion?
Asked by Bl4ckC4t
(11 rep)
Apr 14, 2021, 04:05 PM
Last activity: Jun 11, 2025, 12:06 PM