I am trying to achieve a privilege escalation. I have a virtual machine on Linux and I escaped from an rbash terminal. I now have a "normal" user terminal. My user is not in the sudoers file.

Is it possible to perform a privilege escalation using the ping command?

The SUID bit is set on /bin/ping, but I do not know how to proceed from there. Can anybody help?

schroeder
mb3354

1 Answer

A SUID binary is not inherently exploitable for privilege escalation. The problem is when there is a vulnerability in the software (e.g. many CTFs have a SUID binary that contains a buffer overflow vulnerability that can be exploited for privilege escalation) or an administrator sets the SUID bit on a binary that should not have it set. An extreme example of the latter would be an admin setting vim to SUID with owner root, allowing users to execute bash commands as root within a vim session (`:![shell command]`).

A quick reference check on this led me to this article on Linux privesc. You may find the section 3. Exploiting SUID Executables helpful.

The ping utility requires the binary to be owned by root and the SUID bit set because it sends/receives ICMP requests using "raw sockets" which only root can do. You would need to find either a vulnerable version of ping (I assume this is why @Arminius asked for the version) or a way to inject code/commands. Personally I have never been able to leverage ping in pentests or CTFs for privilege escalation, but that certainly doesn't mean it's not possible :)

A famous similar example is older versions of nmap, which supported the `--interactive` mode. If the SUID bit was set (many scans such as the default SYN scan `-sS` "require raw-packet privileges"), then you could drop to a root shell from the interactive mode. There is more info on this in the privesc link above if you're interested.

If you are looking at a CTF challenge, I typically start looking for obvious non-default SUID programs (ex. /opt/myprog/test.bin) first, and then come back to the "normal" suid programs like /bin/ping as a last resort after other checks are fruitless.

deletehead
  • One way to quickly list all such files is to use find, for example: `find / -user root -perm -4000 2>/dev/null` – Zeta Two Dec 17 '19 at 01:31
  • It stands to reason that the software in question could be the operating system or shell. Granted, you don't see as much of this sort of problem on Linux as you do on Windows. – corsiKa Dec 17 '19 at 07:10
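As an added worked example (my own script, not code from the answer or the comments above): the answer's triage order, written out so it can be run against the output of the `find` command from the first comment. Anything that is not on a stock-install baseline (such as `/opt/myprog/test.bin`) and anything known to hand out a shell when SUID (the answer's vim and nmap cases) is reported first; ordinary SUID binaries like `/bin/ping` come last. The baseline list and the shell-capable list are illustrative assumptions, not a complete reference, and the sample path list at the bottom is constructed so the script runs offline without scanning a filesystem.

```sh
#!/bin/sh
# Added example, not part of the original answer: triage SUID-root binaries
# in the order the answer recommends. Lists below are assumptions for
# illustration only.

# Assumed baseline: binaries commonly SUID root on a stock distro.
BASELINE="/bin/ping /bin/su /bin/mount /bin/umount /usr/bin/passwd /usr/bin/sudo /usr/bin/chsh /usr/bin/newgrp"

# Basenames that spawn a shell if SUID root (the two the answer mentions,
# plus vi as an alias of vim).
SHELL_CAPABLE="vim vi nmap"

# Read one path per line on stdin and print "<category> <path>", where the
# category is shell-capable, non-default or default. case patterns are used
# so the function stays safe under set -e.
classify_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        base=${path##*/}
        category=non-default
        case " $BASELINE " in
            *" $path "*) category=default ;;
        esac
        case " $SHELL_CAPABLE " in
            *" $base "*) category=shell-capable ;;
        esac
        printf '%s %s\n' "$category" "$path"
    done
}

# Print the classified list in triage order: shell-capable first, then
# non-default, then the "normal" SUID binaries last.
triage() {
    classified=$(classify_suid)
    for c in shell-capable non-default default; do
        printf '%s\n' "$classified" | grep "^$c " || true
    done
}

# On a live box, feed the find from the comment into triage instead:
#   find / -user root -perm -4000 -type f 2>/dev/null | triage
# Constructed sample input so this runs offline.
SAMPLE='/bin/ping
/bin/su
/usr/bin/passwd
/opt/myprog/test.bin
/usr/local/bin/nmap
/usr/bin/vim'

printf '%s\n' "$SAMPLE" | triage
```

The match on basename means a renamed or versioned binary (for example `/usr/bin/vim.basic`) lands in the non-default bucket rather than the shell-capable one, which is still the right place for it to get looked at early; extend `SHELL_CAPABLE` with whatever your target distro actually ships.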