0

Here is the scenario: running `id` gives this:

```
uid=1001(test1) gid=1001(test1) euid=1000(bl4ckc4t) groups=1001(test1) -
```

This means that I am user test1, but my euid is set to another user.

My goal is to get my uid to change to 1000 from my current position with my euid being 1000.

The problem is that running something like `bash -i` will just look at my uid and create a shell based on my uid, not euid.

The only thing I came up with, which only works if you have euid=0, is:

```
python3 -c 'import pty; import os; os.setuid(0); pty.spawn("/bin/bash")'
```

Through python I can change my uid, and it works, except that if I try the equivalent for this case:

```
python3 -c 'import pty; import os; os.setuid(1000); pty.spawn("/bin/bash")'
```

it throws the exception `OSError: out of pty devices`

How can I achieve that change?

The general restrictions are to change it without uploading binaries, changing /etc/shadow or /etc/passwd. It would also be great if the method works natively and doesn't assume that specific programs, like gcc for example, exist.

schroeder
Bl4ckC4t
  • Find a way to call [setresuid(2)](https://man7.org/linux/man-pages/man2/setresuid.2.html) with appropriate arguments? But that seems rather obvious. What are your restrictions? Why are you trying to do this with funky Python one-liners? – Kevin Apr 14 '21 at 21:41
  • The problem is that from my current position I cannot run 'sudo -l' since it runs as if user test1 had run it instead of running as if bl4ckc4t ran it. So I need a way to get a bash shell with uid=1000 – Bl4ckC4t Apr 14 '21 at 23:02
  • So yes, it's sort of finding a way to call the setuid and also spawn a bash shell with that changed uid. – Bl4ckC4t Apr 14 '21 at 23:08
  • Try bash or sh with `-p`? – multithr3at3d Apr 22 '21 at 23:51
  • @multithr3at3d that doesn't work, it just keeps the shell the same and doesn't change the uid, leaving the euid the same as it was – Bl4ckC4t Apr 23 '21 at 08:58

2 Answers

2

The Linux system calls to do this are setreuid or setresuid, both available in section 2 of the manual. The difference is that setresuid lets you choose the saved user ID, whereas setreuid sets it automatically.

If you're using C/C++, this is easy; just `#define _GNU_SOURCE` and `#include <unistd.h>` (or the equivalent to call the relevant APIs in your language of choice). Languages that allow direct calls into C APIs should be similarly easy; the functions are defined in glibc (which many Linux programs already link against). If you're using another language that wraps the relevant APIs, such as Python, consult the documentation for the wrappers in that language.

To then run another program as that user, either use a member of the exec API family (possibly the execve syscall directly) to become that program, or vfork/clone a new process and then exec inside it, or use system/popen. If not on C/C++, use the suitable program-execution / process-creation API in your language of choice.

CBHacking
  • Ohhh, I see. Ok now I managed to change my uid, but 'sudo -l' still seems to not fully work for the new user. Now it seems to run on the correct user, but tells me that that user (bl4ckc4t) cannot run any sudo commands, which is not true. Maybe I need to change even the gid? Idk if that's possible without having my egid=1000 as well – Bl4ckC4t Apr 15 '21 at 12:15
0

In order to change just the uid you can use:

C/C++:

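```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(void) {
    if (setresuid(1000, 1000, 1000) != 0) { // where 1000 is the new uid
        perror("setresuid");                // the call was refused; do not spawn the shell
        return 1;
    }
    return system("/bin/bash");
}
```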

Python:

```
python3 -c 'import os; os.setreuid(1000,1000); os.system("/bin/bash")'
```

That gives a shell with id: uid=1000(bl4ckc4t) gid=1001(test1) groups=1001(test1)

schroeder
Bl4ckC4t
  • "Ok so" are filler words that add no value. You can remove them and they do not modify the sentence at all. and "u" is not a word. Please do not roll back valid edits without at least adding some added value as well. – schroeder Apr 15 '21 at 13:09
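
As an added example (not part of the original question, answers or comments): the credential states discussed on this page, read the way an auditor would inspect them, by parsing the `Uid`, `Gid` and `Groups` lines of `/proc/<pid>/status`. The two snapshots are constructed to mirror the `id` outputs above; their saved and filesystem IDs are assumptions, and the function names are hypothetical.

```python
from typing import Dict, List

FIELDS = ("real", "effective", "saved", "fs")  # column order in /proc/<pid>/status

# Constructed snapshots in /proc/<pid>/status format (not captured output):
# BEFORE mirrors the question's `id` output, AFTER the shell from the last answer.
# The saved and fs columns are assumed values.
BEFORE = ("Name:\tbash\nUid:\t1001\t1000\t1000\t1000\n"
          "Gid:\t1001\t1001\t1001\t1001\nGroups:\t1001 \n")
AFTER = ("Name:\tbash\nUid:\t1000\t1000\t1000\t1000\n"
         "Gid:\t1001\t1001\t1001\t1001\nGroups:\t1001 \n")


def parse_creds(status_text: str) -> Dict[str, object]:
    """Return the uid/gid quadruples and supplementary groups from status text."""
    creds: Dict[str, object] = {"groups": []}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in ("Uid", "Gid"):
            ids = [int(v) for v in value.split()]
            if len(ids) != 4:
                raise ValueError(f"malformed {key} line: {line!r}")
            creds[key.lower()] = dict(zip(FIELDS, ids))
        elif key == "Groups":
            creds["groups"] = [int(v) for v in value.split()]
    if "uid" not in creds or "gid" not in creds:
        raise ValueError("status text has no Uid/Gid lines")
    return creds


def mismatches(creds: Dict[str, object]) -> List[str]:
    """Credential sets whose real/effective/saved/fs IDs are not all equal."""
    return [k for k in ("uid", "gid") if len(set(creds[k].values())) > 1]


def changed(before: Dict[str, object], after: Dict[str, object]) -> List[str]:
    """Dotted names of every credential that differs between two snapshots."""
    out = [f"{k}.{f}" for k in ("uid", "gid") for f in FIELDS
           if before[k][f] != after[k][f]]
    return out + (["groups"] if before["groups"] != after["groups"] else [])


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        c = parse_creds(text)
        print(name, c, "split:", mismatches(c))
    print("changed by the UID call:", changed(parse_creds(BEFORE), parse_creds(AFTER)))
```

On a live Linux host, pass the contents of `/proc/<pid>/status` to `parse_creds`; a non-empty `mismatches` result marks a process whose real and effective IDs differ, and `changed` shows that the UID call leaves the GID and supplementary groups untouched.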