I was trying a CTF, where I found the base64 binary set as SUID. I checked through linpeas too, where it said it's vulnerable. I tried to escalate privilege by using the following steps:
1. Made a file named exploit and put the following code in it: `chmod +s /bin/sh`
2. Now I encoded it in base64 (`cat exploit | base64`), resulting in `Y2htb2QgK3MgL2Jpbi9zaAo=`
3. Then I used the following code to get it executed:
`base64 -d <<< Y2htb2QgK3MgL2Jpbi9zaAo= | sh`, and it says operation not permitted.
I tried changing the exploit script to `/bin/bash -p` and `#!/bin/sh /bin/bash -p`,
but it just gives me a normal bash shell. Can anyone explain why base64 being SUID and vulnerable is not giving a root shell, and how to get a root shell? (Sorry if I did something terribly wrong... I'm just a learner :)
It is not an exploit at all. You are just trying to execute the chmod command, and there is no difference whether you execute it from the shell directly or encode/decode it to base64 and then execute it from the shell.
I suppose the initial idea was to encode the chmod command and give the obfuscated command to a very, very stupid user who has superuser privileges, so he will execute it with superuser privileges, and anybody who runs "sh" will then run sh with superuser privileges.
Summary: encoding to base64 is not a vulnerability or an exploit. It is just encoding something to a string. The way you find the possibility to run this with superuser privileges should be the exploit.
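To make the answer's point concrete, here is a small added demonstration (my own script, not part of the question or the answer above) of why the `base64 -d ... | sh` pipeline from the question cannot gain anything: the SUID bit, if present, applies only to the `base64` process, while the `sh` that consumes its output is a separate, unprivileged process started by the caller's shell. The helper names (`encode_cmd`, `run_encoded`, `pipeline_uid_is_callers`) are my own; the command being encoded is just `id -u`, so the script only reports which uid the inner shell runs as.

```shell
#!/bin/sh
# Added example, not from the original post. Shows that decoding bytes and
# piping them into sh yields a shell running as the *caller*, regardless of
# any SUID bit on the decoder: privilege belongs to a process, not to the
# bytes it writes to stdout.

# Encode a command line as base64, exactly as `cat exploit | base64` does.
encode_cmd() {
    printf '%s\n' "$1" | base64
}

# Decode an encoded command and feed it to sh (the question's pipeline,
# written with printf instead of the bash-only <<< so it is POSIX sh).
# Prints whatever the decoded command prints.
run_encoded() {
    printf '%s\n' "$1" | base64 -d | sh
}

# Return success (0) if the uid observed inside the "decode | sh" pipeline
# equals the caller's uid, i.e. the pipeline gained no privilege at all.
pipeline_uid_is_callers() {
    enc=$(encode_cmd 'id -u')
    inner=$(run_encoded "$enc")
    outer=$(id -u)
    [ "$inner" = "$outer" ]
}

# Stand-alone run: report both uids side by side.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    printf 'caller uid:           %s\n' "$(id -u)"
    printf 'uid inside decode|sh: %s\n' "$(run_encoded "$(encode_cmd 'id -u')")"
    if pipeline_uid_is_callers; then
        echo "same uid: base64 decoding added no privilege"
    fi
fi
```

Running it prints the same uid twice: the inner `sh` is a child of your interactive shell, not of `base64`, so there is nothing for a SUID decoder to pass along. That is why `chmod +s /bin/sh` fails with "operation not permitted" and why `/bin/bash -p` just hands back an ordinary shell. As the answer says, the encoding step is only a string transformation; any real privilege escalation has to come from how the privileged process itself behaves, not from what it happens to print.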