OpenCTI または OpenAEV プラットフォームを 30 日間お試しいただけます。 無料トライアル
XTM Hub by Filigranサインイン

Linux Privilege Escalation via Find Command

Endpoint Security Validation
Detection Rule Validation

概要

Check your SUID/SGID, exploit it and validate your security platforms works as expected

This scenario focuses on the discovery and exploitation of SUID misconfigurations on Linux systems, specifically targeting the find binary 🐧. The objective is to achieve privilege escalation to root by abusing an improperly configured SUID find binary.

🎯 Scenario Objective

When the find binary is owned by root and has the SUID bit set, it can be abused to execute commands with root privileges. This scenario demonstrates how such a misconfiguration can lead to full system compromise ⚠️.

🧩 Scenario Workflow (5 Steps)

🔍 SUID Enumeration The scenario begins by identifying binaries with the SUID bit set across the system to locate potential privilege escalation vectors.

🔎 SGID Enumeration Next, binaries with the SGID bit set are enumerated to further assess privilege escalation opportunities.

📖 Unauthorized File Read via SUID find The SUID find binary is exploited to read a restricted file, such as the root user’s history file, which should normally be inaccessible.

✍️ Unauthorized File Write The scenario demonstrates how find can be abused to write files into protected directories, bypassing standard permission controls.

⚡ Root Command Execution Finally, the SUID find binary is leveraged to execute arbitrary commands with root privileges, resulting in full privilege escalation.

🛠️ Detection & Exploitation Technique

This scenario showcases a realistic Linux privilege escalation path by chaining enumeration and exploitation techniques commonly observed in real-world attacks. It highlights the risks associated with misconfigured SUID binaries and emphasizes the importance of proper permission management 🔐.

🎯 Use Cases

This scenario is ideal for:

🧪 Privilege escalation testing on Linux systems

🔐 Auditing SUID / SGID misconfigurations

🎓 Training and demonstration of local Linux exploitation techniques

🧠 Understanding post-exploitation attack paths

基本情報

Filigran
Sébastien Miguel
2026年7月01日
2.0.14
90+
6

    当社は、XTM Hubの機能を動作させ、その利用状況を把握し、ユーザー体験を向上させるためにクッキーを使用しています。必須のクッキーは常に有効になっています。また、ユーザーの同意を得た上で、機能、パフォーマンス、分析、およびマーケティングを目的としたオプションのクッキーも使用しています。 すべてのクッキーを受け入れる、すべてを拒否する、または許可するオプションのクッキーを選択することができます。「クッキー設定」から、いつでも設定を変更できます。詳細については、当社のクッキーポリシーをご覧ください。