During a penetration test, you find a SUID-root executable /usr/local/bin/backup on a CentOS host. Static analysis shows the binary calls tar -czf /var/backups/www.tgz www through system() without specifying an absolute path. You have write permission in /tmp. What is the most reliable way to leverage this flaw to obtain a root shell?
Monitor backup with strace to harvest file activity and brute-force /etc/shadow once root passwords are captured.
Create a custom executable named tar that launches /bin/bash, store it in /tmp, prepend /tmp to PATH, then run /usr/local/bin/backup so it executes your payload as root.
Set LD_PRELOAD to a malicious shared library and run /usr/local/bin/backup so the library is injected with root privileges.
Use ptrace to attach to backup at runtime and inject shellcode into its memory space to gain a root shell.
Because the SUID program invokes tar via system() without an absolute path, it trusts the caller's PATH environment variable. By planting a malicious executable named tar that spawns a shell and placing a directory you control at the front of PATH, the SUID binary will execute your payload with root privileges. LD_PRELOAD is scrubbed for SUID binaries, so a preload attack will fail. Ptrace injection requires root capabilities or CAP_SYS_PTRACE, which you do not have. Simply observing the process with strace does not grant privileges and brute-forcing /etc/shadow is unrelated to this specific vulnerability.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
ELI5: What is a SUID-root executable?
Open an interactive chat with Bash
What is `system()` in programming?
Open an interactive chat with Bash
Why is modifying the PATH variable risky?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
System Hacking Phases and Attack Techniques
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .