SUID (Set User ID) and SGID (Set Group ID) binary exploitation targets executables that run with the permissions of their owner or group rather than the executing user. When SUID binaries owned by root contain vulnerabilities or unintended functionality, attackers leverage them to run commands as root.
Attackers enumerate SUID/SGID binaries and cross-reference the discovered binaries against known exploitation databases like GTFOBins. Exploitable SUID binaries include those that allow shell escapes (vim, find, nmap with interactive mode), binaries that read or write arbitrary files, binaries vulnerable to environment variable manipulation through PATH hijacking, and custom applications with command injection vulnerabilities. Attackers invoke the binary's built-in functionality in unintended ways or manipulate its execution environment. For SGID binaries, exploitation grants group-level access that may include reading sensitive files through shadow group membership.
SUID/SGID binaries are one of the most common and well-understood privilege escalation vectors on Linux. Despite being a known risk, organizations frequently deploy unnecessary SUID binaries or fail to audit existing ones. A single overlooked SUID binary on an interpreter or file manipulation tool can provide instant root access. Regular SUID auditing is a fundamental security hygiene practice.
CDA addresses SUID/SGID exploitation within the SPH domain as a core security hygiene topic. Theater missions include both exploitation exercises and hardening tasks where operators remove unnecessary SUID bits and implement alternatives. This reflects CDA's operational philosophy: understand the attack to build the defense.
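The auditing practice described above, as an added example that is not part of the original page or of any CDA material: a POSIX shell helper that enumerates SUID/SGID files the same way an attacker would (find with -perm), compares the inventory against an allowlist of paths that are expected to carry the bit, and strips the bits from files that should not have them. It assumes a Linux host with GNU or BusyBox find, stat and chmod; the allowlist location /etc/setid-allowlist.txt and the function names are assumptions, not a standard.

```shell
#!/bin/sh
# Added example (not from the original page): audit SUID/SGID files against an
# allowlist of expected paths and strip the bits from files that should not have them.
# Assumes Linux with GNU or BusyBox find/stat/chmod. The allowlist path is a placeholder.

# Print every regular file under ROOT (default /) with the SUID or SGID bit set,
# one per line as "<octal mode> <owner>:<group> <path>". Directories are skipped
# because setgid on a directory only controls group inheritance, and -xdev keeps
# the scan on one filesystem so /proc and network mounts are not walked.
list_setid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U:%G %n' {} + 2>/dev/null
}

# Compare the setid inventory under ROOT against ALLOWLIST (one absolute path per
# line). Prints one "UNEXPECTED ..." line per file not on the list and returns
# 0 when the inventory is clean, 1 otherwise, so it can gate a CI or config check.
audit_setid() {
    _root="${1:-/}"
    _allow="$2"
    if [ ! -r "$_allow" ]; then
        echo "audit_setid: allowlist '$_allow' is not readable" >&2
        return 2
    fi
    _report=$(mktemp)
    list_setid "$_root" | while read -r _mode _owner _path; do
        # -x: whole-line match, -F: literal, so /usr/bin/su does not match /usr/bin/sudo
        grep -qxF -- "$_path" "$_allow" || \
            printf 'UNEXPECTED %s %s %s\n' "$_mode" "$_owner" "$_path"
    done > "$_report"
    cat "$_report"
    _n=$(wc -l < "$_report")
    rm -f "$_report"
    [ "$_n" -eq 0 ]
}

# Hardening step: remove both bits from each PATH given. The program still runs,
# just with the caller's own privileges instead of the owner's.
strip_setid() {
    for _p in "$@"; do
        chmod u-s,g-s "$_p" && printf 'stripped setuid/setgid from %s\n' "$_p"
    done
}

main() {
    case "${1:-}" in
        list)  list_setid "${2:-/}" ;;
        audit) audit_setid "${2:-/}" "${3:-/etc/setid-allowlist.txt}" ;;  # placeholder path
        strip) shift; strip_setid "$@" ;;
        *) echo "usage: $0 list [ROOT] | audit [ROOT] [ALLOWLIST] | strip PATH..." >&2; return 2 ;;
    esac
}

# Only dispatch when invoked with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Running `sh setid_audit.sh list` on a fresh image and saving the output as the allowlist gives a baseline; a later `audit` run that prints anything means a setid bit appeared after deployment, which is exactly the "unnecessary or un-audited SUID binary" the section warns about. The non-zero exit status lets the audit sit in a cron job or CI pipeline, and `strip` is the remediation for entries that turn out not to need the bit.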