SUID/SGID Binary Abuse: GTFOBins and Custom Hunts
How to enumerate SUID and SGID binaries on Linux, map them against GTFOBins, and hunt the custom binaries that the public list will never cover for you.
By Arjun Raghavan, Security & Systems Lead, BIPI · March 5, 2025 · 9 min read
SUID is still the gift that keeps giving
Set user ID on execute is a 1970s feature that refuses to die. Every Linux box has at least a handful of SUID root binaries, and at least one in ten production fleets has a custom one written by someone who left the company three years ago.
Enumeration that does not miss
- find / -perm -4000 -type f 2>/dev/null for SUID
- find / -perm -2000 -type f 2>/dev/null for SGID
- find / -perm -6000 -type f 2>/dev/null for the combined bits
- Pipe results through xargs ls -la to grab owner, group, and mtime
- Diff the list against a known good baseline from a fresh install
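The enumeration and baseline diff above as one script. This is an added example, not code from the original post; it assumes GNU/POSIX find, sort, comm and GNU stat, and a full view of / requires running it as root. The same diff is what the build-time baseline in the detection section rests on.

```shell
#!/bin/sh
# Added example: enumerate SUID/SGID files under a root and diff against a baseline.
# Assumed: GNU/POSIX find, sort, comm; GNU coreutils stat for the detailed listing.

# Every regular file under $1 carrying the SUID or SGID bit, as paths relative
# to $1 so output is comparable between a golden image and a running host.
privileged_files() {
    root="${1:-/}"
    ( cd "$root" && find . -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | LC_ALL=C sort )
}

# Same list enriched with mode, owner, group and mtime (epoch seconds) for triage.
privileged_details() {
    root="${1:-/}"
    ( cd "$root" && find . -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec stat -c '%a %U %G %Y %n' {} + 2>/dev/null | LC_ALL=C sort -k5 )
}

# Entries present on the host but absent from the baseline file: audit or alert on these.
# comm needs sorted input, which privileged_files and a baseline made by it both are.
new_entries() {
    baseline="$1"; root="${2:-/}"
    privileged_files "$root" | LC_ALL=C comm -13 "$baseline" -
}

# Entries in the baseline that are gone from the host (bit removed, or file replaced).
missing_entries() {
    baseline="$1"; root="${2:-/}"
    privileged_files "$root" | LC_ALL=C comm -23 "$baseline" -
}

# Usage (constructed file names):
#   privileged_files / > suid-baseline.txt     # on the golden image
#   new_entries suid-baseline.txt /            # on a running host; any output is a finding
#   privileged_details /                       # owner/group/mtime for the leftovers
```

The baseline file is built with the same function and the same sort locale, so comm compares like with like; run new_entries from a cron job or a CI step and page on non-empty output.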
Mapping against GTFOBins
GTFOBins at gtfobins.github.io is the canonical list of Unix binaries that can be abused once they carry SUID. The SUID category page is your first stop. For each binary on the box, search the page and check the exact exploitation snippet.
- find with -exec /bin/sh -p; the -p flag keeps the effective UID instead of dropping to the real one
- vim.basic with :!/bin/sh, often missed on Ubuntu boxes
- env with env /bin/sh -p
- less and more shell escapes via the bang command
- python with the os module spawning sh -p
Custom SUID binaries
Custom binaries are where the real findings live. Look in /opt, /usr/local/bin, application install directories, and any path with the company name. Pull the binary back to your lab and read it.
- file and checksec --file to confirm architecture and protections
- strings -a to surface hardcoded paths, commands, and config files
- ltrace and strace to see which libraries and syscalls are invoked
- Ghidra or Binary Ninja for the decompile when strings are not enough
- Look for system, popen, and execv calls whose arguments are attacker-controllable
Libc and library tricks
- LD_PRELOAD is ignored by the dynamic linker when a binary runs in secure-execution mode, which SUID binaries do, apart from a narrow trusted-directory exception
- LD_LIBRARY_PATH is dropped the same way, but confirm the actual library resolution with ldd anyway
- Custom RUNPATH or RPATH that points to writable directories is golden
- readelf -d binary, grep for PATH to see embedded library search paths
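The RUNPATH check from the list above as a script. This is an added example, not the post's own tooling; it assumes binutils readelf and parses the GNU readelf line format (for example `(RUNPATH) Library runpath: [/opt/acme/lib:$ORIGIN/../lib]`, a constructed sample). The function names are my own.

```shell
#!/bin/sh
# Added example: extract RPATH/RUNPATH from readelf -d output and flag search
# directories an unprivileged user can write to or create. Assumed: binutils readelf.

# Print each directory of the RPATH/RUNPATH entries read on stdin, one per line.
# $ORIGIN is left unexpanded: a human maps it to the binary's own directory.
runpath_dirs() {
    sed -n 's/.*(R[UN]*PATH).*\[\(.*\)\].*/\1/p' | tr ':' '\n' | sed '/^$/d'
}

# Of the directories on stdin, print those that exist and are writable by the
# caller, or that do not exist but have a writable parent (anyone could create
# them). Run as an ordinary user, not root, or everything looks writable.
writable_dirs() {
    while IFS= read -r dir; do
        case "$dir" in
            '$ORIGIN'*) printf '%s (contains $ORIGIN, review manually)\n' "$dir"; continue ;;
        esac
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            printf '%s (writable)\n' "$dir"
        elif [ ! -e "$dir" ] && [ -w "$(dirname "$dir")" ]; then
            printf '%s (missing, parent writable)\n' "$dir"
        fi
    done
}

# Whole check for one ELF file: any output means the binary's library search
# path trusts a location that unprivileged users control, which is a finding
# to remediate (rebuild without the RUNPATH, or point it at a root-owned dir).
audit_runpath() {
    readelf -d "$1" 2>/dev/null | runpath_dirs | writable_dirs
}

# Usage: for f in $(find / -perm -4000 -type f 2>/dev/null); do audit_runpath "$f"; done
```

Because the two inner functions take stdin, the parser can be exercised on captured readelf output from a lab box without the binary present, and the writability check can be pointed at any list of directories.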
Detection and hardening
- Baseline SUID and SGID at build time, alert on any new entries via auditd
- Mount /tmp, /var/tmp, /dev/shm with nosuid to block dropped SUID binaries
- Replace SUID binaries with file capabilities where possible, ping is the classic example
- Remove the SUID bit from anything that does not need it, chmod u-s
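The nosuid mount check from the hardening list, as an added example rather than anything from the original post. It reads the Linux /proc/mounts format (device, mount point, type, options, dump, pass) and assumes only POSIX sh and awk; the watch list is a constructed starting point.

```shell
#!/bin/sh
# Added example: verify that writable scratch filesystems are mounted nosuid.
# Assumed: Linux /proc/mounts layout; POSIX sh and awk.

# Mount points that should never honour the SUID bit (constructed watch list;
# extend with any other world-writable mount on your builds).
WATCH_MOUNTS='/tmp /var/tmp /dev/shm'

# Read mount-table lines on stdin; for each watched mount point print
# "<mountpoint> <options>" when the option list lacks nosuid. A watched path
# that is not its own mount is reported too: a file dropped there lands on the
# parent filesystem, which usually honours SUID. The last matching line wins,
# because a later mount on the same path shadows earlier ones.
missing_nosuid() {
    table=$(cat)
    for mp in $WATCH_MOUNTS; do
        line=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { last = $0 } END { print last }')
        if [ -z "$line" ]; then
            printf '%s not a separate mount\n' "$mp"
            continue
        fi
        opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
        case ",$opts," in
            *,nosuid,*) ;;
            *) printf '%s %s\n' "$mp" "$opts" ;;
        esac
    done
}

# Live check on this host; empty output means every watched mount is covered.
check_host() {
    missing_nosuid < /proc/mounts
}
```

Any line printed is a remediation item: add nosuid (and nodev, noexec where the workload allows) to the entry in fstab or the systemd mount unit, then apply it live with `mount -o remount,nosuid <mountpoint>`.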
The GTFOBins list is necessary but not sufficient. The custom SUID binary that no one has audited since 2018 is where you actually win.
Workflow recap
Enumerate, intersect with GTFOBins, then audit the leftovers offline. Half the time the leftover is the finding, and it is the one you can write up with a proper CWE and remediation that the customer will actually understand.