Helped me a bit to understand how the SUID bit works, but what would even be the reason to add the SUID bit to some executable?
Great video! Thanks for sharing.
Amazing Demo!
Breaking news:
Allowing users to execute a shell as root allows them to get a root shell
Nice observation
Can you block someone from using zsh?
At 8:54, when you typed zsh, you were logged in as root; that's why you have the # in your prompt, and I guess that was why it didn't ask for permission: you are running in root context, not as an ordinary user.
He got the root zsh because the SUID bit was set for zsh.
If it wasn't the case, he would have got the non-root zsh. That's the whole point of SUID vulnerabilities!
That’s the point he was trying to explain!
@hetsonii What admin in their right fucking mind would set the SUID on a fucking shell? There are some things that need to be run as root, and you can use something like GTFOBins to escape them and get a sh. I remember using man to privesc during the eJPTv2 exam. This would be a more practical way of privesc: finding out what is already allowed on the system to run as root for the user by typing sudo -l and heading over to GTFOBins, for example "man":
sudo man man
!/bin/sh
What if you are not in the sudoers group?
It’s not a vulnerability but a functionality
A functionality that leads to vulnerabilities like any functionality
@creed404 Just like TCP...
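
A defender's check for the misconfiguration this thread discusses (a shell carrying the SUID bit), added here as an example that is not from the video or from any commenter. The function names `audit_suid` and `count_suid_shells` and the `SHELL_NAMES` list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a directory tree for setuid files and flag shells.
# SHELL_NAMES is a constructed list; extend it with the shells you deploy.
SHELL_NAMES="sh ash bash dash zsh ksh mksh csh tcsh fish"

# Print one line per setuid regular file under $1:
#   "SHELL uid=<owner> <path>"  when the file name is a known shell
#   "suid  uid=<owner> <path>"  for every other setuid file
audit_suid() {
    dir=$1
    # -perm -4000 matches files with the setuid bit set; -xdev stays on
    # one filesystem so /proc or network mounts are not walked.
    find "$dir" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        name=$(basename "$path")
        owner=$(ls -ldn "$path" | awk '{print $3}')
        tag="suid "
        case " $SHELL_NAMES " in
            *" $name "*) tag="SHELL" ;;
        esac
        printf '%s uid=%s %s\n' "$tag" "$owner" "$path"
    done
}

# Number of setuid shells under $1; anything above 0 deserves a look,
# and a setuid shell owned by uid 0 is the case shown in the video.
count_suid_shells() {
    audit_suid "$1" | grep -c '^SHELL ' || true
}
```

Run `audit_suid /` as root for full coverage; clearing the bit on a flagged file is `chmod u-s <path>`.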