So here is the situation. I have a hypothetical system with 2 users: 'user1' and 'root'. The user 'user1' is just a normal non-sudoer user with uid=1000, and root is just a normal root user with uid=0.
Let's say that through a certain exploit in the system, user1 can get euid=0, but his uid still remains 1000. This sort of gives him some root abilities but not all. For example, accessing /root is done as if root were attempting it, but running 'sudo' or 'su' seems to be run based on UID and not EUID.
My question is: is there an elegant way, one that doesn't require uploading binaries or changing /etc/shadow or /etc/passwd, to switch the uid to 0 as well, now that we have euid=0? It would also be great if the method works natively and doesn't assume that specific programs like gcc, for example, exist.
So far I only managed to think of python -c 'import pty; import os; os.setuid(0); pty.spawn("/bin/bash")' which is fairly nice, but assumes that Python is installed on the system. Any better suggestion?
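A fuller version of the Python one-liner from the question, added here as an illustration and not code from the original post: it reads the real, effective and saved uids, refuses to do anything unless the effective uid is already 0, sets all three uids with setresuid() (so the saved uid does not stay at the unprivileged value either), resets PATH and only then spawns a shell on a pty. The shell path, the PATH value and the function names are assumptions for the example.

```python
import os
import pty

SHELL = "/bin/bash"                       # assumption: adjust to the target's shell
SAFE_PATH = "/bin:/usr/bin:/sbin:/usr/sbin"  # assumption: a PATH without user-writable dirs


def ids():
    """Return (ruid, euid, suid) for the current process (Linux)."""
    return os.getresuid()


def can_escalate():
    """True only when the effective uid is already 0.

    On Linux the kernel actually checks CAP_SETUID, which a process that
    reached euid 0 normally holds; euid==0 is the practical test here.
    """
    return os.geteuid() == 0


def escalate(spawn_shell=True):
    """Turn ruid=1000/euid=0 into ruid=euid=suid=0, then exec a clean shell.

    Returns False without touching anything if the process is not privileged,
    True when all three uids are 0 afterwards.  With spawn_shell=False the
    shell is skipped so the id change can be checked programmatically.
    """
    if not can_escalate():
        return False
    try:
        # setresuid(0, 0, 0) sets real, effective AND saved uid; a plain
        # setuid(0) does the same for a privileged caller, but this is explicit.
        os.setresuid(0, 0, 0)
    except PermissionError:
        return False
    if ids() != (0, 0, 0):
        return False
    if spawn_shell:
        env = dict(os.environ)
        env["PATH"] = SAFE_PATH
        os.environ.clear()
        os.environ.update(env)
        pty.spawn([SHELL, "-i"])
    return True


if __name__ == "__main__":
    print("before:", ids())
    if not escalate():
        print("euid is not 0; nothing to escalate from")
```
Run it from the euid-0 shell (python3 escalate.py); from an ordinary user shell it only prints the ids and exits, since setresuid() would fail with EPERM anyway.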
setreuid() there too. But if you do end up with a shell with UID=1000, EUID=0, the question is a bit about what counts as standard or "native" tools. Perl is installed by default on Debian, and it can be used here, e.g. perl -MEnglish -e '$UID = 0; $ENV{PATH} = "/bin:/usr/bin:/sbin:/usr/sbin"; exec "/bin/bash"'