Doas Privilege Escalation

doas executes arbitrary commands as another user. It's similar to sudo command. doas.conf is interesting to privilege escalation.

First of all, search location of doas.conf.

find / -type f -name "doas.conf" 2>/dev/null
Copied!

Next check the configuration.

doas -C /path/to/doas.conf
doas -C /etc/doas.conf
# or
cat /etc/doas.conf
Copied!

Execute doas as below.

doas -u root <command> <arg>
Copied!

Please also refer to GTFOBins to PrivEsc.

Last updated 2 years ago