systemctl
Initially I discovered that the /bin/systemctl binary has the SUID bit set, but then I also realized that I was unable to execute the binary while attempting to enumerate time-based processes (cron & systemd timers). It would just error out with permission denied.
PEAS has also flagged it as a 95%+ privilege escalation vector.
www-data@jarvis:/tmp$ ll /bin/systemctl
172K -rwsr-x--- 1 root pepper 171K Feb 17 2019 /bin/systemctl
All of this did not matter because I, as the www-data user, was unable to execute the binary in the first place, as its ownership is set to root:pepper.
Now that I have moved laterally to the pepper user, I am able to execute the binary.
systemctl, by nature, is vulnerable to privilege escalation if it has the SUID bit set to any low-privileged user.
Unfortunately though, the commands above didn't work. I will have to find a solution.
This worked.
I will be exploiting this to escalate the privilege to root.
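
An added example, not part of the original write-up: a small Python model of the kernel's execute check, showing why the listing above denies www-data but lets pepper run the binary with root's identity, and usable as an audit check for set-uid files. The function names and the group memberships are assumptions made for the example.

```python
"""Model the Linux execute check for a set-uid binary from its `ls -l` fields."""

def parse_mode(mode):
    """Split a 10-char mode such as '-rwsr-x---' into owner/group/other triads."""
    if len(mode) != 10:
        raise ValueError("expected a 10-character mode string")
    return mode[1:4], mode[4:7], mode[7:10]

def is_setuid(mode):
    # 's' = set-uid with owner execute, 'S' = set-uid without owner execute
    return parse_mode(mode)[0][2] in "sS"

def can_execute(mode, owner, group, user, user_groups):
    """Exactly one class applies (owner, then group, then other); no fall-through."""
    o, g, w = parse_mode(mode)
    if user == "root":
        # root still needs at least one execute bit to be set
        return any(t[2] in "xst" for t in (o, g, w))
    if user == owner:
        return o[2] in "xs"
    if group in user_groups:
        return g[2] in "xs"
    return w[2] in "xt"

def effective_user(mode, owner, group, user, user_groups):
    """Return the identity the process runs as, or None when exec is denied."""
    if not can_execute(mode, owner, group, user, user_groups):
        return None
    return owner if is_setuid(mode) else user

def audit(entry, accounts):
    """List accounts that would gain the owner's identity by running the file."""
    mode, owner, group, _path = entry
    return sorted(
        name for name, groups in accounts.items()
        if name != owner
        and effective_user(mode, owner, group, name, groups) == owner
    )

# Listing taken from the page; the group memberships are constructed sample data.
SYSTEMCTL = ("-rwsr-x---", "root", "pepper", "/bin/systemctl")
ACCOUNTS = {"www-data": {"www-data"}, "pepper": {"pepper"}}

if __name__ == "__main__":
    for name, groups in ACCOUNTS.items():
        print(name, "->", effective_user(*SYSTEMCTL[:3], name, groups))
    print("review:", SYSTEMCTL[3], "set-uid reachable by", audit(SYSTEMCTL, ACCOUNTS))
```

Any non-owner account returned by `audit` for a root-owned set-uid file is a candidate for removing the bit (`chmod u-s`) or tightening the group.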