puma


Checking for sudo privileges of the puma user after completing some basic enumeration

puma@sau:~$ sudo -l
Matching Defaults entries for puma on sau:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service

The user is able to execute the command /usr/bin/systemctl status trail.service as root without being prompted for a password. PEAS also picked this up.

systemctl


According to GTFOBins, the systemctl binary can be abused for privilege escalation if it is allowed to run as the superuser.

However, the complete sudo entry includes fixed arguments (status trail.service), so I'd have to find a way to exploit it with those in place.

Because systemctl hands its output to the default pager when it does not fit in the terminal, I can leverage this to get to root. Moving on to the Privilege Escalation phase.
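As an added example that is not part of the original writeup, the shell helper below audits `sudo -l` style output for systemctl entries that can still drop into an interactive pager (no `--no-pager` and no `SYSTEMD_PAGER=` prefix), which is exactly the weakness in the entry above. The function names and the sample `sudo -l` output are constructed for this example.

```shell
#!/bin/sh
# Hypothetical audit helper (added example, not from the original writeup).
# Reads "sudo -l" output on stdin and prints every sudo rule that runs
# systemctl without disabling the pager. Such a rule lets the invoking
# user reach an interactive pager running as the rule's target user.

flag_pager_risk() {
    # Keep rule lines: "(runas) [NOPASSWD:] /path/to/systemctl ..."
    # Drop the ones that already neutralise the pager.
    grep -E '^[[:space:]]*\(.*\).*systemctl' \
        | grep -vE -- '--no-pager|SYSTEMD_PAGER=' || true
}

count_pager_risk() {
    # Number of risky rules found on stdin (0 when none).
    flag_pager_risk | grep -c . || true
}

# Constructed sample: one risky rule, one hardened rule, one unrelated rule.
SAMPLE_SUDO_L='User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl --no-pager status trail.service
    (ALL : ALL) NOPASSWD: /usr/bin/apt update'

# Stand-alone run: print the risky rule(s) from the constructed sample.
printf '%s\n' "$SAMPLE_SUDO_L" | flag_pager_risk
```

Hardening the rule means writing `--no-pager` into the sudoers entry itself (e.g. `/usr/bin/systemctl --no-pager status trail.service`); because sudo matches the argument list exactly, the user then has to type the flag as well. Note that `env_reset` in the Defaults above already discards a caller-supplied `SYSTEMD_PAGER`, so the fix must live in the command, not in the environment.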