systemctl


As discovered previously, the current user has a sudo privilege to execute a systemctl command as the root user. I initially thought that I wouldn’t be able to directly exploit the binary and would need to find a way around to exploit that.

Except, I wasn’t paying enough attention. systemctl is one of those binaries that invokes and resorts to the default pager if the terminal space is not sufficient to display the entire output.

As seen earlier, executing the sudo command displays the output and that’s it.

That’s because the current terminal has sufficient space to do so.

puma@sau:~$ stty columns 20 rows 20

However, if I change the size...

It has indeed invoked and resorted to the default pager, less.

From there, I just need to spawn a shell.

System Level Compromise
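
A defender-side check for the condition described above, as an added example that is not part of the original write-up: it reads `sudo -l` style output and flags rules that allow systemctl or journalctl to run as another user without the sudoers NOEXEC tag or a fixed --no-pager argument. The sample rules, the unit name example.service and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit `sudo -l` style output for rules that let a
# pager-capable systemd tool run without NOEXEC or a fixed --no-pager.

audit_sudo_pager() {
    # Assumption: the tools treated as pager-capable for this check.
    awk -v tools="systemctl journalctl" '
    BEGIN { n = split(tools, t, " "); for (i = 1; i <= n; i++) pager[t[i]] = 1 }
    # Rule lines look like: (runas) TAG: TAG: /path/to/cmd args
    /^[ \t]*\(/ {
        rule = $0
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", rule)    # drop the runas spec
        noexec = 0
        while (match(rule, /^[A-Z_]+:[ \t]*/)) {    # peel leading tags
            if (substr(rule, 1, RLENGTH) ~ /^NOEXEC:/) noexec = 1
            rule = substr(rule, RLENGTH + 1)
        }
        split(rule, words, " ")
        m = split(words[1], parts, "/")
        bin = parts[m]                              # basename of the command
        if (!(bin in pager)) next                   # not a pager-capable tool
        if (noexec) next                            # NOEXEC blocks further exec
        if (index(" " rule " ", " --no-pager ")) next   # pager never starts
        print "RISK: " rule
    }'
}

# Constructed sample input, not captured from the host in the write-up.
sample_sudo_l() {
    cat <<'EOF'
User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status example.service
    (root) NOPASSWD: NOEXEC: /usr/bin/journalctl -u example.service
    (root) /usr/bin/systemctl --no-pager status example.service
    (root) NOPASSWD: /usr/bin/id
EOF
}

sample_sudo_l | audit_sudo_pager
```

On a real host the same function can be fed the live listing with `sudo -l | audit_sudo_pager`; only the first sample rule is reported, because the others either carry NOEXEC, pin --no-pager, or do not involve a paging tool.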