Service Exec via sudo reboot


As previously identified, the cmeeks user is able to modify the pythonapp.service service due to the file’s group ownership. Additionally, the service is enabled to start at boot.

Given that the cmeeks user has write access to the pythonapp.service file (due to group ownership and permissions) and has sudo privileges to reboot the system, I can modify the service to run as root and trigger a reboot to execute it in the root security context.

Exploitation


Writing Kali’s public SSH key into the /root/.ssh/authorized_keys file

Rebooting with the sudo privileges

System Level Compromise

systemd successfully executed the service file, and it wrote Kali’s public SSH key into the /root/.ssh/authorized_keys file.
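A defender-side check for the misconfiguration this write-up relies on, as an added example that is not part of the original notes: it lists unit files and unit directories that are group- or world-writable. The sample tree, its file names other than pythonapp.service, and the ExecStart paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit systemd unit files for non-owner write access.

# Print unit files under the given directories that are group- or
# world-writable. -L follows symlinks, so units enabled through a
# *.wants/ link are judged by the permissions of the real file.
find_writable_units() {
    find -L "$@" -type f \
        \( -name '*.service' -o -name '*.timer' -o -name '*.socket' \) \
        \( -perm -020 -o -perm -002 \) 2>/dev/null | sort
}

# Print group- or world-writable directories in the unit search path.
# Write access to the directory allows replacing a unit file outright,
# even when the file itself is mode 644.
find_writable_unit_dirs() {
    find -L "$@" -type d \( -perm -020 -o -perm -002 \) 2>/dev/null | sort
}

# Build a constructed sample tree: one group-writable unit that is also
# enabled through a .wants symlink, and one correctly locked-down unit.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/multi-user.target.wants"
    # Constructed unit contents; the paths are placeholders.
    printf '[Service]\nExecStart=/usr/bin/python3 /opt/app/app.py\n' \
        > "$d/pythonapp.service"
    printf '[Service]\nExecStart=/usr/sbin/sshd -D\n' > "$d/ssh.service"
    chmod 664 "$d/pythonapp.service"   # group-writable: should be flagged
    chmod 644 "$d/ssh.service"         # owner-only write: should pass
    chmod 755 "$d" "$d/multi-user.target.wants"
    ln -s ../pythonapp.service "$d/multi-user.target.wants/pythonapp.service"
    echo "$d"
}

# When directories are passed as arguments, audit them, for example:
#   sh audit-units.sh /etc/systemd/system /lib/systemd/system
if [ "$#" -gt 0 ]; then
    find_writable_units "$@"
    find_writable_unit_dirs "$@"
fi
```

Any path this reports should be owned by root with mode 644 (files) or 755 (directories); combined with a sudo rule that permits reboot, a writable enabled unit is equivalent to root access.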