SUDO Privileges at initctl | Privileges Escalation Technique | Ishara Abeythissa
initctl allows a system administrator to communicate and interact with the Upstart init daemon, and it is able to manage user jobs. For example, if D-Bus has been configured to allow non-privileged users to invoke all Upstart D-Bus methods, initctl is able to manage user jobs.
What happens if you grant SUDO privileges on this kind of binary? Let's see. Remember, most of the time these attack techniques work because of poor configuration practices on the server.
As you can see in figure 01, initctl has SUDO privileges. initctl usually works with the service configuration files located in the /etc/init directory on Linux servers. Hmm. So what if we could inject malicious code into one of those services? Let's try.
We can check the current status of the services using the list command via initctl.
You can see the script format in figure 03. Let's try to inject code that sets the SUID permission on /bin/bash, so that the attack can take over a bash shell as root, by modifying the service "test" (a customized service that does not come as a default job).
Now let's restart the test service.
Rooted :). Remember, this happens because of bad configuration. Hope you enjoy.
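A defender-side audit for the conditions this technique depends on, as an added example that is not part of the original post: it looks for sudo rules that explicitly grant initctl, job files under /etc/init that someone other than root can edit, and a setuid bit on /bin/bash. The function names and the fixture contents are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added defensive example (not the post's code): audit for the conditions
# the technique above depends on. Function names are illustrative.

# Print sudoers lines that explicitly grant initctl, skipping comments.
# $1 = file holding sudoers text (e.g. a copy of /etc/sudoers).
find_initctl_grants() {
    grep -vE '^[[:space:]]*#([^0-9]|$)' "$1" |
        grep -E '(^|[[:space:]/,])initctl([[:space:],]|$)'
}

# Print the job directory, its subdirectories and any *.conf / *.override
# files that are group/world-writable or not owned by the trusted uid.
# $1 = job dir (default /etc/init), $2 = trusted owner uid (default 0).
find_editable_jobs() {
    find "${1:-/etc/init}" \
        \( -type d -o -name '*.conf' -o -name '*.override' \) \
        \( -perm -020 -o -perm -002 -o ! -user "${2:-0}" \) -print 2>/dev/null
}

# Succeed if $1 carries the setuid bit (the end state the post sets on bash).
has_setuid() { [ -u "${1:-/bin/bash}" ]; }

# Build a constructed fixture (not real host data) and print its directory.
make_fixture() {
    local d; d=$(mktemp -d)
    mkdir "$d/init"
    printf '%s\n' '# alice ALL=(root) /sbin/initctl' \
        'bob ALL=(root) NOPASSWD: /sbin/initctl' \
        'carol ALL=(root) /usr/bin/systemctl status *' > "$d/sudoers"
    printf 'script\n  echo ok\nend script\n' > "$d/init/test.conf"
    printf 'script\n  echo ok\nend script\n' > "$d/init/cron.conf"
    chmod 700 "$d/init"; chmod 666 "$d/init/test.conf"; chmod 644 "$d/init/cron.conf"
    echo "$d"
}

# Print all findings. $1 = sudoers text, $2 = job dir, $3 = uid, $4 = shell.
report() {
    echo "[sudo rules granting initctl]"; find_initctl_grants "$1" || echo "(none)"
    echo "[job files editable by others]"; find_editable_jobs "$2" "$3"
    if has_setuid "$4"; then echo "[!] $4 is setuid"; fi
}

# On a host, as root: ./audit.sh /etc/sudoers /etc/init 0 /bin/bash
# With no arguments nothing runs; call make_fixture + report to try it offline.
if [ "$#" -ge 2 ]; then report "$1" "$2" "${3:-0}" "${4:-/bin/bash}"; fi
```

The grant check only matches rules that name initctl, so a broad rule such as `ALL` and any drop-in files under /etc/sudoers.d have to be reviewed separately or concatenated into the input file.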