SUDO Privileges at initctl | Privileges Escalation Technique | Ishara Abeythissa

initctl admit with System Administrators to link & communicate with Upstart. Able to manage user jobs. As example If D-Bus has been configured to allow non privileged users to invoke all Upstart D-Bus methods initctl is able to manage user-jobs.

What happen if you give SUDO privileges at this kind of binary. Let’s see. Remember,most of the time those attack techniques work due to lack of configuration practices on server.

Figure 01: Check SUDO Priv

As you can seen in figure 01 initctl own SUDO privileges. Usually initctl works with service configuration file located at /etc/init directory on linux servers. mmmmm. so What if we can inject malicious code into that services. Let’s try

Figure 02: lists of script

And we can check current status of the services using list command via initctl.

Figure 03: List of services

You can see script format in figure 03. Let’s try to inject a code which set SUID permission /bin/bash from that attack can takeover bash shell as root by modifying service “test” (which is customized service, does not come up as default job)

Figure 04: Injecting Code into script

Now let’s restart test service.

Figure 05: Escalated

Rooted :). Remember this will occur due to bad configuration issues. Hope you enjoy.