In this post, we go over a Linux box from Cyberseclabs and demonstrate gaining root access by exploiting a misconfigured Linux service binary, in this case systemctl.

When a Linux service binary such as systemctl is installed with weak permissions or misconfigured settings, it can be abused for local privilege escalation. In the video below we demonstrate this on a lab machine from Cyberseclabs.

Initial Reconnaissance: Finding the Way In

My first step was to scan the machine, which revealed two open ports: 22 (SSH) and 80 (HTTP). Since I didn’t have any SSH credentials, I focused on the web server.

The website was running a Content Management System (CMS) called “CMS Made Simple,” version 2.2.4. I found the admin page and tried some default credentials, but no luck.

SQL Injection for the Win

I used searchsploit to look for exploits for this specific version of the CMS and found a promising SQL injection exploit. I downloaded the Python 2 exploit and ran it against the target URL with the rockyou.txt wordlist. After a little while, it successfully cracked the credentials, giving me the username “david” and the password “punisher.”

With these credentials, I was able to log into the admin panel.

Getting a Shell: The File Upload Vulnerability

Inside the admin panel, I found a “File Manager” that allowed me to upload files. This was my chance to get a shell on the machine.

I used msfvenom to generate a PHP reverse shell payload. I had a little trouble with the output format at first, but I sorted it out by changing it to “raw.”

The server was filtering file extensions, so I had to get creative. I changed the payload’s extension from .php to .phtml to bypass the filter, and it uploaded successfully.

I set up a Metasploit handler to listen for the connection, navigated to the URL of my uploaded payload, and boom! I had a Meterpreter session.

Privilege Escalation: Abusing systemctl

Now it was time to get root. I started by looking for SUID binaries on the system and found that systemctl had the SUID bit set, meaning it ran as root. This was my ticket to the top.

I consulted GTFOBins, a great resource for Linux privilege escalation techniques, and found a method for abusing systemctl with the SUID bit set. The trick is to create a custom service file that systemctl will execute as root.

I created a service file with a bash reverse shell payload that would connect back to my machine. I then hosted the file on a Python HTTP server and downloaded it to the target machine’s /tmp directory.

I set up a Netcat listener on my machine, moved the service file to the /etc/systemd/system/ directory, and then enabled and started the service.

And just like that, I got a reverse shell connection on my Netcat listener, and the id command confirmed that I had root privileges.
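A defender-side check for the misconfiguration used above, added here as an example and not part of the original walkthrough or the Cyberseclabs lab: it lists SUID binaries and flags the names that GTFOBins documents as giving root when SUID, systemctl included. The RISKY_NAMES selection and the sample find output are constructed for this example.

```shell
#!/bin/sh
# Audit the misconfiguration behind this box: a SUID bit on systemctl lets an
# unprivileged user install and start a unit file that runs as root.
# Names below are a short, non-exhaustive selection of binaries that GTFOBins
# documents as yielding root when SUID; extend it to fit your own baseline.
RISKY_NAMES="systemctl find env bash python vim"

# flag_risky_suid: read one path per line on stdin, print each path whose
# basename is in RISKY_NAMES. Always exits 0; callers count the output.
flag_risky_suid() {
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    name=$(basename -- "$path")
    for risky in $RISKY_NAMES; do
      if [ "$name" = "$risky" ]; then
        printf '%s\n' "$path"
        break
      fi
    done
  done
  return 0
}

# count_risky_suid: number of flagged paths in a newline-separated list.
count_risky_suid() {
  printf '%s\n' "$1" | flag_risky_suid | wc -l | tr -d ' '
}

# Constructed sample of `find / -perm -4000 -type f` output on a host carrying
# the same misconfiguration as the lab machine (not captured from it).
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/bin/systemctl
/usr/bin/find
/bin/mount'

# Run with --live to audit the current host instead of the sample.
if [ "${1:-}" = "--live" ]; then
  find / -perm -4000 -type f 2>/dev/null | flag_risky_suid
else
  printf '%s\n' "$SAMPLE_SUID" | flag_risky_suid
fi
# Remediation for a flagged binary: remove the bit (chmod u-s <path>) and grant
# the needed operation through a narrow sudoers rule instead.
```

On the sample the script prints /bin/systemctl and /usr/bin/find; passwd, sudo and mount legitimately need SUID and are not flagged.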

Technical Commands Used:

Here are the commands I used throughout this process:

  • clear
  • searchsploit
  • cd
  • sudo python
  • sudo nano payload
  • sudo msfvenom
  • use exploit
  • set payload
  • set AutoRunScript
  • getuid
  • shell
  • find
  • ls -la
  • cat
  • python -m SimpleHTTPServer
  • wget
  • pwd
  • ls
  • nc -lvp
  • systemctl
  • mv

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
