SUID - pkexec
sudo method
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
sudo pkexec /bin/sh
pwnkit method
Here is an article I wrote previously on this: https://www.hackingarticles.in/linux-privilege-escalation-pwnkit-cve-2021-4034/
traitor tool
pkexec can be used for privilege escalation with the traitor tool as well.
pktty method
If pkexec has SUID bit set
Victim machine 1st terminal
Victim machine 2nd terminal
Victim machine 1st terminal
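A defender-side check for the two preconditions named on this page, a sudo rule that names pkexec and the SUID bit on the pkexec binary. This is an added example, not part of the original notes; the function names, the default paths /usr/bin/pkexec and /etc/sudoers, and the simple rule matching are assumptions.

```shell
#!/bin/sh
# Added audit example, not from the original page. Function names and default
# paths are assumptions; adjust them for the host being reviewed.

# has_suid FILE: true if FILE is a regular file with the set-user-ID bit.
has_suid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# count_pkexec_rules FILE: print how many active (non-comment) lines of a
# sudoers-style file name pkexec as a command. It does not expand Cmnd_Alias
# entries or blanket ALL grants, which also cover pkexec.
count_pkexec_rules() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" 2>/dev/null |
        grep -Ec '(^|[[:space:]/])pkexec([[:space:],]|$)' || true
}

# audit_pkexec BIN SUDOERS: print findings; exit status = number of findings.
audit_pkexec() {
    findings=0
    if has_suid "$1"; then
        echo "FINDING: $1 is SUID; if polkit is unpatched for CVE-2021-4034,"
        echo "         update it or remove the bit (chmod 0755 $1)"
        findings=$((findings + 1))
    fi
    if [ -r "$2" ] && [ "$(count_pkexec_rules "$2")" -gt 0 ]; then
        echo "FINDING: $2 lets a user run pkexec through sudo (root shell)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Run against the defaults, or override with PKEXEC_BIN / SUDOERS.
audit_pkexec "${PKEXEC_BIN:-/usr/bin/pkexec}" "${SUDOERS:-/etc/sudoers}" || true
```

Reading /etc/sudoers normally requires root, and rules under /etc/sudoers.d need the same check run per file.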
Dbus method polkit priv esc
Everything to know about it is in the blog above. It is a hit-and-try method that depends on how fast the system is in sending dbus messages.