The command usr/bin/sudo /usr/bin/journalctl -n5 -u whatever.service prints out the log and exits. But we can't exploit it because journalctl exits right after printing. Our aim is to launch a shell from within the journalctl command. Journalctl uses less command by default to view the log. So we have to find a way to prevent the command from exiting. The trick can be found in the journalctl man page.
man journalctl | grep width -B 1 -A 2
The output is paged through less by default, and long lines are "truncated" to screen width.
The hidden part can be viewed by using the left-arrow and right-arrow
keys. Paging can be disabled; see the --no-pager option and the "Environment" section below.
So if we run this command in a small resized window, it won't exit after printing the log and then we can spawn a shell as root user.
by Iwillgetby on 1/17/20, 2:44 PM
Original source can be found easily online. Link not included because this comes from an online CTF that discourages spoilers.
by lfdominguez on 1/17/20, 8:49 PM
hummm, that's a less "problem", less is a software that allow execute programs with ! command, but not is a systemd problem, with man you can get the same behavior. The problem is the sysadmin that allow to execute that program with sudo.
by Someone on 1/17/20, 8:29 PM
I don’t understand. If you can run
usr/bin/sudo /usr/bin/journalctl
, what stops you from running
usr/bin/sudo /usr/bin/bash
instead?
by zzo38computer on 1/18/20, 12:48 AM
The pager should not automatically be executed. If the user use a pipe then you can use that way instead, rather than putting everything in one program; it work better due to this reason explained.