search

Service Hijacking

Service hijacking is a privilege escalation technique that targets misconfigured or weakly protected systemd service units. When a low-privileged user is allowed to reload or restart a service running as root, and has control over the unit file or any executable referenced by it, arbitrary code execution as root becomes possible.

This scenario commonly arises when service unit files or scripts are world-writable or owned by the user but executed with elevated privileges. Hijacking a service involves modifying either the service configuration or its executable to trigger payload execution during a systemctl restart.

# Check user's permissions
$ sudo -l

User x7331 may run the following commands on kali:
    (ALL) NOPASSWD: /bin/systemctl restart backup.service
    (ALL) NOPASSWD: /bin/systemctl daemon-reload
    (ALL) !/bin/bash, !/bin/sh, !/bin/su, !/usr/bin/sudo

# Check the service's status and the service file path
$ systemctl status backup.service

 backup.service - Backup Service
     Loaded: loaded (/etc/systemd/system/backup.service; enabled; preset: enabled)
     Active: inactive (dead)
     
# Check the service file's permissions
$ ls -la /etc/systemd/system/backup.service
-rw-rw-r-- 1 x7331 x7331 193 Apr 14 17:53 /etc/systemd/system/backup.service

# Review the contents of the file
$ cat /etc/systemd/system/backup.service

[Unit]
Description=Backup Service
<SNIP>

[Service]
Type=simple
ExecStart=/usr/local/bin/backup.sh # This is not writable
User=root
Group=root
<SNIP>
PreviousServicesNextrpc.py

Last updated