Terminal size matters, hackers get root in unusual way
The command usr/bin/sudo /usr/bin/journalctl -n5 -u whatever.service prints out the log and exits. But we can't exploit it because journalctl exits right after printing. Our aim is to launch a shell from within the journalctl command. Journalctl uses less command by default to view the log. So we have to find a way to prevent the command from exiting. The trick can be found in the journalctl man page.
man journalctl | grep width -B 1 -A 2
The output is paged through less by default, and long lines are "truncated" to screen width.
The hidden part can be viewed by using the left-arrow and right-arrow
keys. Paging can be disabled; see the --no-pager option and the "Environment" section below.
So if we run this command in a small resized window, it won't exit after printing the log and then we can spawn a shell as root user.
7 comments
[ 2.8 ms ] story [ 25.6 ms ] thread