The command usr/bin/sudo /usr/bin/journalctl -n5 -u whatever.service prints out the log and exits. But we can't exploit it because journalctl exits right after printing. Our aim is to launch a shell from within the journalctl command. Journalctl uses the less command by default to view the log. So we have to find a way to prevent the command from exiting. The trick can be found in the journalctl man page.
<pre><code>man journalctl | grep width -B 1 -A 2
</code></pre>
<pre><code>The output is paged through less by default, and long lines are "truncated" to screen width.
The hidden part can be viewed by using the left-arrow and right-arrow
keys. Paging can be disabled; see the --no-pager option and the "Environment" section below.
</code></pre>
So if we run this command in a small resized window, it won't exit after printing the log, and then we can spawn a shell as the root user.
Hmm, that's a less "problem": less is software that allows executing programs with the ! command, but it is not a systemd problem; with man you can get the same behavior. The problem is the sysadmin who allows executing that program with sudo.
I don’t understand. If you can run
<pre><code>usr/bin/sudo /usr/bin/journalctl
</code></pre>
, what stops you from running
<pre><code>usr/bin/sudo /usr/bin/bash
</code></pre>
instead?
The pager should not be executed automatically. If the user uses a pipe, then you can use that way instead, rather than putting everything in one program; it works better for the reason explained.
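The point made in this thread (the risk lives in the sudo rule, and a pager should never start from a privileged command) can be checked mechanically. The following is an added example, not code from the thread or from sudo/systemd: a POSIX sh function that flags sudoers rules granting journalctl, man or less unless the rule carries the NOEXEC: tag or pins journalctl to --no-pager; the rule lines are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: flag sudoers rules that grant a command
# which pages through less (journalctl, man) or is less itself, unless the
# rule carries the NOEXEC: tag (sudo then blocks less from spawning programs)
# or pins journalctl to --no-pager so no pager starts at all.

# Commands the thread names as handing control to a pager, or being one.
PAGER_CMDS=" journalctl man less "
# audit_sudoers_rule RULE -> prints RISKY, OK, or SKIP (comment/Defaults/alias)
audit_sudoers_rule() {
  rule=$1
  case "$rule" in
    ''|'#'*|Defaults*|*_Alias*) echo SKIP; return 0 ;;
  esac
  spec=${rule#*=}                                      # drop "user HOST=" prefix
  case "$spec" in '('*')'*) spec=${spec#*')'} ;; esac  # drop "(runas)" part
  verdict=OK
  rest=$spec
  while [ -n "$rest" ]; do                             # one command spec per pass
    case "$rest" in
      *,*) cmd=${rest%%,*}; rest=${rest#*,} ;;
      *)   cmd=$rest; rest= ;;
    esac
    noexec=no; nopager=no; prog=
    for tok in $cmd; do
      case "$tok" in
        NOEXEC:)     noexec=yes ;;
        *:)          ;;                                # other tags, e.g. NOPASSWD:
        --no-pager)  nopager=yes ;;
        *)           prog=${prog:-${tok##*/}} ;;       # basename of the command
      esac
    done
    case "$PAGER_CMDS" in
      *" $prog "*) [ "$noexec" = yes ] || [ "$nopager" = yes ] || verdict=RISKY ;;
    esac
  done
  echo "$verdict"
}

# Constructed sample rules: the thread's rule, two hardened forms, two others.
for r in \
  'alice ALL=(root) /usr/bin/journalctl -n5 -u whatever.service' \
  'alice ALL=(root) NOEXEC: /usr/bin/journalctl -n5 -u whatever.service' \
  'alice ALL=(root) /usr/bin/journalctl --no-pager -n5 -u whatever.service' \
  'bob ALL=(root) /usr/bin/man sudoers' \
  'carol ALL=(root) NOPASSWD: /usr/bin/systemctl restart whatever.service'
do
  printf '%s\t%s\n' "$(audit_sudoers_rule "$r")" "$r"
done
```

Run it against the output of `sudo -l` or the lines of an exported sudoers file to find rules that hand a pager to an unprivileged caller.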