code/privilege-escalation/linux/binary/privesc-agetty.yaml

id: privesc-agetty

info:
  name: agetty - Privilege Escalation
  author: bobakabill
  severity: high
  description: |
    The agetty command in Linux is used to invoke the /bin/login command for a given user. If the SUID bit is set, it can be used to gain a high-privilege s>
  reference:
    - https://gtfobins.github.io/gtfobins/agetty/
  metadata:
    verified: true
    max-request: 2
  tags: code,linux,find,privesc,local

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
     find /bin /sbin /usr/bin /usr/sbin /usr/local/sbin -type f -name agetty 2>/dev/null -perm /4000
     find /bin /sbin /usr/bin /usr/sbin /usr/local/sbin -type f -name agetty 2>/dev/null -perm /6000

    matchers:
      - type: word
        words:
          - "agetty"
# digest: 4b0a00483046022100996929fcb6fe3e9d31e7a3166a54a1f08b2c301c1297b1be8b64c03439e0163e022100db37a14dc4a3b8d526219634231a408a6692216f32d2b4a2eba5a4a6f416de52:922c64590222798bb761d5b6d8e72950
Create privesc-agetty.yaml Added template to detect potential privesc with agetty binary by checking for SUID bit. Would have used similar method to other privesc checks, but popping a shell and passing a command felt like the wrong way to go about it. 2024-07-25 17:20:21 -04:00			`id: privesc-agetty`

			`info:`
			`name: agetty - Privilege Escalation`
			`author: bobakabill`
			`severity: high`
			`description: \|`
			`The agetty command in Linux is used to invoke the /bin/login command for a given user. If the SUID bit is set, it can be used to gain a high-privilege s>`
			`reference:`
			`- https://gtfobins.github.io/gtfobins/agetty/`
			`metadata:`
			`verified: true`
Update privesc-agetty.yaml 2025-01-10 16:23:49 +05:30			`max-request: 2`
Create privesc-agetty.yaml Added template to detect potential privesc with agetty binary by checking for SUID bit. Would have used similar method to other privesc checks, but popping a shell and passing a command felt like the wrong way to go about it. 2024-07-25 17:20:21 -04:00			`tags: code,linux,find,privesc,local`

			`self-contained: true`
			`code:`
			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
Update privesc-agetty.yaml 2025-01-10 16:23:49 +05:30			`find /bin /sbin /usr/bin /usr/sbin /usr/local/sbin -type f -name agetty 2>/dev/null -perm /4000`
			`find /bin /sbin /usr/bin /usr/sbin /usr/local/sbin -type f -name agetty 2>/dev/null -perm /6000`
Create privesc-agetty.yaml Added template to detect potential privesc with agetty binary by checking for SUID bit. Would have used similar method to other privesc checks, but popping a shell and passing a command felt like the wrong way to go about it. 2024-07-25 17:20:21 -04:00
			`matchers:`
			`- type: word`
			`words:`
Update privesc-agetty.yaml 2025-01-10 16:23:49 +05:30			`- "agetty"`
chore: sign templates 🤖 2025-01-13 07:44:36 +00:00			`# digest: 4b0a00483046022100996929fcb6fe3e9d31e7a3166a54a1f08b2c301c1297b1be8b64c03439e0163e022100db37a14dc4a3b8d526219634231a408a6692216f32d2b4a2eba5a4a6f416de52:922c64590222798bb761d5b6d8e72950`