
Terminal size matters, hackers get root in unusual way - Iwillgetby
The command usr/bin/sudo /usr/bin/journalctl -n5 -u whatever.service prints out the log and exits. But we can't exploit it because journalctl exits right after printing. Our aim is to launch a shell from within the journalctl command. Journalctl uses the less command by default to view the log. So we have to find a way to prevent the command from exiting. The trick can be found in the journalctl man page.

    man journalctl | grep width -B 1 -A 2

        The output is paged through less by default, and long lines are "truncated" to screen width.
        The hidden part can be viewed by using the left-arrow and right-arrow
        keys. Paging can be disabled; see the --no-pager option and the "Environment" section below.

So if we run this command in a small resized window, it won't exit after printing the log and then we can spawn a shell as root user.
======
Iwillgetby
Original source can be found easily online. Link not included because this
comes from an online CTF that discourages spoilers.

------
lfdominguez
Hmm, that's a less "problem": less is software that allows executing programs
with the ! command, but it is not a systemd problem; with man you can get the same
behavior. The problem is the sysadmin that allows executing that program with
sudo.

------
Someone
I don't understand. If you can run

    usr/bin/sudo /usr/bin/journalctl

, what stops you from running

    usr/bin/sudo /usr/bin/bash

instead?

~~~
a_bored_husky
Some users can have permission to execute specific commands through sudo.

~~~
JdeBP
Of course, when one can just add the user account to the systemd-journal
group, it is questionable why one would grant access via sudo.
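Following lfdominguez's point that the real problem is the sudo rule, and JdeBP's suggestion of the systemd-journal group instead of sudo, here is an added example (not from the thread or any of its commenters) that audits a sudoers fragment for rules handing a pager to the user, next to a hardened rule that passes --no-pager. The fragment, user names and service name are constructed.

```shell
# Constructed sudoers fragment (not from the thread): one rule of the shape the
# thread describes, one direct grant of a pager-driven program, and a hardened rule.
SAMPLE_SUDOERS='Defaults env_reset
# Weak: journalctl pages through less, and less can run commands with its ! command
alice ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -u whatever.service
# Weak: a pager-driven program granted directly (man behaves the same way)
carol ALL=(root) NOPASSWD: /usr/bin/man
# Hardened: pager disabled; sudoers matches the argument list exactly, so the
# user cannot drop --no-pager or append arguments
bob ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -u whatever.service
'

# find_pager_rules SUDOERS_TEXT
# Prints every non-comment rule that grants journalctl (without --no-pager),
# less or man. Exit status 0 when at least one such rule exists, 1 otherwise.
find_pager_rules() {
    printf '%s\n' "$1" \
    | grep -v '^[[:space:]]*#' \
    | grep -E '(^|[[:space:]/])(journalctl|less|man)([[:space:]]|$)' \
    | grep -v -- '--no-pager'
}

# count_pager_rules SUDOERS_TEXT
# Prints the number of rules find_pager_rules would report (0 when none).
count_pager_rules() {
    find_pager_rules "$1" | awk 'END { print NR }'
}

# Stand-alone run: report the rules that need attention.
echo "Rules that hand a pager to sudo users:"
find_pager_rules "$SAMPLE_SUDOERS"
```

On a real host the same functions can be pointed at the output of `sudo cat /etc/sudoers /etc/sudoers.d/*`; where read access to the journal is all that is needed, membership in the systemd-journal group removes the sudo rule entirely.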

------
zzo38computer
The pager should not automatically be executed. If the user uses a pipe then
you can use that way instead, rather than putting everything in one program;
it works better for the reason explained.

