Hacktricks Doas Portable Access
grep -i log /etc/doas.conf # If missing, logs go to syslog by default, but admins may disable it.
Examples:
which doas
ls -l /usr/bin/doas
The doas utility proves that reducing code complexity reduces bugs, but it does not eliminate administrator foolishness. The HackTricks methodology for doas is brutally simple:
Only root should be able to read this file to prevent regular users from seeing configuration secrets.
If you have stumbled upon a machine during a penetration test and found a doas.conf file instead of sudoers, you are in for a treat. The doas utility (originally from OpenBSD) is designed to be smaller, cleaner, and safer. But "safer" does not mean "unbreakable."
If the script runs ls, it will find your malicious ls in /tmp first and execute it as root.
If doas is called with unsanitized user input in a script.
Or Python bypass:
The most obvious win. If the configuration allows a user to execute a shell or a writable binary without a password, the game is over.
