Doas Privilege Escalation

doas executes arbitrary commands as another user. It's similar to sudo command. doas.conf is interesting to privilege escalation.

Investigation

First of all, search location of doas.conf.

find / -type f -name "doas.conf" 2>/dev/null

Next check the configuration.

doas -C /path/to/doas.conf
doas -C /etc/doas.conf
# or
cat /etc/doas.conf

Execute doas as below.

doas -u root <command> <arg>

Please also refer to GTFOBins to PrivEsc.