# CVE-2025-27591-Below
## 📌 Description
This is a **proof-of-concept (PoC)** exploit for **CVE-2025-27591**, a local privilege escalation vulnerability in the `below` system monitor tool.
The issue arises from unsafe handling of log files (`/var/log/below/error_root.log`) when executed with elevated privileges. By abusing this, an attacker can perform a **symlink attack** and inject a malicious user into `/etc/passwd`, effectively granting root access.
## ⚙️ Affected
- **Binary**: `/usr/bin/below`
- **Requires**: `sudo` permission to run `below record`
- **Tested on**: HTB machine (specific name withheld)
## 🔧 Exploit Steps
1. **Delete** the target log file (if it exists)
2. **Create a symlink**: `/var/log/below/error_root.log → /etc/passwd`
3. **Run the vulnerable command**: `sudo /usr/bin/below record`
4. **Append a root-level user** to `/etc/passwd`
5. **Verify** the user was created
6. **Spawn a root shell** as the injected user
## 🚀 Exploitation Steps
1. **Clone this repository**
```bash
git clone https://github.com/Thekin-ctrl/CVE-2025-27591-Below.git
cd CVE-2025-27591-Below
python3 Exploit.py
## 🙏 Credits
This exploit was inspired by an earlier proof-of-concept by BridgerAlderson, available here:
- https://github.com/BridgerAlderson/CVE-2025-27591-PoC.git
The current version is a simplified and adapted version written by me for educational and practice purposes.
[4.0K] /data/pocs/2796fb38068c14eb74bb1b8cd3b2f91e9c379109
├── [1.5K] Exploit.py
└── [1.4K] README.md
0 directories, 2 files