Share
## https://sploitus.com/exploit?id=2CF4F040-CBEB-5175-B1C6-B7535DD6C035
### Exploit for CVE-2025-27591
For educational purposes only

Built for HTB machine "Outbound"

### How does CVE-2025-27591 work?
CVE-2025-27591 is a local privilege escalation vulnerability for the Service *Below* in versions prior to 0.9.0.

The service creates a world-writable directory at `/var/log/below` while running with root privileges. When interacting with the Log-File `/var/log/below/error_root.log`
the service checks if the file has `666` permissions. If not, the permissions are getting changed to `666`. Since the directory is world-writable, the user can delete the file `error_root.log` and replace it with a symlink pointing to `/etc/passwd`.
The next time the service tries to interact with `error_root.log` it will instead interact with the symlink pointing to `/etc/passwd`, changing its permissions to `666`. Now `/etc/passwd` is writable by unprivileged users and the root line can be replaced with `root::0:0:root:/root:/bin/bash`, making it possible to change to root without needing a password