Copy the cookie into the browser again and shortly you should receive a connection to your netcat listener.
Privilege Escalation
Get autocomplete
Victim
python3 -c 'import pty;pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
CVE-2021-3560 is, fortunately, a very easy vulnerability to exploit if the conditions are right. The vuln is effectively a race condition in the policy toolkit (polkit) authentication system.
Effectively, we need to send a custom dbus message to the accounts-daemon, and kill it approximately halfway through execution (after it gets received by polkit, but before polkit has a chance to verify that it's legitimate -- or, not, in this case).
We will be trying to create a new account called "attacker" with sudo privileges. Before we do so, let's check to see if an account with this name already exists:
Victim
apt list --upgradeable
This attempts to create our new account, and times how long it takes for the command to finish. On the target machine this should be about 11 milliseconds. It took us 13 milliseconds.
We now need to take the same dbus message, send it, then cut it off at about halfway through execution. 5 milliseconds tends to work fairly well for this box.
Note: you may need to repeat this a few times with different delays before the account is created.
There is already a TryHackMe room which covers this vulnerability in much more depth, so please complete that before continuing if you haven't already done so, as we will not cover the "behind the scenes" of the vuln in nearly as much depth here.
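From the defender's side, the apt list --upgradeable command shown above is also a quick way to see whether a host still has polkit or accountsservice updates waiting. The following is an added example, not part of the original writeup: it filters that command's output down to those packages. The watched package names assume Debian/Ubuntu naming, and the sample output with its suite names and version numbers is constructed.

```shell
#!/bin/sh
# Added example: report pending upgrades for polkit / accountsservice
# packages from `apt list --upgradeable` output read on stdin.

# Packages to watch (assumption: Debian/Ubuntu package naming).
WATCH_RE='^(policykit-1|libpolkit-[a-z]+-1-0|accountsservice|libaccountsservice0)$'

pending_polkit_upgrades() {
    awk -v re="$WATCH_RE" '
        # Package lines look like:
        #   name/suite[,suite] NEWVER ARCH [upgradable from: OLDVER]
        index($1, "/") && /\[upgradable from: / {
            split($1, id, "/")
            if (id[1] !~ re) next          # not a package we care about
            old = $NF; sub(/\]$/, "", old) # strip the closing bracket
            printf "%s %s -> %s\n", id[1], old, $2
        }'
}

# Constructed sample of `apt list --upgradeable` output (placeholder versions).
sample_apt_output() {
    cat <<'EOF'
Listing... Done
accountsservice/example-updates 2.0-2 amd64 [upgradable from: 2.0-1]
curl/example-updates 9.9-2 amd64 [upgradable from: 9.9-1]
policykit-1/example-updates,example-security 1.0-2 amd64 [upgradable from: 1.0-1]
EOF
}

# Demo on the constructed sample. On a real host:
#   apt list --upgradeable 2>/dev/null | pending_polkit_upgrades
sample_apt_output | pending_polkit_upgrades
```

Any line it prints is a package to patch first; no output means apt has no pending update for the watched packages, which still needs checking against the distribution's advisory for the fixed version.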