Dbus-1.0 Exploit ✓

busctl list This returns a list of unique IDs (like :1.123 ) and well-known names (like org.freedesktop.NetworkManager ).

Next time you land a low-privilege shell on a Linux machine, don’t run linpeas immediately. Instead, run busctl list and ask yourself: Which of these services trusts me more than it should? The answer might just be your golden ticket. Disclaimer: This article is for educational purposes only. Always obtain explicit permission before testing any system. dbus-1.0 exploit

To see who can talk to a service, inspect its policy: busctl list This returns a list of unique IDs (like :1

# Craft a method call to a method that normally requires admin # but is mis-policy'd: "SetProperty" on the adapter to force discoverable msg = Message( destination='org.bluez', path='/org/bluez/hci0', interface='org.freedesktop.DBus.Properties', member='Set', signature='ssv', body=['org.bluez.Adapter1', 'Discoverable', Variant('b', True)] ) The answer might just be your golden ticket

busctl --system tree org.bluez We find /org/bluez/hci0/dev_XX_XX_XX_XX_XX_XX – a connected device.

If the service does: sprintf(command, "rsync -av %s %s:/backup/", source_path, dest_host) An attacker sends: source_path = "/etc/shadow; id" (type STRING ) and dest_host = "localhost" .