mongo --host localhost --port 27017
show dbs;
use backup;
show collections;
user
db.user.find()
locate suid files :
Exploiting pkexec suid
Open another terminal to start the required session
echo $$ in Linux prints the process ID (PID) of the current shell
Breakdown :
The initial SSH session as the webdeveloper account encounters an authentication failure with pkexec, resulting in the "No session for cookie" error.
By opening a new SSH session as the webdeveloper account in a separate terminal window, you establish a fresh authentication session.
In the second terminal, the echo $$ command retrieves the Process ID (PID) of the new SSH session. The PID uniquely identifies this session.
Using the pkttyagent command in the second terminal with the -p option and the PID obtained in the previous step, you associate the new SSH session with the PolicyKit authentication agent.
Going back to the first terminal, the pkexec /bin/bash command is executed again. This time, the new authentication session with the associated agent allows successful authentication using the webdeveloper password provided in the second terminal.
As a result, the pkexec command runs successfully, granting root access to the user in the first terminal, and the root flag can be accessed.
Ymir : in my understanding, because polkit run in graphical. which our machine dont have. so it will need pkttyagent where second machine will act like it.
webdeveloper@sky:~$/usr/bin/pkexec /bin/bash
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/bash' as the super user
Authenticating as: webdeveloper
Password:
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized