Priv Escalation
CVE-2021-4034 sudo version
Following the steps the GitHub has, I transferred the PwnKit binary to the machine and ran it; then I was able to get root.
[pablo@sybaris tmp]$ chmod +x PwnKit
chmod +x PwnKit
[pablo@sybaris tmp]$ ./PwnKit 'id'
./PwnKit 'id'
uid=0(root) gid=0(root) groups=0(root),1000(pablo)
Shared Object Hijacking
The second privilege escalation is slightly harder. It requires us to exploit the utils.so shared object, which the log-sweeper binary needs but cannot find; log-sweeper runs as root every minute.
Running log-sweeper, we can see that utils.so is missing.
Since we have write access to /usr/local/lib/dev, we can place our shared object there, and since that directory is in LD_LIBRARY_PATH, the system will try to find utils.so inside /usr/local/lib/dev.
Creating the C file which we will compile into a shared object
Compiling the C file into a .so file
Great, now we have created a shared object which will give us a reverse shell as soon as it is executed, and placed it in a path where the system will look for and execute it. Now I monitored the processes with pspy64 and waited for a minute or so; eventually the crontab runs and I get a root-level shell.
Monitoring the processes and seeing my reverse shell getting executed
r00t
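A defender-side check for the condition described above, as an added example that is not part of the original writeup: it parses a crontab for LD_LIBRARY_PATH, flags search directories a non-root user can write to, and lists libraries that ldd reports as not found. The crontab and ldd samples are constructed, /path/to/log-sweeper is a placeholder, and the function names are hypothetical.

```python
import os
import re
import stat

# Constructed samples: the page does not show the crontab or the ldd output.
# /path/to/log-sweeper is a placeholder; only /usr/local/lib/dev is from the page.
SAMPLE_CRONTAB = """\
LD_LIBRARY_PATH=/usr/lib:/usr/lib64:/usr/local/lib/dev
* * * * * root /path/to/log-sweeper
"""
SAMPLE_LDD = "\tutils.so => not found\n\tlibc.so.6 => /lib64/libc.so.6 (0x00007f3c1e200000)\n"

def library_dirs(crontab_text):
    """Directories named by LD_LIBRARY_PATH assignments in a crontab."""
    dirs = []
    for m in re.finditer(r"^[ \t]*LD_LIBRARY_PATH[ \t]*=[ \t]*(.*)$", crontab_text, re.M):
        value = m.group(1).strip().strip("\"'")
        if value:  # an entirely empty value adds no search directories
            # An empty entry between colons means the current directory.
            dirs += [d or "." for d in value.split(":")]
    return dirs

def writable_by_untrusted(path, trusted_uids=frozenset({0})):
    """Reasons a non-root user could plant a file in `path` (empty list if none)."""
    try:
        st = os.stat(path)
    except OSError:
        return []  # nonexistent entries are skipped in this example
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append(f"owner uid {st.st_uid}")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append(f"group-writable (gid {st.st_gid})")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def missing_libraries(ldd_output):
    """Library names that ldd reports as 'not found'."""
    return re.findall(r"^[ \t]*(\S+)[ \t]*=>[ \t]*not found", ldd_output, re.M)

def audit(crontab_text, ldd_output, trusted_uids=frozenset({0})):
    """Unresolved libraries plus search directories an untrusted user can write."""
    risky = {d: r for d in library_dirs(crontab_text)
             if (r := writable_by_untrusted(d, trusted_uids))}
    return {"missing_libs": missing_libraries(ldd_output), "risky_dirs": risky}

if __name__ == "__main__":
    print(audit(SAMPLE_CRONTAB, SAMPLE_LDD))
```

A root-run binary with an unresolved library and a non-empty `risky_dirs` result is the combination to fix: remove the directory from the search path or make it root-owned and not writable by others.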