Priv Escalation


Last updated 2 years ago

CVE-2021-4034 sudo version

Following the steps in the GitHub repository, I transferred the PwnKit binary to the machine and ran it, and I was able to get root.

[pablo@sybaris tmp]$ chmod +x PwnKit
chmod +x PwnKit
[pablo@sybaris tmp]$ ./PwnKit 'id'
./PwnKit 'id'
uid=0(root) gid=0(root) groups=0(root),1000(pablo)

Shared Object Hijacking

The second privilege escalation is slightly harder. It requires us to exploit the utils.so shared object, which the log-sweeper binary needs but which is missing; log-sweeper runs as root every minute.

Running log-sweeper, we can see that utils.so is missing.

Since we have write access to /usr/local/lib/dev, we can place our shared object there. Because that directory is in LD_LIBRARY_PATH, the system will look for utils.so inside /usr/local/lib/dev.

Compiling the C file into a .so file

Great, now we have created a shared object which will give us a reverse shell as soon as it is executed, and placed it in a path where the system will look for it and execute it. I then monitored the processes with pspy64 and waited for a minute or so; eventually the crontab runs and I get a root-level shell.

r00t

Creating the C file which we will compile into a shared object

Monitoring the processes and seeing my reverse shell getting executed
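
A defensive check for the condition this section relies on, as an added example that is not part of the original writeup: it flags entries of a library search path (for instance the LD_LIBRARY_PATH a root cron job runs with) where a non-root user could plant a library. It assumes GNU stat; TRUSTED_UID and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): flag library search directories
# that someone other than a trusted uid can write to. Assumes GNU stat(1).
# TRUSTED_UID and all function names are hypothetical; default trusted uid is 0.

# Succeeds when directory $1 is not owned by uid $2, or is group/world-writable.
loosely_owned() {
    owner=$(stat -c '%u' "$1" 2>/dev/null) || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$owner" = "$2" ] || return 0
    [ $(( 0$mode & 022 )) -ne 0 ]
}

# Print one RISK line for search-path entry $1 if a library could be planted there.
check_dir() {
    dir=$1
    trusted=${TRUSTED_UID:-0}
    case $dir in
        "") echo "RISK <empty>: loader searches the current directory"; return 0 ;;
        /*) ;;
        *)  echo "RISK $dir: relative entry, depends on the current directory"; return 0 ;;
    esac
    if [ ! -d "$dir" ]; then
        # A missing directory can be created by whoever can write to its parent.
        parent=$(dirname "$dir")
        if [ -d "$parent" ] && loosely_owned "$parent" "$trusted"; then
            echo "RISK $dir: missing, and parent $parent is writable by others"
        fi
        return 0
    fi
    if loosely_owned "$dir" "$trusted"; then
        echo "RISK $dir: writable by users other than uid $trusted"
    fi
    return 0
}

# Audit a colon-separated list such as the LD_LIBRARY_PATH a root cron job runs with.
audit_lib_path() {
    [ -n "$1" ] || return 0
    list="$1:"                      # trailing ':' preserves a final empty entry
    old_ifs=$IFS; IFS=:
    set -f; set -- $list; set +f    # split on ':' without globbing
    IFS=$old_ifs
    for entry in "$@"; do check_dir "$entry"; done
}

# Stand-alone use: audit the path passed as $1, else the current LD_LIBRARY_PATH.
audit_lib_path "${1:-${LD_LIBRARY_PATH:-}}"
```

Group-writable directories are reported conservatively, even when the group currently has no unprivileged members.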

GitHub - ly4k/PwnKit: Self-contained exploit for CVE-2021-4034 - Pkexec Local Privilege Escalation