Priv Escalation

CVE 2021-4034 sudo version

GitHub - ly4k/PwnKit: Self-contained exploit for CVE-2021-4034 - Pkexec Local Privilege EscalationGitHub

Following the steps the github has I transferred the PwnKit binary to the machine and ran it, then I was able to get root.

[pablo@sybaris tmp]$ chmod +x PwnKit
chmod +x PwnKit
[pablo@sybaris tmp]$ ./PwnKit 'id'
./PwnKit 'id'
uid=0(root) gid=0(root) groups=0(root),1000(pablo)

Shared Object Hijacking

The second Privilege Escalation is slightly harder. It requires us to exploit the utils.so shared object which is missing within the log-sweeper binary, which runs as root every minute.

Running log-sweeper we can see utils.so is missing.

Since we have write access to /usr/local/lib/dev we can place our shared object there and since it is inside the LD_LIBRARY_PATH the system will try to find utils.so inside of /usr/local/lib/dev.

creating the c file which we will compile into a Shared Object

compiling the c file into a .so file

Great, now we have created a shared object which will give us a reverse shell as soon as executed and placed it in a path where the system will look for and execute it. Now i monitored the processes with pspy64 and waited for a minute or so, eventually the crontab runs and i get a root level shell.

monitoring the processes and seeing my reverse shell getting executed

r00t