In this post, I would like to share a walkthrough of the Pwnkit room from Tryhackme.
If you want to play this room, you can click over here
Introduction to CVE-2021-4034 (pwnkit)
The vulnerability lies in pkexec, the setuid-root helper that ships with the Policy Toolkit (Polkit) package. Every version of pkexec since it was first released in 2009 is affected.
Why is it dangerous?
Any unprivileged local user on an affected machine can exploit it to gain full root (administrative) privileges; nothing beyond a local shell is required.
Polkit is installed by default on most mainstream Linux distributions, so the vulnerable binary is present on a very large number of systems worldwide.
It is therefore a Local Privilege Escalation (LPE) that affects virtually every mainstream Linux distribution.
Exploitation
First, we access the machine over SSH with the provided credentials.
The exploit can be found in the pwnkit folder.
It is a C source file that we compile and run to escalate our privileges.
We compile it with gcc and name the output binary whatever we like.
For example: gcc cve-2021-4034-poc.c -o darknite
Next, we run the compiled binary, and it gives us a root shell.
As a result, we get a root shell, as shown in the screenshot above.
For a nicer interface, we can run the command "bash -i", which at least gives us a proper interactive shell.
As usual, we move into the /root directory so that we can read the root flag.
Finally, we submit the root flag on the Tryhackme platform to complete the room.
Remediation of the pwnkit vulnerability
There are several ways to fix the vulnerability, but I will show one: remove the setuid bit from pkexec by running the command "sudo chmod 755 `which pkexec`". Keep in mind that this is a stopgap: without the setuid bit, pkexec can no longer elevate privileges for legitimate use either, so the proper fix is to update the polkit package to a patched version.
After that, the exploit can no longer be run successfully on the Linux machine.
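The exploit above only works while pkexec is setuid root, and the chmod mitigation works precisely by clearing that bit. The following script is an added example (not code from the Tryhackme room or the original post) that checks a binary for the setuid bit, applies the same chmod 755 fix and reports the result, so you can confirm the precondition before exploiting and confirm the remediation afterwards. The function names are this example's own; it uses only POSIX test -u and chmod, so it runs on any sh.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough.
# Reports whether a binary carries the setuid bit (the precondition that
# pwnkit / CVE-2021-4034 needs on pkexec) and applies the chmod 755
# mitigation described in the post. Function names are assumptions of
# this example, not anything from the room or from polkit.

# Print "setuid" if the file has the setuid bit, "no-setuid" otherwise.
# POSIX `test -u` reads the mode bit directly, so no GNU stat is needed.
setuid_state() {
    if [ -u "$1" ]; then
        echo "setuid"
    else
        echo "no-setuid"
    fi
}

# Apply the mitigation from the post: clear setuid and leave rwxr-xr-x,
# then report the new state so the change can be verified in one step.
# Note: this also stops legitimate privilege elevation through pkexec;
# updating to a patched polkit package is the real fix.
remove_setuid() {
    chmod 755 "$1" && setuid_state "$1"
}

# Inspect the real pkexec on this host, if there is one. Always returns 0
# so the script is safe to run under `set -e` even when pkexec is absent.
check_pkexec() {
    target=$(command -v pkexec 2>/dev/null || :)
    if [ -z "$target" ]; then
        echo "pkexec: not installed on this host"
    else
        echo "$target: $(setuid_state "$target")"
    fi
}

# Stand-alone usage: report the state of pkexec without changing it.
# To apply the fix on a real host, run `sudo sh -c '. ./this.sh; remove_setuid "$(command -v pkexec)"'`.
check_pkexec
```

Before patching, a vulnerable host prints something like "/usr/bin/pkexec: setuid"; after the chmod it prints "no-setuid", which is the same state the post's remediation command leaves behind. The exploit needs the setuid bit to land in a root shell, so "no-setuid" is the condition to look for when verifying the fix.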