In this post, I would like to share a walkthrough of the Pwnkit from Tryhackme

If you want to play this room, you can click over here

Introduction to CVE-2021-4043 (pwnkit)

Those vulnerabilities have been discovered within all versions of Policy Toolkit or also known as Polkit package. It has been released around 2009.

Why it’s dangerous to all?

The victim’s device will allow any unprivileged access to attacker where they can easily gain access of full administrative all Linux machines that affected.

However, the polkit has been normally installed by default with mostly all Linux. As a result, it has been spread all around the world.

As others should be aware, it can be considered as a Local Privilege Escalation that will affect all mainstream Linux systems around the world virtually.

Exploitation

Firstly, we need to access the machine via ssh service with the provided credentials.

The exploit can be found within the pwnkit folder.

There’s a C programming file that we can use to compile and exploit for further escalation.

We are required to compile it using the gcc command and save it as any file we like.

For example, gcc cve-2021-4034-poc.c -o darknite

Next, we should be able to use that compiled file to execute where it will give us a root shell.

As a result, we are getting a root shell-like shown within the screenshot above.

For us to get a nice shell interface, we can run the command “bash -i” which will give us a proper shell at least.

As usual, we need to access the root directory so that we can able to read the root flag.

Finally, we can submit the root flag on Tryhackme platform so that we can complete the room.

Remedition of the pwnkit vulnerability

There are a lot of methods to fix the vulnerability but i will show you one method which you need to execute the command “sudo chmod 755 `which pkexec`

The next thing we know, the exploit cannot be executed anymore on the Linux machine

Leave a Reply

Your email address will not be published.