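Trying out a local privilege escalation vulnerability to see what event log entries it leaves.
pkexec allows an authorized user to execute a program as another user. If no username is specified, the program is executed as the administrative superuser, root.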
https://linux.die.net/man/1/pkexec
Command on the local host
Run the whoami command as root
training@training-virtual-machine:~/Desktop$ pkexec --user root whoami
root
Local host log: /var/log/auth.log
After the "successfully authenticated" entry, a root session is opened and the command is executed.
Oct 8 20:46:34 training-virtual-machine polkitd(authority=local): Operator of unix-session:3 successfully authenticated as unix-user:training to gain ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:4044:240538 [bash] (owned by unix-user:training)
Oct 8 20:46:34 training-virtual-machine pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=1000)
Oct 8 20:46:34 training-virtual-machine pkexec[4398]: training: Executing command [USER=root] [TTY=/dev/pts/1] [CWD=/home/training/Desktop] [COMMAND=/usr/bin/whoami]
Using the CVE-2021-4034 vulnerability - pkexec local privilege escalation
https://github.com/ly4k/PwnKit
Command on the local host
training@training-virtual-machine:~/Desktop$ ./PwnKit
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
Local host log: /var/log/auth.log
There is no "successfully authenticated" entry, and a "SHELL variable was not found" error message appears.
Oct 8 20:10:01 training-virtual-machine pkexec[4107]: training: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/1] [CWD=/home/training/Desktop] [COMMAND=GCONV_PATH=./.pkexec PATH=GCONV_PATH=. CHARSET=pkexec SHELL=pkexec]
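A detection sketch for the difference between the two log excerpts above, added here as an example and not part of the original post. It parses pkexec entries from auth.log and flags the SHELL error and a GCONV_PATH assignment in the COMMAND field, then notes whether a polkitd authentication preceded the entry. The function name scan, the reason labels and the 5-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input: the pkexec/polkitd lines from this page's two auth.log excerpts,
# put in chronological order.
SAMPLE_LOG = """\
Oct 8 20:10:01 training-virtual-machine pkexec[4107]: training: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/1] [CWD=/home/training/Desktop] [COMMAND=GCONV_PATH=./.pkexec PATH=GCONV_PATH=. CHARSET=pkexec SHELL=pkexec]
Oct 8 20:46:34 training-virtual-machine polkitd(authority=local): Operator of unix-session:3 successfully authenticated as unix-user:training to gain ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:4044:240538 [bash] (owned by unix-user:training)
Oct 8 20:46:34 training-virtual-machine pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=1000)
Oct 8 20:46:34 training-virtual-machine pkexec[4398]: training: Executing command [USER=root] [TTY=/dev/pts/1] [CWD=/home/training/Desktop] [COMMAND=/usr/bin/whoami]
"""

HEAD = r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
AUTH_RE = re.compile(HEAD + r"polkitd\(authority=local\):.*successfully authenticated")
PKEXEC_RE = re.compile(HEAD + r"pkexec\[(?P<pid>\d+)\]:\s(?P<caller>[^:]+):\s"
                       r"(?P<msg>[^\[]*?)\s*(?P<fields>\[.*\])\s*$")
FIELD_RE = re.compile(r"\[(\w+)=(.*?)\](?=\s\[|\s*$)")  # [KEY=VALUE] pairs

def parse_ts(ts):
    # syslog timestamps carry no year; a fixed placeholder year keeps them comparable
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")

def scan(lines, window=timedelta(seconds=5)):
    """Return one dict per pkexec entry matching the anomalies seen on this page."""
    last_auth, findings = {}, []
    for line in lines:
        if m := AUTH_RE.match(line):
            last_auth[m["host"]] = parse_ts(m["ts"])
            continue
        if not (m := PKEXEC_RE.match(line)):
            continue
        fields = dict(FIELD_RE.findall(m["fields"]))
        reasons = []
        if "SHELL variable was not found" in m["msg"]:
            reasons.append("shell-not-in-etc-shells")
        if "GCONV_PATH=" in fields.get("COMMAND", ""):
            reasons.append("gconv-path-in-command")
        if not reasons:
            continue
        # Corroboration only: policy can allow pkexec without a prompt.
        auth = last_auth.get(m["host"])
        if auth is None or not timedelta(0) <= parse_ts(m["ts"]) - auth <= window:
            reasons.append("no-preceding-polkit-auth")
        findings.append({"time": m["ts"], "pid": int(m["pid"]),
                         "caller": m["caller"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f)
```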
Analysis of the CVE-2021-4034 pkexec local privilege escalation exploit
https://www.anquanke.com/post/id/267774