# Pwnkit: CVE-2021-4034

{% embed url="<https://tryhackme.com/room/pwnkit>" %}
<https://tryhackme.com/room/pwnkit>
{% endembed %}

| Room Attributes       | Value                                                                  |
| --------------------- | ---------------------------------------------------------------------- |
| Subscription Required | <mark style="color:green;background-color:green;">False</mark> \[Free] |
| Type                  | Walkthrough                                                            |
| Difficulty            | <mark style="color:blue;background-color:blue;">Info</mark>            |
| Tags                  | Polkit, Pwnkit, Linux, CVE-2021-4034                                   |

## Task 1 - <mark style="color:green;background-color:green;">Info</mark> Introduction and Deploy!

### Deploy the machine by clicking on the green "Deploy" button at the top of this task!

{% hint style="success" %}
No answer needed
{% endhint %}

## Task 2 - <mark style="color:purple;background-color:purple;">Tutorial</mark> Background

### Is Pwnkit exploitable remotely (Aye/Nay)?

<details>

<summary>Reveal Flag <span data-gb-custom-inline data-tag="emoji" data-code="1f6a9">🚩</span></summary>

:triangular\_flag\_on\_post:`Nay`

</details>

### In which Polkit utility does the Pwnkit vulnerability reside?

<details>

<summary>Reveal Flag <span data-gb-custom-inline data-tag="emoji" data-code="1f6a9">🚩</span></summary>

:triangular\_flag\_on\_post:`pkexec`

</details>

## Task 3 - Practical Exploitation

### Read through the `cve-2021-4034-poc.c` file and try to understand how it works. See if you can match this up with the [Qualys security advisory](https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt) and the explanation given in the previous task!

{% hint style="success" %}
No answer needed
{% endhint %}

### Exploit the vulnerability! What is the flag located at `/root/flag.txt`?

<details>

<summary>Reveal Flag <span data-gb-custom-inline data-tag="emoji" data-code="1f6a9">🚩</span></summary>

:triangular\_flag\_on\_post:`THM{CONGRATULATIONS-YOU-EXPLOITED-PWNKIT}`

</details>

### **\[Bonus Question — Optional]** Using the [Qualys advisory](https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt) and the [repository](https://github.com/arthepsy/CVE-2021-4034) linked in the task, try to write your own version of the Pwnkit exploit.

{% hint style="success" %}
No answer needed
{% endhint %}

## Task 4 - <mark style="color:purple;background-color:purple;">Tutorial</mark> Remediations

### Read the remediations task

{% hint style="success" %}
No answer needed
{% endhint %}

### Patch the vulnerability on any Linux devices that you manage!

{% hint style="success" %}
No answer needed
{% endhint %}

## Task 5 - <mark style="color:green;background-color:green;">Info</mark> Conclusion

### I understand and can use Pwnkit!

{% hint style="success" %}
No answer needed
{% endhint %}


