♨️Kernel Exploits

Introduction

The kernel is a component of the operating system that forms the core and has complete control over everything that happens in the system. Therefore, exploiting a kernel vulnerability will almost always result in a complete system compromise.

Kernel exploits target a specific version of the kernel or operating system and are typically executed locally on the target computer to elevate privileges to root.

Identifying OS & Kernel Information

The first step is to enumerate the current operating system and kernel information, so that known vulnerabilities affecting that exact version can be looked up.

Manual enumeration

The following command can be used to manually enumerate kernel info:

uname -a ; lsb_release -a; cat /proc/version /etc/issue /etc/*-release; hostnamectl | grep Kernel

Or simply:

uname -a

Automated enumeration

Automated enumeration scripts such as LinPEAS can be used to enumerate operating system and kernel information as well.

Finding Available Kernel Exploits

The next step is to find out if there are known vulnerabilities affecting the kernel version used by the machine.

Manual Enumeration

SearchSploit can be used to find kernel vulnerabilities. The syntax is as follows:

searchsploit linux kernel x.x.x.x

Alternatively, a web search for the kernel version followed by the word "exploits" will turn up public results.

Automated enumeration

The Linux Exploit Suggester script can be used on the target machine to identify available kernel exploits for the detected version.
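As an added example (not part of the original page or of any tool named above), the version matching that the two enumeration steps do by hand, written in Python: it parses `uname -r` and `/proc/version` output into the upstream kernel version plus the distribution's build number, compares only the upstream part against the release that carries a fix, and flags distribution kernels separately, because vendors backport fixes without changing the upstream version, which is why version-based exploit suggesters produce false positives. The sample release strings and the fix release `4.4.40` are constructed for illustration; the real fix release comes from the relevant advisory.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed samples in the shape of `uname -r` output (not taken from any real host).
SAMPLE_RELEASES = ["4.4.0-31-generic",        # Ubuntu style: upstream 4.4.0, distro build 31
                   "3.10.0-1160.el7.x86_64",  # RHEL style: old upstream base, heavy backports
                   "4.8.3"]                   # vanilla kernel.org build, no distro suffix

# Verdicts returned by triage(); CHECK_VENDOR is the backport caveat.
FIXED = "upstream version is at or past the fix release"
VULNERABLE = "vanilla kernel predates the fix release: treat as vulnerable until patched"
CHECK_VENDOR = "upstream base predates the fix but this is a distribution build: check the vendor advisory"

# major.minor[.patch][-build]<tail>; a numeric build only exists on distribution kernels.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?(.*)$")

@dataclass(frozen=True)
class KernelRelease:
    upstream: Tuple[int, int, int]  # kernel.org version the build is based on
    distro_build: Optional[int]     # 31 in "4.4.0-31-generic", None for vanilla
    suffix: str                     # flavour/arch tail such as "-generic" or ".el7.x86_64"

def parse_release(release: str) -> KernelRelease:
    """Split a `uname -r` string into upstream version, distribution build and suffix."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, build, suffix = m.groups()
    return KernelRelease((int(major), int(minor), int(patch or 0)),
                         int(build) if build is not None else None, suffix)

def parse_proc_version(text: str) -> KernelRelease:
    """Pull the release token out of a /proc/version line ("Linux version <release> ...")."""
    m = re.match(r"Linux version (\S+)", text)
    if not m:
        raise ValueError("not a /proc/version line")
    return parse_release(m.group(1))

def triage(release: str, fixed_upstream: str) -> str:
    """Compare a host's release with the upstream release that carries the fix. Only the
    upstream tuple is compared: a distro build number says nothing about backports."""
    host, fix = parse_release(release), parse_release(fixed_upstream)
    if host.upstream >= fix.upstream:
        return FIXED
    return CHECK_VENDOR if host.distro_build is not None else VULNERABLE

if __name__ == "__main__":  # '4.4.40' is a constructed fix release; take the real one from the advisory
    for rel in SAMPLE_RELEASES:
        print(f"{rel:24} -> {triage(rel, '4.4.40')}")
```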

Compiling an Exploit

A kernel exploit should always be compiled on the target machine if it has GCC or another compiler installed, as a binary built against the target's own libc and architecture is more likely to run without problems.

The exploit can be compiled with GCC using the following command:

gcc exploit_name.c -o exploit_name

Example with the Dirty COW exploit:

From user to root with a simple script ;)

If the target does not have GCC installed, the exploit can be compiled on the attacker machine instead. Check the target's architecture first (it is part of the uname -a output above) and pass the matching flag to GCC:

For 64-bit targets (x86-64):

gcc -m64 hello.c -o exploit

For 32-bit targets (x86):

gcc -m32 hello.c -o exploit

Executing Kernel Exploits

Once proper enumeration steps have been conducted and a suitable exploit has been identified and compiled where necessary, it is time to execute it and attempt to elevate privileges to root.

Manual Exploitation

Once the exploit has been transferred to the victim machine (for example with wget or curl), it has to be made executable. This can be done with the following command:

chmod +x exploit

Transfer a file using HTTP to your victim

On the Victim (Receiving) Machine:

  1. Open a terminal on the victim machine.

  2. Navigate to the directory where you want to save the received file.

  3. Start a simple HTTP server:

python3 -m http.server 8000

Replace 8000 with any available port number.

On the Attacker (Sending) Machine:

Assuming you have a file named example.txt in the current directory, you can use curl or wget to upload it to the victim:

Using curl:

curl -T example.txt http://victim-ip:8000/

Replace victim-ip with the IP address or hostname of the victim, and 8000 with the port number you chose.

Using wget:

wget --method=PUT --body-file=example.txt http://victim-ip:8000/

Again, replace victim-ip with the IP address or hostname of the victim, and 8000 with the port number.

Please note:

  • This method uses HTTP, and the file transfer is not encrypted. If security is a concern, consider using HTTPS or other secure methods.

  • Make sure that the firewall on the victim machine allows incoming connections on the chosen port.

  • The standard library http.server module only implements GET and HEAD; a PUT request, which is what curl -T and wget --method=PUT send, is answered with 501 Unsupported method. For an upload in this direction a server that handles PUT is required; the more common pattern is the reverse, serving the file from the attacker machine and downloading it on the target with wget or curl, as described above.

  • After the file transfer is complete, the Python HTTP server on the victim can be stopped by pressing Ctrl+C in the terminal where it's running.
