♨️Kernel Exploits
Introduction
The kernel is a component of the operating system that forms the core and has complete control over everything that happens in the system. Therefore, exploiting a kernel vulnerability will almost always result in a complete system compromise.
Kernel exploits affect a specific version of the kernel or operating system and are typically executed locally on the target computer to elevate privileges to root.
More information:
Identifying OS & Kernel Information
The first step is to enumerate current operating system and kernel information to find all available kernel vulnerabilities.
Manual enumeration
The following command can be used to manually enumerate kernel information:
Or, more simply:
Automated enumeration
Automated enumeration scripts such as LinPEAS can be used to enumerate operating system and kernel information as well:
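The same kernel and OS facts are what a defender inventories for patch management, so as an added example (not part of the original page) here is a small POSIX shell script that parses os-release, normalises a kernel release string, and flags a host whose running kernel is older than the newest kernel installed in /boot, i.e. an update that has not been applied by a reboot. Assumptions: awk is available; the input in the demo calls is constructed, real hosts would feed /etc/os-release, uname -r and the vmlinuz-* names from /boot.

```bash
#!/bin/sh
# Inventory helper: OS id/version, kernel base version, and running-vs-installed check.

# Print "<ID> <VERSION_ID>" from os-release text read on stdin (quotes stripped).
osrelease_summary() {
    awk -F= '
        $1 == "ID"         { id = $2 }
        $1 == "VERSION_ID" { ver = $2 }
        END { gsub(/"/, "", id); gsub(/"/, "", ver); printf "%s %s\n", id, ver }'
}

# Strip the distro suffix from a kernel release: 5.15.0-91-generic -> 5.15.0
kernel_base() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+(\.[0-9]+)?).*/\1/'
}

# Return 0 when $1 is older than $2, comparing every numeric run in order
# (so 5.15.0-91 sorts before 5.15.0-100); return 1 when equal or newer.
version_older() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1 }'
}

# $1 = running release (uname -r); stdin = installed releases, one per line
# (e.g. ls /boot | sed -n 's/^vmlinuz-//p'). Prints a summary and returns 1
# when the newest installed kernel is newer than the running one.
check_running_vs_installed() {
    running=$1; newest=""
    while IFS= read -r k; do
        [ -n "$k" ] || continue
        if [ -z "$newest" ] || version_older "$newest" "$k"; then newest=$k; fi
    done
    if version_older "$running" "$newest"; then
        printf 'running=%s newest_installed=%s REBOOT-NEEDED\n' "$running" "$newest"
        return 1
    fi
    printf 'running=%s newest_installed=%s OK\n' "$running" "$newest"
}

# Constructed demo input (not from a real host):
printf 'NAME="Ubuntu"\nID=ubuntu\nVERSION_ID="22.04"\n' | osrelease_summary
printf '5.15.0-91-generic\n5.15.0-100-generic\n' | check_running_vs_installed 5.15.0-91-generic
```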
Finding Available Kernel Exploits
The next step is to find out if there are known vulnerabilities affecting the kernel version used by the machine.
Manual Enumeration
SearchSploit can be used to find kernel vulnerabilities. The syntax is as follows:
Alternatively, search the web for your kernel version followed by the word "exploits":
Automated enumeration
The Linux Exploit Suggester script can be run on the target machine to identify kernel exploits that may apply:
Compiling an Exploit
A kernel exploit should be compiled on the target machine whenever it has GCC or another compiler installed, as a binary built there is more likely to run without library or version problems.
The exploit can be compiled with GCC using the following command:
Example with the Dirty COW exploit:
From user to root with a simple script ;)
If the machine does not have GCC installed, the exploit can be compiled on the attacker machine instead. Check the target's architecture first, then use the following syntax:
For 64-bit:
For 32-bit:
Executing Kernel Exploits
Once proper enumeration steps have been conducted and a suitable exploit has been identified and compiled where necessary, it is time to execute it and attempt to elevate privileges to root.
Manual Exploitation
Once the exploit has been transferred to the victim machine using a tool such as wget or curl, its permissions have to be changed to make it executable. This can be done with the following command:
Transfer a file using HTTP to your victim
On the Victim (Receiving) Machine:
Open a terminal on the victim machine.
Navigate to the directory where you want to save the received file.
Start a simple HTTP server:
Replace 8000 with any available port number.
On the Attacker (Sending) Machine:
Assuming you have a file named example.txt in the current directory, you can use curl or wget to upload it to the victim:
Using curl:
Replace victim-ip with the IP address or hostname of the victim, and 8000 with the port number you chose.
Using wget:
Again, replace victim-ip with the IP address or hostname of the victim, and 8000 with the port number.
Please note:
This method uses HTTP, and the file transfer is not encrypted. If security is a concern, consider using HTTPS or other secure methods.
Make sure that the firewall on the victim machine allows incoming connections on the chosen port.
After the file transfer is complete, the Python HTTP server on the victim can be stopped by pressing Ctrl+C in the terminal where it's running.