Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Kernel Exploits

Introduction

The kernel is a component of the operating system that sits at the core of it, it has complete control over everything that occurs in the system. Because of this, exploiting vulnerabilities in the kernel will pretty much always result in a full system compromise.

Kernel exploits affect a certain version of a kernel or operating system and they are generally executed locally on the target machine in order to escalate privileges to root.

Identifying OS & Kernel Information

The first step required is to enumerate the current operating system and kernel information, in order to find any available kernel exploits.

Manual enumeration

The following command can be used to manually enumerate kernel info:

uname -a ; lsb_release -a; cat /proc/version /etc/issue /etc/*-release; hostnamectl | grep Kernel

Example below in Ubuntu:

As seen from the example above, the current system is running Ubuntu and is using the Linux 5.8.0-38-generic kernel.

Automated enumeration

Automated enumeration scripts such as LinPEAS can be used to enumerate operating system and kernel information as well:

Finding Available Kernel Exploits

The next step is to find out whether there are any known exploits available that affect the kernel version used by the machine.

Manual Enumeration

SearchSploit can be used to find kernel exploits, the syntax is as follows:

searchsploit linux kernel x.x.x.x; searchsploit [OS name & version]

They can then be mirrored with SearchSploit using the following syntax:

searchsploit -m path/to/exploit/xxxx.c

Example below:

A simple Google search can often do the job:

Automated enumeration

The Linux Exploit Suggester script can be used on the target machine to identify available Kernel Exploits

The Linux Exploit Suggester – Next Generation (NES-NG) is a more modern implementation of the above script.

Additionally, the Exploit Suggester Metasploit module can be used to carry out this task, by selecting the module, setting the session and running it:

Compiling the Exploit

If the machine has GCC or other installed, Kernel exploits should always be compiled on the target machine, as it is more likely to run without issues.

The following command can be used to compile exploits with GCC:

gcc exploit.c -o exploit

An example is displayed below:

If the machine does not have GCC installed, it can be compiled on the attacker machine, taking note of the system architecture first, using the following syntax:

For x64 bit:

gcc -m64 hello.c -o exploit

For x32 bit:

gcc -m32 hello.c -o exploit

Executing Kernel Exploits

Once proper enumeration steps have been conducted and a suitable exploit has been identified and compiled where necessary, it is time to execute it and attempt to elevate privileges to root.

Manual Exploitation

Once the exploit has been transferred to the victim machine, using tools such as wget or curl, its permissions have to be changed to make it executable. This can be done with the following command:

chmod +x exploit

Example below:

Once the proper permissions are allocated, it can be simply executed:

Automated Exploitation

There are often Metasploit modules available that will allow to escalate privileges by exploiting known kernel exploit.

These can be used by selecting the exploit and setting the options:

  • session to specify the meterpreter session to run the exploit against
  • payload to specify the payload type, in this case the Linux reverse TCP shell
  • LHOST to specify the local host IP address to connect to
  • LPORT to specify the local port to connect to

In this case, the Metasploit counterpart of the same exploit did not work.

Conclusion

Although Kernel Exploits are often an easy way to root, they should be the last resort when conducting a penetration test, as some of them have a risk of breaking the machine and a fair number of them will only run once.