Linux Privilege Escalation – Kernel Exploits
Introduction
The kernel is a component of the operating system that sits at the core of it, it has complete control over everything that occurs in the system. Because of this, exploiting vulnerabilities in the kernel will pretty much always result in a full system compromise.
Kernel exploits affect a certain version of a kernel or operating system and they are generally executed locally on the target machine in order to escalate privileges to root.
Identifying OS & Kernel Information
The first step required is to enumerate the current operating system and kernel information, in order to find any available kernel exploits.
Manual enumeration
The following command can be used to manually enumerate kernel info:
uname -a ; lsb_release -a; cat /proc/version /etc/issue /etc/*-release; hostnamectl | grep Kernel
Example below in Ubuntu:
As seen from the example above, the current system is running Ubuntu and is using the Linux 5.8.0-38-generic kernel.
Automated enumeration
Automated enumeration scripts such as LinPEAS can be used to enumerate operating system and kernel information as well:
Finding Available Kernel Exploits
The next step is to find out whether there are any known exploits available that affect the kernel version used by the machine.
Manual Enumeration
SearchSploit can be used to find kernel exploits, the syntax is as follows:
searchsploit linux kernel x.x.x.x; searchsploit [OS name & version]
They can then be mirrored with SearchSploit using the following syntax:
searchsploit -m path/to/exploit/xxxx.c
Example below:
A simple Google search can often do the job:
Automated enumeration
The Linux Exploit Suggester script can be used on the target machine to identify available Kernel Exploits
The Linux Exploit Suggester – Next Generation (NES-NG) is a more modern implementation of the above script.
Additionally, the Exploit Suggester Metasploit module can be used to carry out this task, by selecting the module, setting the session and running it:
Compiling the Exploit
If the machine has GCC or other installed, Kernel exploits should always be compiled on the target machine, as it is more likely to run without issues.
The following command can be used to compile exploits with GCC:
gcc exploit.c -o exploit
An example is displayed below:
If the machine does not have GCC installed, it can be compiled on the attacker machine, taking note of the system architecture first, using the following syntax:
For x64 bit:
gcc -m64 hello.c -o exploit
For x32 bit:
gcc -m32 hello.c -o exploit
Executing Kernel Exploits
Once proper enumeration steps have been conducted and a suitable exploit has been identified and compiled where necessary, it is time to execute it and attempt to elevate privileges to root.
Manual Exploitation
Once the exploit has been transferred to the victim machine, using tools such as wget or curl, its permissions have to be changed to make it executable. This can be done with the following command:
chmod +x exploit
Example below:
Once the proper permissions are allocated, it can be simply executed:
Automated Exploitation
There are often Metasploit modules available that will allow to escalate privileges by exploiting known kernel exploit.
These can be used by selecting the exploit and setting the options:
- session to specify the meterpreter session to run the exploit against
- payload to specify the payload type, in this case the Linux reverse TCP shell
- LHOST to specify the local host IP address to connect to
- LPORT to specify the local port to connect to
In this case, the Metasploit counterpart of the same exploit did not work.
Conclusion
Although Kernel Exploits are often an easy way to root, they should be the last resort when conducting a penetration test, as some of them have a risk of breaking the machine and a fair number of them will only run once.