# Intro

- Kernel-level exploits are known for multiple Linux kernel versions
- These leverage vulns in the kernel to execute code with root privs
- One well-known example is [Dirty COW](https://github.com/dirtycow/dirtycow.github.io) (CVE-2016-5195)

# Kernel and Distro Version Enum

- Issue the below command to view details on the Linux distro version

```bash
cat /etc/lsb-release
```

- Simply issue the below to discover the kernel version, then Google it (`uname -s` only prints the kernel name, `uname -r` prints the release)

```bash
uname -r
```

- Assuming we are running on Linux Kernel 4.4.0-116, after a quick search we find [this](https://vulners.com/zdt/1337DAY-ID-30003) exploit PoC

# Exploit Linux Kernel 4.4.0-116

- Use `wget` or the like to pull down the above PoC
- Then compile the exploit and make it executable

```bash
gcc kernel_exploit.c -o kernel_exploit && chmod +x kernel_exploit
```

- Execute the exploit and check perms

```bash
./kernel_exploit
whoami
root
```

---

# Exercise

- `ping` test
  ![[images/Pasted image 20260210194603.png]]
- same VM as last section
- `ssh` into target box with the given creds
- light internal enum
  ![[images/Pasted image 20260210194548.png]]
- enum kernel and distro version
  ![[images/Pasted image 20260210194630.png]]
- search for an exploit PoC for Linux kernel version 4.15.0-76 and Ubuntu 18.04.6 > CVE-2021-3493
  ![[images/Pasted image 20260210195303.png]]
- `wget` exploit on Kali
  ![[images/Pasted image 20260210195411.png]]
- compile exploit > hella errors
  ![[images/Pasted image 20260210195536.png]]
- try a different PoC
  ![[images/Pasted image 20260210195720.png]]
- compile `exploit.c` > no errors
  ![[images/Pasted image 20260210195740.png]]
- move to target box
  ![[images/Pasted image 20260210195912.png]]
  ![[images/Pasted image 20260210195926.png]]
- make `exploit` executable and run > library error
  ![[images/Pasted image 20260210200034.png]]
- we need to use a custom `glibc` during compilation before we can run the exploit successfully
  ![[images/Pasted image 20260210200530.png]]

## Fix to `glibc` mismatch between target and Kali box

1. Create the `.c` file on the target and compile there
2. Spin up a Docker container on Kali with a version of Alpine or Ubuntu that natively includes `glibc ver 2.34`
   - Ubuntu version 21.10 (Impish Indri) shipped with `glibc ver 2.34`

```bash
docker pull ubuntu:impish
docker run -it -v /path/on/host:/path/in/container ubuntu:impish
```

OR, use `docker compose`:

```yaml
version: '3.8'
services:
  impish:
    image: ubuntu:impish
    volumes:
      - ./my-data:/data
    command: /bin/bash
```
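The version enum section above reads `uname -r` and `/etc/lsb-release` by hand for one box. The same two facts are what a defender needs across a whole fleet to find hosts still running a kernel older than a patched release. The script below is an added example, not part of the original notes: it parses Ubuntu-style kernel release strings (`4.15.0-76-generic`) into comparable tuples, parses `lsb-release`/`os-release` key-value text, and reports hosts below a minimum release. The host records, the `MINIMUM_PATCHED` threshold and the distro text are constructed sample values, not real fix versions.

```python
"""Check a fleet's kernel releases against a minimum patched release.

Added example. The host list and MINIMUM_PATCHED below are constructed
placeholders for illustration, not real patch-level data.
"""
import re
from dataclasses import dataclass

# Ubuntu kernel releases look like "4.15.0-76-generic":
# upstream major.minor.patch, an optional distro ABI build number, an optional flavour.
_KERNEL_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:-(?P<abi>\d+))?(?:-(?P<flavour>[A-Za-z0-9-]+))?$"
)


@dataclass(frozen=True)
class KernelVersion:
    major: int
    minor: int
    patch: int
    abi: int  # 0 when the release string carries no distro ABI number

    def as_tuple(self):
        return (self.major, self.minor, self.patch, self.abi)

    def __lt__(self, other):
        return self.as_tuple() < other.as_tuple()


def parse_kernel_release(release: str) -> KernelVersion:
    """Parse `uname -r` output such as "4.4.0-116-generic"."""
    m = _KERNEL_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return KernelVersion(int(m["major"]), int(m["minor"]), int(m["patch"]),
                         int(m["abi"] or 0))


def parse_os_release(text: str) -> dict:
    """Parse /etc/lsb-release or /etc/os-release style KEY=VALUE lines."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        info[key.strip()] = value.strip().strip('"')
    return info


def kernel_below(release: str, minimum: str) -> bool:
    """True when `release` is older than the `minimum` patched release."""
    return parse_kernel_release(release) < parse_kernel_release(minimum)


def audit_hosts(hosts, minimum):
    """Return (host, kernel, distro description) for hosts below `minimum`."""
    findings = []
    for name, uname_r, release_text in hosts:
        if kernel_below(uname_r, minimum):
            distro = parse_os_release(release_text)
            desc = distro.get("PRETTY_NAME") or distro.get("DISTRIB_DESCRIPTION", "?")
            findings.append((name, uname_r, desc))
    return findings


# Constructed sample inventory: (hostname, `uname -r`, contents of /etc/lsb-release).
SAMPLE_HOSTS = [
    ("web01", "4.15.0-76-generic",
     'DISTRIB_ID=Ubuntu\nDISTRIB_RELEASE=18.04\nDISTRIB_DESCRIPTION="Ubuntu 18.04.6 LTS"\n'),
    ("build02", "5.4.0-150-generic",
     'DISTRIB_ID=Ubuntu\nDISTRIB_RELEASE=20.04\nDISTRIB_DESCRIPTION="Ubuntu 20.04 LTS (constructed)"\n'),
]

# Placeholder threshold for the demo; substitute the vendor's actual fixed release.
MINIMUM_PATCHED = "4.15.0-200-generic"

if __name__ == "__main__":
    for host, kernel, desc in audit_hosts(SAMPLE_HOSTS, MINIMUM_PATCHED):
        print(f"{host}: {kernel} ({desc}) is below {MINIMUM_PATCHED}")
```

Comparison is on the `(major, minor, patch, abi)` tuple, so `4.15.0-76` sorts below `4.15.0-200` even though a plain string compare would put `-76` after `-200`; the flavour suffix is parsed but ignored because it does not affect the patch level.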