As I continue to learn penetration testing with different labs and scenarios, my exploit research of Linux Kernels usually returns a hit for Dirty Cow. So, I thought I would take the time to learn this exploit and share my notes.
Scenario:
I had recently obtained a shell with another Linux vulnerability. However, I needed to escalate privileges in order to pwn the system.
Performing some quick information gathering and enumeration, I was able to obtain the Linux OS and Kernel versions.
Research:
Opening up a browser and searching exploits for the Kernel version, I stumbled upon the site of https://dirtycow.ninja.
This site was very helpful and contained multiple scripts stored on GitHub. Based on my own humor, the FireFart link caught my eye. So, I clicked on the link and performed a quick copy of the code.
Exploit:
Returning to my Kali system, I opened Gedit and pasted the code into a new file called dirty.c. Next, I compiled the code based on the recommendations provided within the comments of the code.
Note: the following link provided a quick tutorial on how to customize dirty.c https://www.youtube.com/watch?v=0BHFT8YkApI
As stated earlier, I already had a shell and I used it to upload the newly compiled dirty script to the target system.
Once the script was on the target, I dropped into an OS shell and changed the dirty script permissions to execute.
At this point, I launched dirty and pressed the Enter/Return key to create a null password when prompted.
Note: depending on the system’s resources, the script may take several minutes prior to completing.
Once the script completed, I issued the su firefart command. However, I received a terminal error.
Performing a little research, it turned out that I needed a true terminal session in order for the script to successfully launch. So, I used Python to spawn a bash shell.
Once again, I issued the su firefart command and this time I was successful.
To validate that I had elevated privileges, I issued the whoami and id commands.
And for grins, I decided to read the /etc/shadow file and store the contents for later use.
Cleanup:
To return the system to its original state, I simply issued the mv command to restore the backup copy of the passwd file. Once restored, I exited out of the shell, with elevated privileges, and then tried to elevate privileges again. This time it failed, as expected.
Note: I was able to re-exploit the system after the cleanup process was completed.
References:
Dirty Cow (2016) http://dirtycow.ninja
FireFart and g0tmi1k (2017) https://github.com/FireFart/dirtycow/blob/master/dirty.c
Yahya 1337 (2017) https://www.youtube.com/watch?v=0BHFT8YkApI
Disclaimer:
This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.
Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.
Information within this article is “as is”, without warranty of any sort.
