Category: Linux Privilege Escalation

Posted on by

Dirty Cow vulnerability: Beginners guide

Hello, aspiring ethical hackers. This blogpost is a beginner’s guide to Dirty COW vulnerability. Assigned CVEID, CVE-2016-5195, this vulnerability affects Linux kernel version 2.6.21 since 2007. To exploit this vulnerability, the hackers need to first gain initial access on the target system.

What is this Dirty COW vulnerability?

Dirty COW is a Linux privilege escalation vulnerability which is caused due to a race condition in the way the Linux kernel handled copy-on-write functions. The name Dirty COW came from this Copy-On-Write (COW). By exploiting this vulnerability, an unprivileged user can gain access to the read-only memory mapping subsequently elevating their privileges on the system.

Which kernels are vulnerable?

All the Linux kernels from versions 2.x to 4.x before 4.8.7 are vulnerable to this Dirty COW vulnerability. Let’s demonstrate this vulnerability on a Ubuntu 12 system. To exploit this vulnerability, the hackers need to first gain initial access on the target system.

Download this exploit from Github and extract its contents. It is a C program as shown below.

Compile this code using inbuilt GCC compiler in Ubuntu system. This exploit creates a new user named ‘firefart’ with root privileges on the target system by writing to the /etc/passwd file. Usually, creating an user with root privileges in not possible for low privileged users on Linux systems. But this is a privilege escalation vulnerability.

Now, let’s execute the exploit as shown below. It will prompt you to create a new password for the new user “firefart” it is creating.

Login as the newly created user to see if the exploit was successful in exploiting the vulnerability and creating the news user “firefart”.

As you can see, a new user named “firefart” has been created on the target system with root privileges.

Posted on by

Linux privilege escalation with SUID binaries

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about various methods of Linux privilege escalation. In this article, you will learn in detail how to elevate privileges on Linux using SUID binaries.

What is SUID?

SUID is a shortcut for Set User ID. This is a special permission that can be assigned to Linux executables. When a SUID permission is assigned to a executable or binary, it runs with the privileges of the file’s owner when executed, rather than the user who executed it. For example, when a user with root privileges assigns SUID permission to a Linux binary and a user with low privileges executes that binary, it runs with root privileges and not with privileges of that user with low privileges.

This can be exploited to gain a root shell or perform actions with root privileges on the target Linux system. With the concept of SUID understood, let’s see how binaries with this bit set can be found. One way to find them is by using find command as shown below.

find / -perm -u=s -type f 2>/dev/null
setuid privilege escalation


Here are some examples of gaining root privileges by exploiting Linux binaries with SUID bit set.

1. bash

2. csh

3. env

4. nice

5. node

6. setarch

7. stdbuf

8. strace

9. taskset

10. tclsh

11. time

12. timeout

13. unshared

14. xargs

15. php

16. expect

17. find

18. python

19. flock

20. gdb

21. ionice

22. logsave

23. make

These are some examples of Linux privilege escalation by exploiting SETUID bit. Next, learn how to elevate privileges on a Linux system using cron jobs.

Posted on by

Linux privilege escalation using cron Jobs

Hello, aspiring ethical hackers. In our previous blogpost, you learnt in detail about Linux privilege escalation. In this article, you will learn how to exploit cron jobs in Linux to elevate privileges on a Linux system.

What are cron jobs?

Cron is a job scheduler in Unix like operating systems like Linux and macOS. It allows users to schedule commands or scripts to run automatically at specific intervals or at fixed times and dates. These scheduled tasks are called as “cron jobs”. 

They are similar to Task Scheduler in Windows. For example, you have a Linux server and want to clean cache regularly once a day. You can do this manually everyday or schedule a job to do this daily without your intervention. Here’s where cron jobs assist you. You can assign a job in cron. Sometimes these jobs are assigned with root privileges and these can be exploited to gain root privileges. Let’s see it practically.

For this article, we will be using a Linux target system on which we already gained a shell. Then I run the PE.sh or Linux exploit suggester script on this system to find ways to elevate privileges. As I scroll down the output of our PE.sh file, we can see our target has some cron jobs set.

linux privilege escalation with cron jobs

As you can see in the above images, we can set cron jobs monthly, daily or hourly. But our job here is to not schedule cron jobs. It is to exploit them. As we scroll down further, we can see the format of a cron job.

In the above image, you can see the exact format of a cron job. It is minutes first, followed by hours, day of month, month and day of week. We can see a cron job named /opt/new_year.sh that is scheduled to run at the 00:00 time of first day of the first month of every year. That is the occasion of New Year.

But what does * * * * * mean? It means these cron jobs are scheduled to run every minute of every hour of every day of the week (i.e daily) every month. That typically means these jobs run each and every minute. The important thing to notice here is that all these jobs are running as user “root”.

Let’s manipulate one of these scripts. Let’s say /opt/my_script.sh. We have a SETUID bit set on “dash” shell, one of the shells installed on the target system. This can be seen in the image below.

For this article, we will remove the SETUID bit set on the binary using cron jobs. Let’s edit the my_script.sh file with a command given below.

chmod u-s /bin/dash

What this command does is, it will remove the SETUID bit set on the binary. Wait for one minute and check the /bin/dash command.

As you can see in the above image, the SETUID bit on the binary is now gone. Not just that, we can add new users on the target system using cron hobs as shown below.

That’s how cron jobs can be exploited for linux privilege escalation. Next, learn how to exploit SETUID bits to elevate privileges on a Linux system.