Home

Day 13 - Coal for Christmas

Date: 13, December, 2020

Author: Dhilip Sanjay S

Kernel Exploits

  • Dirty COW (Copy-On-Write) - CVE-2016-5195

    • A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.

    • An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

  • Dirty COW - C code

    • To get password input using C: getpass("<Prompt message>") in <unistd.h> header.

Solutions

What old, deprecated protocol and service is running?

  • Answer: Telnet

What credential was left for you?

  • Answer: clauschristmas

  • Steps to Reproduce: telnet <MACHINE_IP> <PORT_FROM_NMAP_SCAN>

What distribution of Linux and version number is this server running?

  • Answer: Ubuntu 12.04

  • Steps to Reproduce: cat /etc/*release

Who got here first?

  • Answer: grinch

  • Steps to Reproduce: cat cookies_and_milk.txt

What is the verbatim syntax you can use to compile, taken from the real C source code comments?

  • Answer: gcc -pthread dirty.c -o dirty -lcrypt

What "new" username was created, with the default operations of the real C source code?

  • Answer: firefart

What is the MD5 hash output?

  • Answer: 8b16f00dd3b51efadb02c1df7f8427cc

  • Steps to Reproduce:

    firefart@christmas:/home/santa# cd /root
firefart@christmas:~# touch coal
firefart@christmas:~# tree
.
|-- christmas.sh
|-- coal
`-- message_from_the_grinch.txt

0 directories, 3 files
firefart@christmas:~# tree | md5sum
8b16f00dd3b51efadb02c1df7f8427cc
PreviousDay 12 - Ready, set, elfNextDay 14 - Where's Rudolph?

Last updated