Kernel Enumeration

Intermediate · 25 min · Writeup

Identifying kernel version and finding exploits

Learning Objectives

  • Identify kernel version
  • Find kernel exploits
  • Use searchsploit
  • Evaluate exploit reliability

Kernel exploits target vulnerabilities in the Linux kernel itself. They're the "nuclear option" - if successful, you get root regardless of any other security controls. But they're risky and should be a last resort.

Think of kernel exploits like hacking the building's foundation. You bypass all the locks, guards, and cameras by exploiting a flaw in the very structure everything sits on. Powerful, but you might also bring down the whole building.

System Stability Risk

Kernel exploits can crash the system (a kernel oops or panic). In CTFs, this loses your shell. In real engagements, it can take a production host down and will show up in logs and monitoring. Always try other methods first (sudo, SUID, cron, etc.) before attempting kernel exploits.

Gathering Kernel Information

bash
# Kernel version (most important): upstream version plus the distro package revision
uname -r
# Example: 4.15.0-142-generic  (upstream 4.15.0, Ubuntu revision 142)

uname -a
# Full system info including architecture
# Linux victim 4.15.0-142-generic #146-Ubuntu SMP x86_64 GNU/Linux

# Distribution info
cat /etc/os-release
cat /etc/issue
cat /etc/*-release

# Architecture
uname -m
# x86_64 or i686 (32-bit)
arch

# Kernel configuration (if available; /boot is often root-only)
cat /boot/config-$(uname -r) 2>/dev/null | grep -i security
cat /proc/version

# Loaded kernel modules
lsmod
cat /proc/modules

# What you need to note:
# 1. Exact kernel version string (e.g., 4.15.0-142-generic), revision included
# 2. Architecture (x86_64 vs i686)
# 3. Distribution (Ubuntu, CentOS, etc.)
# 4. Distribution version (18.04, 20.04, etc.)

Version Precision

Kernel exploits are version-specific, and distributions backport fixes into their own builds without changing the upstream number. 4.15.0-142 might be vulnerable while 4.15.0-143 carries the fix, so "4.15.0" on its own tells you little. Record the EXACT version string, together with the distribution and its release.

Searching for Exploits

Searchsploit

bash
# On your Kali/attack machine (searchsploit matches exploit titles, so vary the terms):
searchsploit linux kernel 4.15
searchsploit linux kernel ubuntu 18.04
searchsploit linux kernel privilege escalation

# Copy (mirror) exploit to current directory
searchsploit -m linux/local/45010.c

# View exploit source
searchsploit -x linux/local/45010.c

# Example results:
# Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (cron Method) | linux/local/47165.c
# Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation | linux/local/40847.cpp

# Filter for specific architecture (only helps when the title mentions it)
searchsploit linux kernel 4.15 x86_64

Linux Exploit Suggester

bash
# Linux Exploit Suggester 2 (Perl) - fetch on your attack machine, then transfer to the target
wget https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl
perl linux-exploit-suggester-2.pl

# Linux Exploit Suggester (Shell)
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh

# Example output:
# [+] [CVE-2021-4034] PwnKit
#    Exposure: probable
#    CVE: CVE-2021-4034
#    Tags: ubuntu=10.04{...},ubuntu=22.04
#    Download URL: https://...

# Focus on:
# - "probable" or "highly probable" exposure
# - Matching distribution tags (LES matches on version strings and cannot see
#   distro backports, so treat its output as leads, not confirmation)
# - CVEs newer than the target's last visible update (more likely to be unpatched)
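# - Recent CVEs">
On a real box linux-exploit-suggester prints dozens of findings, most of them "less probable" or for another distribution. The helper below is an added example (not part of linux-exploit-suggester or of this page) that keeps only the findings with "probable"/"highly probable" exposure whose Tags line names the target's distribution and release. It assumes LES's block layout (a `[+] [CVE-...] name` header followed by indented `Exposure:` and `Tags:` lines); the sample output it runs on is constructed for the example, with placeholder URLs.

```bash
#!/usr/bin/env bash
# Added example: triage linux-exploit-suggester output for one target.
# Assumes the LES block format: "[+] [CVE-YYYY-NNNN] name" then indented
# "Exposure:" and "Tags:" lines. Tags look like ubuntu=16.04|18.04,
# ubuntu=(20.04|21.04), ubuntu=18 (major only), debian=11{kernel:5.10.0-*}
# or a bare distro name; {kernel:...} notes and grouping brackets are dropped.

# triage_les DISTRO RELEASE < les_output
# Prints "exposure<TAB>CVE<TAB>name", "highly probable" entries first.
triage_les() {
    awk -v distro="$1" -v release="$2" '
        BEGIN { distro = tolower(distro) }
        function major(r) { sub(/\..*/, "", r); return r }
        function tags_match(tags,   n, parts, j, d, vers, m, vs, k) {
            gsub(/\{[^}]*\}/, "", tags)               # drop {kernel:...} annotations
            gsub(/[()]/, "", tags); gsub(/\[/, "", tags); gsub(/\]/, "", tags); gsub(/ /, "", tags)
            n = split(tags, parts, ",")
            for (j = 1; j <= n; j++) {
                d = parts[j]; vers = ""
                if (index(d, "=")) { vers = substr(d, index(d, "=") + 1); d = substr(d, 1, index(d, "=") - 1) }
                if (tolower(d) != distro) continue
                if (vers == "") return 1              # distro listed without a release
                m = split(vers, vs, "|")
                for (k = 1; k <= m; k++)
                    if (vs[k] == release || vs[k] == major(release)) return 1
            }
            return 0
        }
        function flush() {                            # emit the finding collected so far
            if (cve != "" && (exposure == "probable" || exposure == "highly probable")) {
                if (tags == "" || tags_match(tags))
                    printf "%d\t%s\t%s\t%s\n", (exposure == "highly probable" ? 0 : 1), exposure, cve, name
            }
            cve = name = exposure = tags = ""
        }
        substr($0, 1, 5) == "[+] [" {                 # header line starts a new finding
            flush()
            rest = substr($0, 6); p = index(rest, "]")
            cve = substr(rest, 1, p - 1)
            name = substr(rest, p + 1); sub(/^ +/, "", name)
            next
        }
        /^[ \t]*Exposure:/ { exposure = $0; sub(/^[ \t]*Exposure:[ \t]*/, "", exposure) }
        /^[ \t]*Tags:/     { tags = $0;     sub(/^[ \t]*Tags:[ \t]*/, "", tags) }
        END { flush() }
    ' | sort -n | cut -f2-
}

# Constructed sample in LES's layout (not real LES output; URLs are placeholders).
SAMPLE_LES_OUTPUT='
[+] [CVE-2022-0847] DirtyPipe

   Details: https://example.invalid/dirtypipe
   Exposure: highly probable
   Tags: ubuntu=(20.04|21.04),debian=11
   Download URL: https://example.invalid/dirtypipez.c

[+] [CVE-2021-4034] PwnKit

   Details: https://example.invalid/pwnkit
   Exposure: probable
   Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://example.invalid/CVE-2021-4034.zip

[+] [CVE-2016-5195] dirtycow

   Details: https://example.invalid/dirtycow
   Exposure: less probable
   Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic}
   Download URL: https://example.invalid/40611

[+] [CVE-2021-3493] overlayfs

   Details: https://example.invalid/overlayfs
   Exposure: probable
   Tags: ubuntu=20.04{kernel:5.8.0-*},ubuntu=18.04{kernel:5.4.0-*}
   Download URL: https://example.invalid/CVE-2021-3493.zip
'

# Demo: what an Ubuntu 20.04 target would keep from the sample.
printf '%s\n' "$SAMPLE_LES_OUTPUT" | triage_les ubuntu 20.04
```

Against real output, feed the saved LES report and take the distro and release from `/etc/os-release`: `. /etc/os-release; triage_les "$ID" "$VERSION_ID" < les.txt`. A surviving line is still only a version-string match; the distro's security tracker for the installed kernel package decides whether the fix was backported.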

Online Resources

Kernel Exploit Resources:
├── ExploitDB (exploit-db.com)
│   └── Search: "linux kernel [version] local privilege escalation"
├── GitHub
│   └── Search: "CVE-[year]-[number] linux"
├── Google
│   └── "linux kernel 4.15.0 privilege escalation exploit"
└── CVE Details (cvedetails.com)
    └── Search kernel CVEs by version

Popular Kernel Exploit Collections:
├── https://github.com/lucyoa/kernel-exploits
├── https://github.com/SecWiki/linux-kernel-exploits
└── https://github.com/bcoles/kernel-exploits

Famous Kernel CVEs

High-Profile Kernel Exploits:
├── DirtyCow (CVE-2016-5195)
│   └── Linux 2.6.22 - 4.8.2, race condition in copy-on-write handling (written through /proc/self/mem)
├── DirtyPipe (CVE-2022-0847)
│   └── Linux 5.8 - 5.16.10 (fixed in 5.16.11, 5.15.25, 5.10.102), uninitialised pipe buffer flags allow overwriting page-cache pages of read-only files
├── PwnKit (CVE-2021-4034)
│   ├── Actually pkexec (polkit), not the kernel, but the same impact
│   └── Almost every Linux since 2009, until distros patched in January 2022
├── Netfilter (CVE-2022-25636)
│   └── Linux 5.4 - 5.6.10, heap out-of-bounds write in nf_dup_netdev (needs CAP_NET_ADMIN, usually via unprivileged user namespaces)
├── eBPF (CVE-2021-3490)
│   └── Linux 5.7 - 5.11, ALU32 bounds-tracking bug in the eBPF verifier (needs unprivileged BPF enabled)
├── DCCP (CVE-2017-6074)
│   └── Linux < 4.9.11, use-after-free in DCCP (needs the dccp module available for autoload)
├── AF_PACKET (CVE-2017-7308)
│   └── Linux 4.8.0 - 4.10.6, missing bounds check in packet_set_ring (TPACKET_V3) gives a heap out-of-bounds write (needs CAP_NET_RAW, usually via unprivileged user namespaces)
└── Overlayfs (CVE-2015-1328, CVE-2021-3493, CVE-2023-0386)
    └── Multiple privilege escalations in the overlay filesystem, several of them Ubuntu-specific

Evaluating Exploits

bash
# Before running an exploit, evaluate:

# 1. Does the version match?
# Exploit says: Linux < 4.8.3
# Your target: Linux 4.15.0
# → Not applicable: 4.15.0 is newer than the release that carries the fix
# (the reverse also matters: a distro may have backported the fix into an "old" version)

# 2. Check the CVE details
# Read about the vulnerability
# What conditions are needed? (config options, modules, capabilities, user namespaces)

# 3. Check compile requirements
head -50 exploit.c
# Look for: gcc commands, required libraries, whether it must be built on the target

# 4. Is it 32-bit or 64-bit?
file exploit
# Compiled exploits must match target arch

# 5. Read exploit comments
head -100 exploit.c
# Authors usually explain requirements and the kernel builds they tested against

# 6. Test on similar system first
# If possible, reproduce the target's distro and kernel in a lab before touching production

# Red flags:
# - Exploit requires a specific kernel config or module you have not confirmed
# - "May cause system crash" warnings
# - Very old exploit for a target that has been updated since (likely patched)
# - Requires kernel modules not present
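# - Requires kernel modules">
Step 4 above relies on `file`, which a minimal target (busybox, containers) often lacks. The helper below is an added example, not code from the page, that reads the ELF header directly with `od` and compares the result with `uname -m`. It assumes little-endian targets (true for x86, x86_64, aarch64 and armv7l in practice) and only knows those four machine types; the demo header it checks is a constructed 20-byte ELF64 stub, not a real binary.

```bash
#!/usr/bin/env bash
# Added example: check a compiled exploit's architecture without `file`.
# Reads the ELF ident and e_machine fields straight from the header.

# elf_arch FILE : print the ELF architecture as a uname -m style name
elf_arch() {
    local f="$1" magic class machine
    # Bytes 0-3: magic, must be 7f 45 4c 46 ("\177ELF")
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "not-elf"; return 1; }
    # Byte 4: EI_CLASS, 1 = 32-bit, 2 = 64-bit
    class=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')
    # Bytes 18-19: e_machine, stored little-endian, so swap the two bytes
    machine=$(od -An -tx1 -j18 -N2 "$f" | awk '{ print $2 $1 }')
    case "$machine" in
        003e) echo "x86_64"  ;;
        0003) echo "i686"    ;;
        00b7) echo "aarch64" ;;
        0028) echo "armv7l"  ;;
        *)    echo "unknown(e_machine=0x$machine,class=$class)"; return 1 ;;
    esac
}

# exploit_fits_host ELF_ARCH [HOST_ARCH] : prints yes/maybe/no, exit 1 on "no".
# 32-bit binaries on a 64-bit host need the kernel's compat layer
# (CONFIG_IA32_EMULATION / CONFIG_COMPAT) plus 32-bit libs, hence "maybe".
exploit_fits_host() {
    local want="$1" host="${2:-$(uname -m)}"
    case "$host:$want" in
        x86_64:x86_64|i686:i686|aarch64:aarch64|armv7l:armv7l) echo "yes";   return 0 ;;
        x86_64:i686|aarch64:armv7l)                            echo "maybe"; return 0 ;;
        *)                                                     echo "no";    return 1 ;;
    esac
}

# Demo: constructed 20-byte ELF64 x86_64 header (EI_CLASS=2, e_machine=0x3e), not a real binary
demo_elf_check() {
    local tmp
    tmp=$(mktemp)
    printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\002\000\076\000' > "$tmp"
    elf_arch "$tmp"
    rm -f "$tmp"
}

# Usage: ./elfcheck.sh ./exploit
if [ -n "${1:-}" ]; then
    arch=$(elf_arch "$1") && echo "$1: $arch, runnable on $(uname -m): $(exploit_fits_host "$arch")"
fi
```

A "maybe" is worth a second look before you copy the binary over: on x86_64 the 32-bit path is usually fine on full distros but absent on hardened or minimal kernels, and a SIGILL or "No such file or directory" from the loader on a file that clearly exists is the tell-tale sign of a missing compat layer or 32-bit libc.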

Quick Vulnerability Checks

bash
# DirtyCow (CVE-2016-5195)
# Upstream-vulnerable: 2.6.22 <= kernel < 4.8.3 (coarse screen on the upstream version only)
uname -r | grep -E '^(2\.6\.(2[2-9]|[3-9][0-9])|3\.|4\.[0-7]\.|4\.8\.[0-2]([^0-9]|$))'

# DirtyPipe (CVE-2022-0847)
# Upstream-vulnerable: 5.8 <= kernel < 5.16.11; stable fixes are 5.16.11, 5.15.25 and 5.10.102
uname -r | grep -E '^5\.(8|9|1[0-6])\.'
# A match only means "in range": compare the patch level against those fix releases by hand

# The distro revision is what carries the patch level, not the upstream version
uname -r
# e.g. 4.15.0-142-generic: Ubuntu backports fixes into the -NNN revisions, so check the
# distro security tracker for the CVE against that package version

# Check pkexec for PwnKit
pkexec --version
# The version string is a weak signal: distros patched their existing polkit builds in January 2022

# Check glibc for various exploits
ldd --version

# Check specific protections
cat /proc/sys/kernel/randomize_va_space   # ASLR (2 = full)
cat /proc/sys/kernel/kptr_restrict        # Kernel pointer hiding
grep -owE 'smep|smap|nx' /proc/cpuinfo | sort -u   # CPU protections (dmesg is usually restricted to root)
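The grep screens above only tell you that the upstream version falls inside a range, and hand-written regexes are easy to get wrong (a pattern for "2.x through 4.8.2" that forgets three-digit minors silently skips 3.10.0, the RHEL 7 kernel). The helper below is an added example, not code from the page: it splits the upstream version off `uname -r`, compares it with `sort -V`, and checks it against per-branch vulnerable ranges, so the DirtyPipe stable fixes in 5.10.102 and 5.15.25 are handled instead of lumped into "5.8 to 5.16". The ranges come from the CVE summaries on this page; `sort -V` is GNU coreutils and may be missing from busybox `sort`. The built-in caveat stands: a distro that backported the fix makes this a false positive, so treat a hit as a lead to verify against the distro's security tracker.

```bash
#!/usr/bin/env bash
# Added example: screen `uname -r` against known-vulnerable upstream ranges.
# Distros backport fixes without changing the upstream version, so a hit
# here is a lead to verify, never proof of vulnerability.

# kernel_base "4.15.0-142-generic" -> "4.15.0"; "3.10.0-1160.el7.x86_64" -> "3.10.0"
kernel_base() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+(\.[0-9]+){1,2}).*/\1/'
}

# version_lt A B : true if A < B in natural version order (GNU sort -V)
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# version_in_range V LOW FIXED : true if LOW <= V < FIXED
version_in_range() {
    ! version_lt "$1" "$2" && version_lt "$1" "$3"
}

# check_kernel_version UNAME_R : print "CVE(name)" for every range the upstream
# version falls inside. Table columns: CVE name first-vulnerable first-fixed.
# Multi-branch fixes are one row per stable branch (DirtyPipe: 5.10.102, 5.15.25, 5.16.11;
# the 5.11-5.14 branches were end-of-life and never received the fix).
check_kernel_version() {
    local v hits="" cve name low fixed
    v=$(kernel_base "$1")
    while read -r cve name low fixed; do
        if version_in_range "$v" "$low" "$fixed"; then
            hits="$hits ${cve}(${name})"
        fi
    done <<'EOF'
CVE-2016-5195 DirtyCow 2.6.22 4.8.3
CVE-2017-7308 AF_PACKET 4.8.0 4.10.7
CVE-2022-0847 DirtyPipe 5.8 5.10.102
CVE-2022-0847 DirtyPipe 5.11 5.15.25
CVE-2022-0847 DirtyPipe 5.16 5.16.11
EOF
    printf '%s\n' "${hits# }"
}

# Usage on the target: check_kernel_version "$(uname -r)"
# Demo on a constructed RHEL 7 style version string:
echo "3.10.0-1160.el7.x86_64 -> $(check_kernel_version 3.10.0-1160.el7.x86_64)"
```

Extend the table from the CVE details rather than from memory: the "first fixed" column must be the release that actually carries the commit on that branch, which is why one CVE can need several rows.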

Kernel Enumeration Methodology

Kernel Exploit Research Flow

  1. Get Version: uname -r for the exact kernel version string
  2. Distribution: cat /etc/os-release for distro and release
  3. Architecture: uname -m for 32/64-bit
  4. Suggester: run linux-exploit-suggester
  5. Search: searchsploit for version matches
  6. Evaluate: read exploit requirements carefully

Knowledge Check

Quick Quiz

What's the most important piece of information for kernel exploitation?

Challenges

Find the Exploit

Challenge (intermediate)

Given a Linux system with kernel 4.4.0-21-generic (Ubuntu 16.04), find at least two potential kernel exploits and evaluate which is most likely to work.


Key Takeaways

  • Record exact kernel version with uname -r
  • Note architecture (x86_64 vs i686) for exploit compatibility
  • Use linux-exploit-suggester for an automated first pass (it matches version strings, so verify its leads)
  • searchsploit is essential for finding exploit code
  • Always evaluate exploits before running (version match, requirements)
  • Kernel exploits should be last resort due to crash risk