Kernel Exploit - Walkthrough

Saksham Bhattarai
4 min readNov 21, 2024


In this blog, we investigate a Linux kernel exploit that led to a security breach on a critical transaction processing server. The case highlights the value of robust monitoring and quick forensic analysis in containing threats. Using artifacts collected by the Unix-like Artifacts Collector (UAC), we trace the attacker's steps, from the privilege-escalation binary they ran to the kernel vulnerability it targeted.

Let’s dive into the findings.

What is the name of the key file the intruder downloaded to elevate their privileges after gaining unauthorized access?

Let's start by examining the artifacts provided. The challenge supplies data collected by the Unix-like Artifacts Collector (UAC), which copies selected files from the host's filesystem and runs commands on the live system to capture volatile forensic artifacts (process listings, network state, system configuration).

Revisiting the scenario, the traffic anomaly and the challenge name suggest that the attacker exploited a kernel vulnerability to gain root access and exfiltrate data. On that basis, the investigation started with the process listings recorded when UAC ran, found under live_response -> process.

Open any of the ps-style command outputs in that directory and look for processes started from unusual locations. One stands out: ./exploit (PID 31671), run by the user a1l4m from a relative path. This is the process we are after.
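The triage described above, as an added example that is not part of the original write-up: parse a `ps -ef` listing of the kind UAC stores under live_response/process, flag commands launched via a relative path or from a world-writable directory, and walk the PPID chain of each hit. The listing is constructed for the example; only the ./exploit row's PID, PPID and user come from the case.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of a `ps -ef` listing. The ./exploit row carries the
# PID, PPID and user reported in the write-up; every other row is invented
# filler so the example runs offline.
SAMPLE_PS = """\
UID          PID    PPID  C STIME TTY          TIME CMD
root           1       0  0 09:02 ?        00:00:03 /sbin/init
root         812       1  0 09:02 ?        00:00:00 sshd: /usr/sbin/sshd -D [listener]
a1l4m       1686     812  0 10:41 ?        00:00:00 -bash
a1l4m      31671    1686  0 10:58 pts/0    00:00:00 ./exploit
root       31702       1  0 10:59 ?        00:00:00 /lib/systemd/systemd-journald
"""

# Directories unprivileged users can write to; a binary executed from one of
# them deserves a second look during triage.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Proc:
    user: str
    pid: int
    ppid: int
    cmd: str


def parse_ps(text: str) -> List[Proc]:
    """Parse `ps -ef` output into Proc records.

    The first seven columns are fixed-width tokens; everything after TIME is
    the command line, so the split is capped at 7 to keep arguments intact.
    """
    procs: List[Proc] = []
    for line in text.splitlines():
        parts = line.split(None, 7)
        if len(parts) < 8 or parts[1] == "PID":  # blank line or header row
            continue
        uid, pid, ppid, _c, _stime, _tty, _time, cmd = parts
        procs.append(Proc(user=uid, pid=int(pid), ppid=int(ppid), cmd=cmd))
    return procs


def is_suspicious(cmd: str) -> bool:
    """True when argv[0] is a relative ./path or lives in a writable staging dir."""
    argv0 = cmd.split()[0] if cmd.strip() else ""
    return argv0.startswith("./") or argv0.startswith(WRITABLE_DIRS)


def triage(text: str) -> List[Proc]:
    """Return the processes in a `ps -ef` listing that warrant a closer look."""
    return [p for p in parse_ps(text) if is_suspicious(p.cmd)]


def ancestry(procs: List[Proc], pid: int) -> List[Proc]:
    """Walk PPID links from pid up to init (stops if the chain breaks or loops)."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    chain: List[Proc] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for hit in triage(SAMPLE_PS):
        print(f"suspicious: pid={hit.pid} ppid={hit.ppid} user={hit.user} cmd={hit.cmd}")
        print("  ancestry:", " <- ".join(f"{p.pid}:{p.cmd.split()[0]}" for p in ancestry(procs, hit.pid)))
```

Running it prints the ./exploit hit with its parent shell, the sshd listener and init behind it; the same two functions run unchanged over every ps output UAC collected, which is quicker than eyeballing each file.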

exploit

When was the file used for privilege escalation first submitted on Virus Total?

Let's identify where the binary was executed from. The process listing shows it was launched as ./exploit with /tmp as the working directory, which is highly suspicious: world-writable staging directories such as /tmp are a common drop location for attacker tooling.

With this information, navigate to /[root]/tmp in the UAC output (UAC mirrors the files it collects under a [root] directory) to locate the file. Once found, calculate its SHA-256 hash (for example with sha256sum) for further investigation.

Search for the hash on VirusTotal. Under the "Details" tab, the "History" section lists the first submission timestamp of the binary.

2024-03-26 16:45:52 UTC

What is the Process ID (PID) of the operation launched by the attacker?

31671

What username was the malicious process running under?

a1l4m

What is the Parent Process ID (PPID) associated with the malicious process?

1686

What are the operating system and its version on the compromised server? Answer format: version-os

To determine this, navigate to the /live_response/system directory, which stores the output of various system and configuration commands. The uname output there reports the kernel release and, in the kernel build string (the ~22.04.1-Ubuntu suffix), the Ubuntu release the kernel package was built for. If /etc/os-release was collected, it is the authoritative source for the OS version and should agree with that tag.

22.04.1-Ubuntu

What is the kernel version of the compromised system?

6.5.0-27-generic

What is the most recent CVE number associated with the vulnerabilities exploited in this attack?

Returning to VirusTotal, two potential CVEs were identified. The more recent, CVE-2024-1086, published in 2024, affects upstream Linux kernels from 3.15 to 6.1.76, 6.2 to 6.6.15, and 6.7 to 6.7.3. The compromised host's 6.5 kernel falls inside the second range, so the exploit targets this kernel series. One caveat a practitioner should keep in mind: distribution kernels backport fixes without changing the upstream version number, so the Ubuntu package changelog for 6.5.0-27 is the definitive check on whether this particular build was still vulnerable; the upstream range alone is a strong indicator, not proof.
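The two checks from the OS-version and CVE questions, as an added example that is not code from the original write-up: pull the kernel release and the Ubuntu tag out of a `uname -a` line, then test the release against the upstream affected ranges for CVE-2024-1086 quoted above. The `uname -a` line is constructed (hostname and build date are invented), and reading each range's upper bound as the first fixed release is an assumption made for this example.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed `uname -a` line for the example. Hostname and build date are
# invented; the release and build-string layout follow Ubuntu's HWE kernels.
UNAME_A = ("Linux txn-srv01 6.5.0-27-generic #28~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC "
           "Fri Mar 29 16:13:26 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux")

# Upstream affected ranges for CVE-2024-1086 as listed in the write-up, read
# as [first affected, first fixed). Treating the upper bound of each range as
# the first fixed release is an assumption of this example.
CVE_2024_1086_RANGES = (
    ((3, 15, 0), (6, 1, 76)),
    ((6, 2, 0), (6, 6, 15)),
    ((6, 7, 0), (6, 7, 3)),
)


def parse_uname_a(line: str) -> Dict[str, Optional[str]]:
    """Split `uname -a` into the kernel release (third field) and the build
    string, and extract the ~NN.NN.N-Ubuntu tag Ubuntu embeds in the latter."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "Linux":
        raise ValueError("not a Linux `uname -a` line")
    build = " ".join(fields[3:])  # what `uname -v` alone would print
    m = re.search(r"~(\d+\.\d+(?:\.\d+)?-Ubuntu)", build)
    return {"release": fields[2], "build": build, "distro_tag": m.group(1) if m else None}


def parse_kernel_release(release: str) -> Version:
    """Reduce a `uname -r` string such as 6.5.0-27-generic to (6, 5, 0).

    The distro suffix (-27-generic) is dropped on purpose: upstream CVE ranges
    are expressed in mainline/stable version numbers only.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups(default="0")
    return (int(major), int(minor), int(patch))


def affected_range(version: Version, ranges=CVE_2024_1086_RANGES) -> Optional[Tuple[Version, Version]]:
    """Return the [lo, hi) range containing version, or None if it is outside all of them."""
    for lo, hi in ranges:
        if lo <= version < hi:
            return (lo, hi)
    return None


def upstream_vulnerable(release: str) -> bool:
    """True when the upstream version embedded in release lies in an affected range."""
    return affected_range(parse_kernel_release(release)) is not None


if __name__ == "__main__":
    info = parse_uname_a(UNAME_A)
    print("release:", info["release"], "| distro tag:", info["distro_tag"])
    hit = affected_range(parse_kernel_release(info["release"]))
    print("upstream affected range:", hit)
```

A hit here means the kernel series is in scope upstream, which is the right signal for triage. It says nothing about whether the distribution backported the fix under the same 6.5.0 version, so confirm against the vendor's package changelog before calling the host vulnerable.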

CVE-2024-1086

Summary

This investigation revealed a Linux kernel exploit leveraged by an attacker to gain root privileges and exfiltrate data. UAC-collected artifacts helped identify the suspicious process, the directory it ran from, and the vulnerability it exploited. Key findings:

  • PID: 31671
  • Username: a1l4m
  • Vulnerability: CVE-2024-1086
  • OS: 22.04.1-Ubuntu
  • Kernel: 6.5.0-27-generic
