OverlayFS - CVE-2021-3493

Exploit a 2021 Kernel vulnerability in Ubuntu to become root almost instantly!

Task 1: What is OverlayFS?

OverlayFS is a Linux kernel module that allows the system to combine several mount points into one, so that you can access all the files from each within one directory structure.

It's often used by live USBs and some other specialist applications. One use is a read-only root file system with another partition overlaid on it, so that applications can write to a temporary file system.
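
The layering rules behind that read-only-root setup can be modelled in a few lines of Python. This is an added illustration, not part of the original room and not kernel code: the `Overlay` class and its method names are hypothetical, the sample files are constructed, and whiteouts (the markers OverlayFS uses to hide deleted lower-layer files) are modelled as a plain set.

```python
"""Toy model of OverlayFS lookup rules (illustration only, not kernel code)."""


class Overlay:
    def __init__(self, lower):
        self.lower = dict(lower)   # read-only layer, e.g. the root image
        self.upper = {}            # writable layer, e.g. a tmpfs partition
        self.whiteouts = set()     # paths deleted from the merged view

    def read(self, path):
        # Lookup order: a whiteout hides the file, then upper wins over lower.
        if path in self.whiteouts:
            raise FileNotFoundError(path)
        if path in self.upper:
            return self.upper[path]
        if path in self.lower:
            return self.lower[path]
        raise FileNotFoundError(path)

    def write(self, path, data):
        # Writes never touch the lower layer; they land in the upper layer.
        self.whiteouts.discard(path)
        self.upper[path] = data

    def append(self, path, data):
        # Modifying a lower-layer file first copies it up, then edits the copy.
        self.write(path, self.read(path) + data)

    def delete(self, path):
        self.read(path)                 # raises if the file is not visible
        self.upper.pop(path, None)
        if path in self.lower:
            self.whiteouts.add(path)    # marker that masks the lower copy

    def listdir(self):
        visible = (set(self.lower) | set(self.upper)) - self.whiteouts
        return sorted(visible)


def demo():
    # Constructed sample: a read-only root image with two files.
    root = {"/etc/motd": "welcome\n", "/etc/hostname": "live-usb\n"}
    fs = Overlay(root)
    fs.append("/etc/motd", "patched\n")    # copy-up into the upper layer
    fs.write("/tmp/scratch", "data\n")     # new file, upper layer only
    fs.delete("/etc/hostname")             # whiteout over the lower file
    return fs, root
```

After `demo()`, the merged view shows the patched `/etc/motd` and the new `/tmp/scratch`, while the lower layer still holds its original two files untouched.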

More resources are included in the final task (Further reading) if you'd like to learn more about OverlayFS and this exploit.

Room Banner by Maksym Kaharlytskyi on Unsplash

Answer the questions below
I have a very rough overview of what OverlayFS is

About the vuln

Recently, SSD-Disclosure released a proof of concept (and a great explanation) for an Ubuntu kernel exploit (https://ssd-disclosure.com/ssd-advisory-overlayfs-pe/).

This vulnerability is particularly serious, as overlayfs is a kernel module that is installed by default on Ubuntu 18.04 Server.
If the system is vulnerable, you can very easily escalate from any user to root, as long as you can run a binary.
If there isn't a C compiler installed on the machine, you can compile the binary statically elsewhere and copy just the binary over.

Credentials for SSH

Username: overlay

Password: tryhackme123

If you're using the web-based machine, open it in full screen (by clicking the icon) to copy/paste the exploit code.

Answer the questions below
Deploy the machine with the Start Machine button in this task and wait up to 2 minutes for the VM to boot.

SSH into the machine with the credentials provided in the task text.

Grab the source code for the exploit from SSD-Disclosure here and save it as exploit.c on the target machine.

Compile the exploit with gcc. If you're finding this difficult, a command is given in the hints.

Run your compiled exploit, and get root!
What's the flag in /root/?

Want to know more about OverlayFS?

https://yagrebu.net/unix/rpi-overlay.md - Read-only root file system with overlayfs to allow applications to run normally.

https://wiki.archlinux.org/index.php/Overlay_filesystem - The Arch Wiki's page on OverlayFS (I don't use Arch BTW)

Want to know more about this specific CVE?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3493 - Mitre's CVE entry for this vulnerability, which includes many further links.

https://ssd-disclosure.com/ssd-advisory-overlayfs-pe/ - This is where we got the PoC code, and it explains the vulnerability very well.

Answer the questions below
Hope you've enjoyed this short room.
