
OverlayFS - CVE-2021-3493

Exploit a 2021 Kernel vulnerability in Ubuntu to become root almost instantly!


OverlayFS is a kernel module that allows the system to combine several mount points into one, so that you can access all the files from each within one directory structure.

It's often used by live USBs and some other specialist applications. One use is having a read-only root, and another partition "overlayed" with that to allow applications to write to a temporary .

More resources are included in the final task (Further reading) if you'd like to learn more about OverlayFS and this exploit.

Room Banner by Maksym Kaharlytskyi on Unsplash

Answer the questions below
I have a very rough overview of what OverlayFS is

About the vuln

Recently, SSD-Disclosure released a proof of concept (and a great explanation) for an Ubuntu kernel exploit (https://ssd-disclosure.com/ssd-advisory-overlayfs-/).

This vulnerability is particularly serious, as overlayfs is a kernel module that is installed by default on Ubuntu 18.04 Server.
If the system is vulnerable, you can very easily escalate from any user to root, as long as you can run a binary.
If there isn't a C compiler installed on the machine, you can compile the binary statically elsewhere and copy just the binary over.
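
A defender-side triage check for the preconditions behind this escalation, added here as an example (it is not code from this room or from SSD-Disclosure). It assumes, as background not stated on this page, that the bug is reached by mounting overlayfs from inside an unprivileged user namespace; the function names and the optional root-prefix argument are hypothetical.

```shell
#!/bin/sh
# Exposure triage for the CVE-2021-3493 preconditions (added example).
# An optional root prefix lets the check read a copied or constructed
# filesystem tree instead of the live host.

# Print the value of field $2 from the os-release file $1.
os_release_field() {
    sed -n "s/^$2=//p" "$1" 2>/dev/null | tr -d '"' | head -n 1
}

# Echo one line per precondition, then a final verdict line.
check_overlayfs_exposure() {
    root="${1:-}"
    distro=$(os_release_field "$root/etc/os-release" ID)
    version=$(os_release_field "$root/etc/os-release" VERSION_ID)
    echo "distro=${distro:-unknown} version=${version:-unknown}"

    # /proc/filesystems lists overlay only once the module is loaded.
    # It can still autoload on first mount, so "no" is not a clean bill.
    if grep -qw overlay "$root/proc/filesystems" 2>/dev/null; then
        overlay=yes
    else
        overlay=no
    fi
    echo "overlay_registered=$overlay"

    # Debian/Ubuntu kernels expose this sysctl; 0 means unprivileged
    # users cannot create user namespaces (assumed attack path closed).
    userns=$(cat "$root/proc/sys/kernel/unprivileged_userns_clone" 2>/dev/null || true)
    echo "unprivileged_userns_clone=${userns:-absent}"

    # The verdict ignores overlay_registered because of autoloading.
    if [ "$distro" = ubuntu ] && [ "$userns" != 0 ]; then
        echo "verdict=review"
    else
        echo "verdict=lower-risk"
    fi
}

# Run against the live host, or against a tree passed as argument 1.
check_overlayfs_exposure "${1:-}"
```

A "review" verdict means the installed kernel package still has to be compared with the vendor's advisory for CVE-2021-3493; setting kernel.unprivileged_userns_clone=0 closes the unprivileged-namespace path until the kernel is updated.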

Credentials for

Username: overlay

Password: tryhackme123

If you're using the web-based machine, open it in full screen (by clicking the icon) to copy/paste the exploit code.

Answer the questions below
Deploy the machine with the Start Machine button in this task and wait up to 2 minutes for the VM to boot.

SSH into the machine with the credentials provided in the task text.

Grab the source code for the exploit from SSD-Disclosure here and save it as exploit.c on the target machine.

Compile the exploit with gcc. If you're finding this difficult, a command is given in the hints.

Run your compiled exploit, and get root!
What's the flag in /root/?

Want to know more about OverlayFS?

https://yagrebu.net/unix/rpi-overlay.md - Read only root with overlayfs to allow applications to run normally.

https://wiki.archlinux.org/index./Overlay_filesystem - The Arch Wiki's page on OverlayFS (I don't use Arch BTW)

Want to know more about this specific ?

https://..org/cgi-bin/cvename.cgi?name=-2021-3493 - 's entry for this vulnerability, which includes many further links.

https://ssd-disclosure.com/ssd-advisory-overlayfs-/ - This is where we got the code, and it explains the vulnerability very well.

Answer the questions below
Hope you've enjoyed this short room.
