Escalating privileges with local root exploits

The overlayfs privilege escalation vulnerability allow local users to gain root privileges by leveraging a configuration in which overlayfs is permitted in an arbitrary mounted namespace. The weakness lies because the implementation of overlayfs does not correctly check the permissions for file creation in the upper filesystem directory.

More on the vulnerability can be found here: https://www.cvedetails.com/cve/cve-2015-1328.

Let's drop into a shell and download the raw exploit onto the target from https://www.exploit-db.com/:

Let's rename the exploit from 37292 to 37292.c and compile it with gcc, which will generate an executable, as shown in the following screenshot:

We can see that we have successfully compiled the exploit, so let's run it:

Bingo! As we can see, by running the exploit, we have gained access to the root shell; this marks the total compromise of this system. Let's run some of the basic commands and confirm our identity as follows:

Remember, we have an exploit handler running in the background? Let's run the same reverse_connect.elf file:

Another Meterpreter session opened! Let's see how this Meterpreter is different from the other two:

We can see that we have the third Meterpreter from the target system. However, the UID, that is, the user ID, is 0, which denotes the root user. Hence, this Meterpreter is running with root privileges and can provide us unrestricted entry to the entire system. Let's interact with the session using the session -i command followed by the session identifier, which is 3 in this case:

We can confirm the root identity through the getuid command, as shown in the preceding screenshot. We now have the complete authority of the system, so what's next?