Difficulty: Easy
This blog post was intended for Indonesian audiences. I’m only including the exercise portion and references that I used to create the blog post for the English version.
The files I used for the examples can be downloaded here.
References
- https://lkmidas.github.io/posts/20210223-linux-kernel-pwn-modprobe/
- https://theori.io/blog/reviving-the-modprobe-path-technique-overcoming-search-binary-handler-patch
- KernelCTF
- Coworkers
Exercise
Both tricks run a custom saved program as root. However, what if the current user is inside a namespace (for example, inside a Docker container)? How can the user escape from that namespace?
There are techniques for this that you can find in KernelCTF; feel free to explore them yourself.