mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
f
This commit is contained in:
parent
4de04c5e35
commit
c5aeedd559
@ -84,6 +84,16 @@ echo "Done! Output:"
cat ${OUTPUT_PATH}
```
## Kernel hardening since 2022 (CVE-2022-0492)
From Linux 5.10.93/5.15.17/5.16.2 onward the kernel **requires `CAP_SYS_ADMIN` in the _initial_ user-namespace to write `release_agent`**. A *privileged* container still has that capability, so this relative-path variant remains exploitable. *Unprivileged* containers on patched kernels, however, will not bypass the new check.
## Limitations on modern hosts (2025)
* **cgroup-v2** (the default in Fedora 40, Ubuntu 24.10 and most systemd-256+ distros) **removed the whole `release_agent` interface** – the technique simply does not exist there.
* On hybrid systems (`cgroup_no_v1="memory"` etc.) the memory controller may reside in v1 while others are in v2; if the memory hierarchy is v2 **the exploit must mount some other v1 controller** (e.g. `rdma`) to work.
* Mandatory Access Control profiles (AppArmor/SELinux) that disallow `mount` or make `/sys/fs/cgroup/**/release_agent` read-only will block the attack even in privileged containers.
{{#include ../../../../banners/hacktricks-training.md}}
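Review bot: the new "Kernel hardening since 2022 (CVE-2022-0492)" section states exact fixed versions (5.10.93/5.15.17/5.16.2) but gives no source for them; add a link to the CVE advisory or the upstream fix commit next to the CVE number so readers can verify the version numbers and check their own kernel against them. It would also help defenders to state explicitly that the check keys on the *initial* user namespace, as the sentence already implies, so a container that holds `CAP_SYS_ADMIN` only inside a child user namespace (rootless setups) is blocked on patched kernels just like an unprivileged one.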
@ -290,7 +290,7 @@ The PoC can be found in **[https://github.com/eladshamir/Internal-Monologue](htt
**Read more detailed guide on how to perform those attacks here:**
{{#ref}}
../../generic-methodologies-and-resources/pentesting-network/`spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md`
../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
{{#endref}}
## Parse NTLM challenges from a network capture
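Review bot: the fix is correct: the removed line wrapped only the filename part of the `{{#ref}}` path in backticks, which turns the reference into a literal path containing backtick characters that cannot resolve, and the added line restores the bare path `../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md`. Since this pattern may be a find-and-replace artifact rather than a one-off typo, it is worth checking the other `{{#ref}}` blocks in the file for the same stray backticks in the same commit.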