
# Dirty Pipe: CVE-2022-0847

{% embed url="<https://tryhackme.com/room/dirtypipe>" %}
<https://tryhackme.com/room/dirtypipe>
{% endembed %}

| Room Attributes       | Value                                                                  |
| --------------------- | ---------------------------------------------------------------------- |
| Subscription Required | <mark style="color:green;background-color:green;">False</mark> \[Free] |
| Type                  | Walkthrough                                                            |
| Difficulty            | <mark style="color:blue;background-color:blue;">Info</mark>            |
| Tags                  | Dirty Pipe, CVE-2022-0847, Linux, Kernel                               |

## Task 1 - <mark style="color:green;background-color:green;">Info</mark> Introduction and Deploy

### Deploy the machine by clicking on the green "Deploy" button at the top of this task!

{% hint style="success" %}
No answer needed
{% endhint %}

## Task 2 - <mark style="color:purple;background-color:purple;">Tutorial</mark> Vulnerability Background

### Read the information in the task and understand how Dirty Pipe works.

{% hint style="success" %}
No answer needed
{% endhint %}

## Task 3 - <mark style="color:orange;background-color:orange;">Practical</mark> A Weaponised PoC

### Follow along with the steps described in the task if you haven't already done so.

{% hint style="success" %}
No answer needed
{% endhint %}

### Switch user (`su`) into your newly created root account. What is the flag found in the `/root/flag.txt` file?

<details>

<summary>Reveal Flag <span data-gb-custom-inline data-tag="emoji" data-code="1f6a9">🚩</span></summary>

`THM{MmU4Zjg0NDdjNjFiZWM5ZjUyZGEyMzlm}`

</details>

### As mentioned previously, we have accidentally overwritten other user accounts by exploiting Dirty Pipe in this manner. This could cause issues for the server; thus, as professionals, we must clean up after our exploits. Using your root shell, restore the original `/etc/passwd` file from your backup.

{% hint style="success" %}
No answer needed
{% endhint %}

## Task 4 - <mark style="color:orange;background-color:orange;">Practical</mark> <mark style="color:blue;background-color:blue;">Bonus Task</mark> A Second Exploit

### Exploit the target using bl4sty's exploit for Dirty Pipe

{% hint style="success" %}
No answer needed
{% endhint %}

### Make sure to clean up after yourself! Remove the SUID binary created by the script (`/tmp/sh`).

{% hint style="success" %}
No answer needed
{% endhint %}

### **\[**<mark style="color:purple;">**Optional**</mark>**]** Find another exploit for this vulnerability online. Review the code to ensure that it does what it claims to do, then upload it to the target and attempt to exploit the vulnerability a third way.

{% hint style="success" %}
No answer needed
{% endhint %}

## Task 5 - <mark style="color:green;background-color:green;">Info</mark> Conclusion

### I understand the Dirty Pipe vulnerability!

{% hint style="success" %}
No answer needed
{% endhint %}

