It’s been a long time since i did a walk-through on any VulnHub machines. I was bored this weekend due to my vacations from university so i thought hacking a new machine this time.
The machine name is Lampião 1 created by Tiago Tavares. The VM can be downloaded from:
Lampião: 1 ~ VulnHub
Lampião: 1, made by Tiago Tavares. Download & walkthrough links are available.
So let’s jump in.
The first step is always finding the IP address of the machine and “netdiscover” does that for us.
Once we have the IP address. I straightly moved towards the nmap scan.
It can clearly be seen that port 22, 80 and 1898 is up and running. Means that there is a web application hosted? Obviously yes..
On checking the port 80 i found something ‘Ehhh!’
Well it says that it is easy but what does that text means?
If you are curious then you can fire up google translate. I leave that for you ;)
So let’s check the second port?
Okhay fine. So a Drupal 7 CMS is up and running. Fine and great.
I tried bypassing the login panel but it didn’t worked. But something that caught my eye were the 2 usernames/authors ;)) — enough for the bruteforce ;))
So we have “tiago, eder” two usernames. Now where are the passwords?
There were two blog posts. One was a great one just because it was not in english and i don’t really know what does that mean. Huh! shall i care? No!
But yes i should care. Generating your own password list/word list is a great game. I learned that few years ago when i was doing a Web Application Penetration test of my client. I simply generated the word-list from their web and w00t? i got r00t ;).
cewl is going to help us generate the word list…..
Also create a file with the usernames we have found :))
Now we know that SSH is up and running on port 22.
Now what? HYDRA the devil ;))
Fire it up using the usernames and the wordlist we generated.
We got the password but ‘Ehh!’ there are 2792 tries in total. Going to take time.
Let’s try logging into the machine using the username and the password we have found.
Yayy! we got root. Oh wait a second not at the moment. We have got the limited shell. It’s time to enumerate what’s going on and looking for the Privilege Escalation methods to get the root shell.
Looking for the files but didn’t found anything worthy. So let’s check the OS details.
So it’s an Ununtu 14.04.5 LTS machine. I have been using a script for suggesting the exploits for the linux machines in my penetration testing. It’s open source and can be found on GitHub.
linux-exploit-suggester - Linux privilege escalation auditing tool
linux-exploit-suggester-2 - Next-Generation Linux Kernel Exploit Suggester
Here i tried if i can directly git clone the repository but sadly we don’t have the permission to do that. But on enumerating i found that we have the wget command allowed. Well that’s all what we need.
So now it’s time to give the file the executable permissions.
Let’s run the script and wait.
We have found many exploits those are going to work on this machine. Time to choose one, the rest can be practiced later as well.
We have two Dirty Cow exploits on the exploit-db :))
Downloading the exploit on the target machine.
Compile the cpp code using the gcc or g++ compiler and running it :))
We got the password changed. Now changing the user session to root via su command and typing the new password. We got the root access and the flag too.
We know that this is an MD5 hash and remember the image we found on the port default web page (port 80) ?
Let’s perform the checksum :))
Something cool about the coded image ;) it looks like this.
I hope you enjoyed the walk-through.
Thank you very much for reading :))