Lampiao

An easy boot2root challenge

I got root access in three steps:

  1. Enumeration: robots.txt reveals a lot of information.

  2. Exploitation: two ways in, one via SSH and the other via a Drupal vulnerability.

  3. Privilege Escalation: the dirtycow kernel exploit is available.

Now I'm going to describe how I solved it.

1. Enumeration

(1) The target IP is 10.0.2.28. I started with an nmap scan.

nmap -sV -v 10.0.2.28

(2) After visiting port 80, I did not find anything interesting, but port 1898 serves a web page.

(3) When enumerating a website, it's best to check for robots.txt first. I tried, and this site does have a robots.txt.

(4) I started visiting all the directories listed in that robots.txt file but found nothing interesting. Then, in the minimal.info file, I found that the site is running Drupal 7.54. Exploit-db also has exploit code for this version. (Exploit-db link)

(5) An SQL injection attempt failed, and so did a new-password request, because the mail server is not running in the background.

(6) Found two usernames on the first page: tiago and Eder.

2. Exploitation (using SSH)

(7) From the nmap scan I found that SSH is running, so let's try brute-forcing it. The problem is that the wordlists available in the OS and on GitHub take a lot of time. Building a wordlist from the website itself can save some time. Let's try:

cewl http://10.0.2.28:1898/?q=node/1 -w pass.txt

(8) I saved those usernames in usernames.txt and the wordlist in pass.txt. Now I'm using hydra to brute-force the SSH password.

hydra -L usernames.txt -P pass.txt -e nsr -f -t 4 ssh://10.0.2.28

The brute force succeeded: I got the username tiago and the password Virgulino.

(9) I can log in with this username and password.
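As an added defender-side example (not part of the original writeup), the Python below reads OpenSSH auth.log lines and flags the trace a hydra run like step (8) leaves on the target: a burst of failed passwords from one source inside a short window, possibly followed by a successful login from the same source. The log lines, hostname and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (not taken from the writeup): one source
# fails many times within seconds and then succeeds; the other is ordinary user behaviour.
SAMPLE_LOG = """\
Jan 10 12:00:01 lampiao sshd[1201]: Failed password for tiago from 10.0.2.15 port 40001 ssh2
Jan 10 12:00:01 lampiao sshd[1202]: Failed password for invalid user eder from 10.0.2.15 port 40002 ssh2
Jan 10 12:00:02 lampiao sshd[1203]: Failed password for tiago from 10.0.2.15 port 40003 ssh2
Jan 10 12:00:02 lampiao sshd[1204]: Failed password for tiago from 10.0.2.15 port 40004 ssh2
Jan 10 12:00:03 lampiao sshd[1205]: Failed password for tiago from 10.0.2.15 port 40005 ssh2
Jan 10 12:00:03 lampiao sshd[1206]: Accepted password for tiago from 10.0.2.15 port 40006 ssh2
Jan 10 12:05:00 lampiao sshd[1300]: Failed password for tiago from 10.0.2.40 port 50001 ssh2
Jan 10 12:40:00 lampiao sshd[1301]: Accepted password for tiago from 10.0.2.40 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(line, year=2024):
    """Return (timestamp, result, user, ip) or None; syslog lines carry no year."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Map source IP -> (failures in window, users tried, login succeeded afterwards)
    for every source with >= threshold failed logins inside window_s seconds."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            by_ip[rec[3]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        fails = sorted(r for r in recs if r[1] == "Failed")
        for i in range(len(fails)):
            # count the failures that fall in the window opened by fails[i]
            j = i
            while j < len(fails) and (fails[j][0] - fails[i][0]).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:
                accepted = any(r[1] == "Accepted" and r[0] >= fails[j - 1][0] for r in recs)
                alerts[ip] = (j - i, sorted({r[2] for r in fails}), accepted)
                break
    return alerts
```

Running detect_bruteforce(SAMPLE_LOG) flags only 10.0.2.15, with both usernames tried and a successful login after the burst; the single failure from 10.0.2.40 stays below the threshold.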

2. Exploitation (using Metasploit)

(10) A Metasploit search shows there are already many exploits.

(11) I'm going to use drupalgeddon2 because it has an excellent ranking.

use 4
set rhosts 10.0.2.28
set rport 1898

(12) After exploiting with the run command I got a shell, but it only has user privileges. I started searching through the directories for anything valuable, but there is nothing. There is a folder named tiago, but it has nothing either.

3. Privilege Escalation

(13) I tried to upload Linux Exploit Suggester, but I had no permission.

(14) What if I try uploading it to the temporary (/tmp) directory? That works. After downloading it with wget, I changed the permissions and ran it.

(15) It reports that the OS is vulnerable to dirtycow, a well-known kernel exploit.

(16) I downloaded 40847. Then I renamed it to a C++ file and changed its permissions.

mv 40847 40847.cpp
chmod +x 40847.cpp

Then I compiled it. Remember, to compile this code follow the instructions described in the original exploit. (Exploit-db link). Now I can run the exploit.

(17) I was getting an error when trying to log in with the root password. (I can't figure out why.) So I connected over SSH again using the root password, and I became root!

Note: Privilege escalation is the same for both paths, the SSH exploitation and the Metasploit exploitation. That's why I have described it only once.
