Lampiao

An Easy, boot2root challenge

Last updated 4 years ago


I got root access in three steps:

  1. Enumeration: robots.txt reveals a lot of information.

  2. Exploitation: there are 2 ways in; one is SSH and the other is a Drupal vulnerability.

  3. Privilege Escalation: the dirtycow kernel exploit is there.

Now I'm going to describe how I solved this.

1. Enumeration

(1) The target IP is 10.0.2.28. I started with an nmap scan.

nmap -sV -v 10.0.2.28

(2) After visiting port 80, I did not find anything interesting, but port 1898 reveals a webpage.

(3) When enumerating a website, it's better to look for robots.txt first. I tried, and this site does reveal a robots.txt.

(5) The SQL injection attempt failed, as did the new password request, because the mail server is not working in the background.

(6) I found 2 usernames on the first page: tiago and Eder.

2. Exploitation (using SSH)

(7) From the nmap scan, I found that SSH is running, so let's try to brute force it. The problem is that the wordlists available in the OS and on GitHub take a lot of time. Making a wordlist from the website could save some time. Let's try:

cewl http://10.0.2.28:1898/?q=node/1 -w pass.txt

(8) I saved those usernames in usernames.txt and the wordlist in pass.txt. Now I am using hydra to brute force the SSH password.

hydra -L usernames.txt -P pass.txt -e nsr -f -t 4 ssh://10.0.2.28

The brute force is successful. I got username: tiago and password: Virgulino

(9) I can log in using this username and password.
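
Seen from the defender's side, the hydra run in step (8) leaves a recognisable trail in the SSH server's auth log: a burst of failed passwords across several usernames from one source, ending in an accepted login. The following is an added example, not part of the original write-up; the log lines, host name, source addresses and the threshold of 5 failures are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd auth-log lines (not from the write-up); the host name and the
# source addresses 10.0.2.15 / 10.0.2.4 are made up for illustration.
SAMPLE_LOG = """\
Apr 20 10:01:01 lampiao sshd[1201]: Failed password for tiago from 10.0.2.15 port 40100 ssh2
Apr 20 10:01:01 lampiao sshd[1202]: Failed password for invalid user Eder from 10.0.2.15 port 40102 ssh2
Apr 20 10:01:02 lampiao sshd[1203]: Failed password for tiago from 10.0.2.15 port 40104 ssh2
Apr 20 10:01:02 lampiao sshd[1204]: Failed password for invalid user Eder from 10.0.2.15 port 40106 ssh2
Apr 20 10:01:03 lampiao sshd[1205]: Failed password for tiago from 10.0.2.4 port 51000 ssh2
Apr 20 10:01:04 lampiao sshd[1206]: Failed password for tiago from 10.0.2.15 port 40108 ssh2
Apr 20 10:01:05 lampiao sshd[1207]: Failed password for tiago from 10.0.2.15 port 40110 ssh2
Apr 20 10:01:06 lampiao sshd[1208]: Accepted password for tiago from 10.0.2.15 port 40112 ssh2
Apr 20 10:01:09 lampiao sshd[1209]: Accepted password for tiago from 10.0.2.4 port 51002 ssh2
"""

# Matches OpenSSH password-auth results for both valid and invalid users.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def detect_guessing(log_text, min_failures=5):
    """Return one finding per source with at least min_failures failed logins.

    min_failures=5 is an assumed threshold; tune it to the environment.
    """
    failures = defaultdict(int)   # source -> failed attempts
    users = defaultdict(set)      # source -> usernames tried
    success = {}                  # source -> account that finally logged in
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            failures[src] += 1
            users[src].add(user)
        elif failures[src] >= min_failures:
            # A success right after a run of failures suggests a guessed password.
            success.setdefault(src, user)
    return [{"src": s, "failures": n, "users_tried": sorted(users[s]),
             "success_as": success.get(s)}
            for s, n in failures.items() if n >= min_failures]

if __name__ == "__main__":
    for finding in detect_guessing(SAMPLE_LOG):
        print(finding)
```

A finding with a non-empty `success_as` means the account's password should be treated as compromised, not just that guessing was attempted.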

2. Exploitation (Using Metasploit)

(10) A Metasploit search shows there are already many exploits.

(11) I am going to use drupalgeddon2 because it has an excellent ranking.

use 4
set rhosts 10.0.2.28
set rport 1898

(12) After exploiting with the run command, I got a shell, but it has only user privileges. I searched the directories to see if I could get anything valuable, but there is nothing. There is a folder named tiago, but it also has nothing.

3. Privilege Escalation

(13) I tried to upload Linux exploit suggester, but it has no permission.

(14) What if I try to upload to the temporary (/tmp) directory? That works. After downloading it using wget, I changed the permission and then ran it.

(15) After running it, it says that the OS is vulnerable to dirtycow, a well-known kernel exploit.

(16) I downloaded 40847. After that, I changed it to a C++ file and changed its permission.

mv 40847 40847.cpp
chmod +x 40847.cpp

(17) I was getting an error while trying to access using the root password (I can't tell why). So I connected over SSH again using the root password, and I became root!

Note: Privilege escalation is the same for both the SSH and the Metasploit exploitation techniques. That's why I have described it only once.

(4) I visited all the directories listed in that robots.txt file but found nothing interesting. Then, in the minimal.info file, I found that the site is running Drupal 7.54. Exploit-db also has exploit code for this.

Then I compiled it. Remember, to compile this code, follow the instructions described in the main exploit. Now I can run the exploit.
