Lampiao
An easy boot2root challenge
I got root access in three steps:
Enumeration: robots.txt reveals a lot of information.
Exploitation: two ways in, one via SSH and the other via a Drupal vulnerability.
Privilege escalation: the kernel is vulnerable to the Dirty COW exploit.
Now I am going to describe how I solved it.
1. Enumeration
(1) The target IP is 10.0.2.28. I started with an nmap scan.
nmap -sV -v 10.0.2.28
(2) After visiting port 80, I found nothing interesting. But port 1898 serves a web page.
(3) When enumerating a web application, it is good practice to check robots.txt first. I tried it, and this site does expose a robots.txt.
(4) I started visiting all the directories listed in that robots.txt file, but found nothing interesting. Then, in the minimal.info file, I found that the site is running Drupal 7.54. Exploit-DB also has exploit code for this version. (Exploit-db link)
(5) SQL injection attempts failed, as did requesting a new password, because no mail server is running in the background.
(6) Found two usernames on the first page: tiago and Eder.
2. Exploitation (using SSH)
(7) From the nmap scan I found that SSH is running, so let's try to brute-force it. The problem is that the wordlists available in the OS and on GitHub take a lot of time. Building a wordlist from the website itself could save some time. Let's try:
cewl http://10.0.2.28:1898/?q=node/1 -w pass.txt
(8) I saved those usernames in usernames.txt and the wordlist in pass.txt. Now I use hydra to brute-force the SSH password.
hydra -L usernames.txt -P pass.txt -e nsr -f -t 4 ssh://10.0.2.28
The brute force succeeds. I got username: tiago and password: Virgulino
(9) I can log in with this username and password.
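As an added detection-side example (not part of the original write-up), here is a small Python script that spots the pattern a hydra run like the one above leaves in the target's sshd log: a burst of failed password attempts across several usernames from one source IP, followed by a successful password login from the same IP. The log lines, hostnames and IPs are constructed to mimic that run.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (not taken from the original write-up); they mimic
# what a hydra run leaves in /var/log/auth.log on the target machine.
SAMPLE_AUTH_LOG = """\
Apr 12 10:01:01 lampiao sshd[1201]: Failed password for invalid user eder from 10.0.2.15 port 51002 ssh2
Apr 12 10:01:01 lampiao sshd[1202]: Failed password for tiago from 10.0.2.15 port 51003 ssh2
Apr 12 10:01:02 lampiao sshd[1203]: Failed password for tiago from 10.0.2.15 port 51004 ssh2
Apr 12 10:01:02 lampiao sshd[1204]: Failed password for invalid user eder from 10.0.2.15 port 51005 ssh2
Apr 12 10:01:03 lampiao sshd[1205]: Failed password for tiago from 10.0.2.15 port 51006 ssh2
Apr 12 10:01:03 lampiao sshd[1206]: Accepted password for tiago from 10.0.2.15 port 51007 ssh2
Apr 12 10:05:00 lampiao sshd[1300]: Accepted publickey for tiago from 10.0.2.40 port 40010 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed password for X",
# as well as "Accepted password/publickey for X".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze_auth_log(text, threshold=3):
    """Return {ip: {"failures": n, "users": set, "accepted_after_failures": bool}}
    for every source IP with at least `threshold` failed password attempts.
    A burst of failures across several usernames followed by one accepted
    password from the same IP is the telltale wordlist brute-force signature."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "accepted_after_failures": False})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = stats[m["ip"]]
        if m["result"] == "Failed":
            entry["failures"] += 1
            entry["users"].add(m["user"])
        elif m["method"] == "password" and entry["failures"] > 0:
            entry["accepted_after_failures"] = True
    return {ip: e for ip, e in stats.items() if e["failures"] >= threshold}

if __name__ == "__main__":
    for ip, e in analyze_auth_log(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {e['failures']} failures, users={sorted(e['users'])}, "
              f"success after failures={e['accepted_after_failures']}")
```

The key-based login from a second address is deliberately left out of the result, which is the point: password-guessing noise is distinguishable from normal key authentication, so rate-limiting failed password logins or disabling password authentication entirely would have stopped this route in.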
2. Exploitation (Using Metasploit)
(10) A Metasploit search shows that there are already many exploits for Drupal.
(11) I am going to use drupalgeddon2 (entry 4 in the search output) because it has an excellent ranking.
use 4
set rhosts 10.0.2.28
set rport 1898
(12) After exploiting with the run command I got a shell, but it only has user privileges. I searched through the directories to see if I could find anything valuable, but there was nothing. There is a folder named tiago, but it is empty as well.
3. Privilege Escalation
(13) I tried to upload Linux Exploit Suggester, but I had no write permission.
(14) What if I upload it to the temporary (/tmp) directory? That works. After downloading it with wget, I changed its permissions and ran it.
(15) It reports that the OS is vulnerable to Dirty COW, a well-known kernel exploit.
(16) I downloaded exploit 40847. Then I renamed it to a C++ file and changed its permissions.
mv 40847 40847.cpp
chmod +x 40847.cpp
Then I compiled it. Remember to follow the compilation instructions given in the exploit itself. (Exploit-db link). Now I can run the exploit.
(17) I was getting an error when trying to switch to root with the root password (I cannot tell why), so I connected again over SSH using the root password. And I am root!
Note: privilege escalation is the same for both the SSH and the Metasploit routes, which is why I described it only once.