How I pwned your server

I didn't use Metasploit or any vulnerability scanner.

Perhaps you are anticipating that it took a lot of effort or expertise, but it didn't, because after CNIT127 p13x I had access to a shell on your server.

With a shell, I could look at the software you used on your system, and I found that you were using Ubuntu 14.04 LTS (I think by running lsb_release -a), and also the kernel version from uname -a:

Linux 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

This kernel was released in April 2014, which is very old, and lots of vulnerabilities have been found since and fixed in newer versions. Whoops? Did you intentionally not update it?

It took very little searching (perhaps 3 minutes?) before I found the following exploit on exploit-db:
After reading the comments in the exploit, I knew the versions you were running were vulnerable, so I thought it would work.

I compiled the file on my local machine, converted to base64, copied & pasted it into my shell into a text editor, saved in /tmp/{somefilename} decoded from base64 back to binary, ran chmod +x, and executed.

It didn't work, I got the following error (or one very similar to it):

gcc: error trying to exec 'cc1': execvp: No such file or directory

I had to investigate for a couple of minutes, and I found that this was a PATH issue, so I found where cc1 was on your server, and passed a modified PATH variable with path to cc1 to the program, and then it worked! I had a root shell.

Closing thoughts:

1) This was made much easier by the fact that I had a shell on your server thanks to CNIT127 p13x.
2) If you don't keep your server packages up-to-date, it's trivial to use a publicly available privilege escalation exploit to become root.

Posted 11-5-15 by Sam Bowne, from an email sent to me by axi0mX