Monday, June 11, 2018

SickOS 1.2


- Layout for this exercise:


- The goal of this exercise is the study of the hacking process for the vulnerable machine SickOS 1.2:

- SickOS 1.2 can be downloaded from here:,144/

- Once downloaded and extracted with VMware:


- Using netdiscover we notice that the only IP address on the local network assigned by VMware is, so it should correspond to the vulnerable machine SickOS 1.2:

- Scanning with Nmap:

- Connecting to the web service:

- Viewing the source there is nothing interesting:

- Scanning the web content with dirb:

- Going to the /test folder:

- curl shows that the PUT method is allowed, meaning that we can create a resource in the web folder /test:


- Using the -X option with the PUT method, let's try to create a simple text file and upload it to the web folder /test:

- Once we see that the upload is successful, let's try a trickier upload, for instance a cmd.php file useful for executing PHP code:

- Listing with ls -la:

- Opening /etc/passwd with cat:

- Using which, let's check whether netcat is available on the victim machine:
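From the defender's side, the PUT upload of cmd.php above is exactly what an Apache access log records. The following script is an added example, not part of the original post: it parses constructed combined-format log lines, flags any successful PUT that creates a script file under the web root, and lists the decoded requests that later hit that file. The log lines, IP address and paths are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (sample input, not from the post):
# an OPTIONS probe, a harmless text PUT, the cmd.php PUT, and two follow-up calls to it.
SAMPLE_LOG = """\
192.168.1.10 - - [11/Jun/2018:10:01:02 +0000] "GET /test/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.10 - - [11/Jun/2018:10:01:15 +0000] "OPTIONS /test/ HTTP/1.1" 200 0 "-" "curl/7.58.0"
192.168.1.10 - - [11/Jun/2018:10:01:30 +0000] "PUT /test/hello.txt HTTP/1.1" 201 0 "-" "curl/7.58.0"
192.168.1.10 - - [11/Jun/2018:10:02:05 +0000] "PUT /test/cmd.php HTTP/1.1" 201 0 "-" "curl/7.58.0"
192.168.1.10 - - [11/Jun/2018:10:02:20 +0000] "GET /test/cmd.php?cmd=ls%20-la HTTP/1.1" 200 812 "-" "curl/7.58.0"
192.168.1.10 - - [11/Jun/2018:10:03:00 +0000] "GET /test/cmd.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 1540 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Extensions the web server would hand to an interpreter; a PUT creating one is a web shell candidate.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx", ".cgi", ".pl", ".py", ".sh")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def find_webshell_uploads(log_text):
    """Flag successful PUTs that create script files, with the requests that later hit each file."""
    events = [r for r in map(parse_line, log_text.splitlines()) if r]
    findings = []
    for i, ev in enumerate(events):
        if ev["method"] != "PUT" or not ev["path"].lower().endswith(SCRIPT_EXT):
            continue
        if not 200 <= ev["status"] < 300:   # a 403/405 means the server refused the upload
            continue
        later = [x for x in events[i + 1:] if x["path"] == ev["path"] and x["method"] != "PUT"]
        findings.append({
            "uploader": ev["ip"], "path": ev["path"], "uploaded_at": ev["ts"],
            "hits": len(later),
            # Decoded query strings show what was passed to the uploaded script.
            "queries": [unquote(x["query"]) for x in later if x["query"]],
        })
    return findings
```

On the sample data only the cmd.php PUT is reported (the hello.txt PUT is not a script), together with the two decoded follow-up requests; the same function can be pointed at a real access log read from disk.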

3.1 - Exploiting with curl and netcat

- Taking this Python reverse shell and URL-encoding it (percent-encoding):

- Setting a listening session on port 443:

- Running the reverse shell with curl:

- A limited shell is achieved:

3.2 - Exploiting with Command Injection 

- Another alternative is injecting the Python script directly via the browser.

- First, setting a listening session on port 443:

- Passing the Python script directly via the browser:

- The limited shell is again achieved:

3.3 - Exploiting with Metasploit

- Setting a Metasploit handler session on port 443:

- Executing the reverse shell script via curl:

- A limited shell is achieved:

- Now, before starting the Privilege Escalation process, let's background this Metasploit session for later use:


- Following these directions for Privilege Escalation on a Linux machine:

- Searching for cron.daily:

- cron.daily runs an outdated version of chkrootkit:

- Looking for related vulnerabilities:

- Searching with Metasploit we find an exploit: 

- Setting options for the exploit:

- One of the required options is a session, which corresponds to session 1, backgrounded at point 3.2 of this exercise:

- Running the exploit, the Privilege Escalation is successful, as a root shell is achieved:


- Going to the /root folder: