SICKOS 1.2
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is the study of the hacking process for the vulnerable machine SickOS 1.2:
- SickOS 1.2 can be downloaded from here:
https://www.vulnhub.com/entry/sickos-12,144/
- Once downloaded and extracted with VMware:
2 - ENUMERATION
- Using netdiscover we notice that the only other IP address on the VMware local network is 192.168.1.16, so it should correspond to the vulnerable machine SickOS 1.2:
- Scanning with Nmap:
- Connecting to the web service:
- Viewing the source there is nothing interesting:
- Scanning the web content with dirb:
- Going to the /test folder:
- curl shows that the PUT method is allowed, meaning that we can create a resource at the web folder /test:
3 - EXPLOITATION
- Using the -X option with the PUT method, let's try to create a simple text file and upload it to the web folder /test:
- Once we see that the upload is successful, let's try some more tricky uploads, for instance creating a cmd.php file that can be used to execute PHP code:
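As an added defensive example (not part of the original walkthrough), the same behaviour seen from the server side: a small Python parser over constructed Apache-style access-log lines that flags accepted write methods (PUT, DELETE, MOVE), highlights writes of script extensions such as .php, and correlates later requests to a file that was written this way. The log lines and the 10.0.0.x addresses are constructed placeholders.

```python
import re
from collections import namedtuple

# Apache "combined"-style access log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (placeholder hosts), mirroring the PUT-to-/test pattern above.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2016:12:00:01 +0000] "OPTIONS /test/ HTTP/1.1" 200 -
10.0.0.5 - - [10/Apr/2016:12:00:02 +0000] "PUT /test/hello.txt HTTP/1.1" 201 0
10.0.0.5 - - [10/Apr/2016:12:00:03 +0000] "PUT /test/cmd.php HTTP/1.1" 201 0
10.0.0.5 - - [10/Apr/2016:12:00:04 +0000] "GET /test/cmd.php?cmd=ls HTTP/1.1" 200 512
10.0.0.9 - - [10/Apr/2016:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 163
10.0.0.9 - - [10/Apr/2016:12:00:06 +0000] "PUT /test/x.php HTTP/1.1" 405 0
"""

Finding = namedtuple("Finding", "ip method path status reason")
WRITE_METHODS = ("PUT", "DELETE", "MOVE")
SCRIPT_EXT = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx", ".cgi", ".pl", ".py")

def scan_log(text):
    """Return a list of Findings for accepted write methods and follow-up hits on written files."""
    findings = []
    written = set()  # paths successfully written by a client in this log window
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        method, path, status = m["method"], m["path"], int(m["status"])
        base = path.split("?", 1)[0]  # drop the query string before checking the extension
        if method in WRITE_METHODS and 200 <= status < 300:
            written.add(base)
            reason = "write method accepted"
            if base.lower().endswith(SCRIPT_EXT):
                reason = "script file written via " + method
            findings.append(Finding(m["ip"], method, path, status, reason))
        elif base in written and method in ("GET", "POST"):
            # A request to a file that was just written is the typical execution step.
            findings.append(Finding(m["ip"], method, path, status, "request to file written earlier"))
    return findings
```

Rejected attempts (the 405 line) are deliberately not reported, so the output is the set of writes the server actually accepted.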
- Listing with ls -la:
- Opening /etc/passwd with cat:
- Using which, let's discover whether netcat is available on the victim machine:
3.1 - Exploiting with curl and netcat
- Taking advantage of this Python reverse shell, and encoding it with percent-encoding:
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://en.wikipedia.org/wiki/Percent-encoding
- Setting a listening session on port 443:
- Running the reverse shell with curl:
- A limited shell is achieved:
3.2 - Exploiting with Command Injection
- Another alternative would be injecting the Python script directly via the browser.
- First, setting a listening session on port 443:
- Passing the Python script directly via the browser:
- The limited shell is again achieved:
3.3 - Exploiting with Metasploit
- Setting a Metasploit handler session on port 443:
- Executing the reverse shell script via curl:
- A limited shell is achieved:
- Now, before starting the Privilege Escalation process let's background this Metasploit session for later use:
4 - PRIVILEGE ESCALATION
- Following these directions for Privilege Escalation on a Linux machine:
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
- Searching for cron.daily:
- cron.daily uses an outdated version of chkrootkit:
- Looking for related vulnerabilities:
- Searching with Metasploit we find an exploit:
- Setting options for the exploit:
- One of the required options is a session, which corresponds to session 1 backgrounded at point 3.2 of this exercise:
- Running the exploit, the Privilege Escalation is successful because a root shell is achieved:
5 - CAPTURING THE FLAG
- Going to the /root folder: