SickOs 1.2 Walkthrough


You can find SickOs here.

Quick run-down:

  1. Service enumeration
  2. Check for any vulnerabilities
  3. Escalate to Root
  4. Get our flag 🙂

Exploit used:

  1. Chkrootkit 0.49

After seeing what is on my net, I began to do an Nmap scan on my target to see what kind of services are running. I see port 80 open so I head to the webpage to see what it has in store for me.

I was greeted with a meme. As a side note, this is what my resting face looks like 🙁

Inspecting the page source didn’t really reveal anything too obvious to me, so I downloaded the image to see if anything was maybe inside the image. No fruit.

As I was poking around, I decided to run a dirb scan on the page to see if anything fruitful would come out of it. A few seconds later, I learned there is a “/test/” directory. Su-WEET! I also ran a Nikto scan to see if anything would come out of that. Nikto brought nothing to me, but that is definitely a-okay.

Let’s take a look at what is in /test/

Here is where it took me a little while. I was searching Exploit-DB for lighttpd and Google for lighttpd 1.4.28 exploits. There were some older vulnerabilities, but not any for the version I was looking at. Banged my head a few times to see if maybe I had missed something so simple? BUT I WAS FINDING NOTHING. 

I looked in the page source and that had nothing as well. How fun. I decided to see what happens if maybe I can do a GET request using Netcat. The beauty of using that was after entering the request, it would hang. Grrrrrr…

Next thing I did was fire up Burp Suite and see if at least THAT would capture something. Indeed it did, however it was nothing too crazy or out of the norm. Also, I wanted to try more requests and not just watch them. What else can do requests?? I turned to cURL and read the help.

Finally!! I grabbed something interesting using cURL. The awesome thing was I was able to specify what type of request I wanted to make.

I immediately noticed “PUT”. So I uploaded a test file to see if it would work. It didn’t upload at first, so I tried uploading it using “HTTP/1.0”. That worked with great success 🙂

What next you may ask?? Well…let me tell you! I turned to my handy-dandy php-reverse-shell. Using the default port number wouldn’t work so I changed it to port 443. I set up my listener, went to my shell, and voila! I caught shell!

So after doing enumeration on the machine, we can see that there is a “chkrootkit” inside cron.daily. The interesting thing about this is that it’s version 0.49. According to Exploit-DB, if you place a file called “update” in /tmp, chkrootkit will run it with root privileges. Very nice.

Sooo…let’s escalate our privs!

First thing I did was create a little, stupid simple program that sets the setgid and setuid and then spawns a shell. After this, I take advantage of update to set root ownership of this simple, yet deadly binary that will allow me to run it >:D

If all goes well, I will now have a simple tool of mass destruction waiting for me in /tmp.

Now, after waiting a minute or so…it’s time to check!

Great success!!
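
From the defender's side, the conditions this escalation depends on are easy to audit for. The script below is an added example, not part of the original walkthrough or of chkrootkit; the function name, the `ROOT` prefix argument, the `/usr/sbin/chkrootkit` install path and the `CHKROOTKIT_VERSION='0.49'` version line it greps for are assumptions.

```shell
#!/bin/sh
# Added example: audit for the conditions this walkthrough relies on.
# ROOT is a path prefix (hypothetical parameter): "/" for the live host,
# or the root of a mounted image / constructed test tree.

audit_chkrootkit_tmp() {
    root="${1%/}"
    findings=0
    bin="$root/usr/sbin/chkrootkit"   # assumed install path (Debian/Ubuntu)

    # chkrootkit scheduled in cron.daily means it runs as root every day.
    if [ -e "$root/etc/cron.daily/chkrootkit" ]; then
        echo "INFO chkrootkit is scheduled in cron.daily"
        # Assumption: the script records its version as CHKROOTKIT_VERSION='x.y'.
        if [ -f "$bin" ] && grep -q "CHKROOTKIT_VERSION='0\.49'" "$bin"; then
            echo "FINDING chkrootkit 0.49 runs from cron.daily: upgrade it"
            findings=$((findings + 1))
        fi
    fi

    # Version 0.49 will run a file named "update" in /tmp as root.
    if [ -e "$root/tmp/update" ]; then
        echo "FINDING $root/tmp/update exists: $(ls -ld "$root/tmp/update")"
        findings=$((findings + 1))
    fi

    # setuid/setgid files have no business living in /tmp.
    if [ -d "$root/tmp" ]; then
        suid=$(find "$root/tmp" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
        if [ -n "$suid" ]; then
            echo "FINDING setuid/setgid files under /tmp:"
            echo "$suid"
            findings=$((findings + 1))
        fi
    fi

    echo "findings=$findings"
    [ "$findings" -eq 0 ]   # exit status 0 only when nothing was found
}

# Usage on a live host:  audit_chkrootkit_tmp /
```

The function returns non-zero when anything is flagged, so it can be dropped into a cron job or a CI check on a machine image.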

All there is to do now is navigate to root folder and retrieve our flag!!

This was an awesome, frustrating, and amazing VM brought to you by D4rk! Thanks man!! That was a great one and I hope to see more coming!
