SickOS 1.1 Walkthrough

Kamran Saifullah
Apr 11, 2018

Hi,

I was out due to my hectic schedule. I just got a break from my hectic routine, so I thought I would try one more vulnerable machine from VulnHub. This time I tried to exploit SickOS 1.1, which can be downloaded from:

https://www.vulnhub.com/entry/sickos-11,132/

We all know that for VulnHub machines you have to find the IP address of the target machine on your own, and for that we have a command known as netdiscover. So quickly run:

netdiscover -i eth0

eth0 is my interface at the moment. Once we have the IP address, the next step is always to find which services, along with their versions, are running on the target machine. Nmap also allows us to check for vulnerabilities associated with the service versions in use, and for that the Nmap Scripting Engine (NSE) plays its part.

nmap -Pn -T4 -A <target IP>

From the results we can conclude that 2 ports are up and running.

Port 22 — SSH — OpenSSH 5.9p1

Port 3128 — Proxy — Squid http proxy 3.1.19

Port 80, however, is closed. Ohkay. So it’s clear that we can access the website via the proxy port. Hmmm. Let’s check whether we can open it in the browser or not.

Doesn’t seem to be working. Ohkayy for now. Let’s try Nikto to check for directories and vulnerabilities via the proxy.

nikto -h 192.168.97.129 --useproxy http://192.168.97.129:3128

Now it’s clear that the Shellshock vulnerability exists. Let’s try opening the directory which is vulnerable to Shellshock. No, we can’t open it directly. Now we will set a manual proxy in the browser to access the host.

Once we are done with this, we can access the directories as well as the host.
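Seen from the defender's side, reaching the closed port 80 through Squid leaves a trace in the proxy's own access log. The following is an added example, not part of the original post: it scans Squid's native access.log layout for served requests whose destination is the proxy host itself. The log lines are constructed samples (client addresses included), and the function names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1523440001.101     12 192.168.97.128 TCP_MISS/200 1520 GET http://192.168.97.129/robots.txt - DIRECT/192.168.97.129 text/plain
1523440002.230     40 192.168.97.128 TCP_MISS/200 310 GET http://192.168.97.129/cgi-bin/status - DIRECT/192.168.97.129 text/html
1523440003.007     95 192.168.97.50 TCP_MISS/200 48211 GET http://example.org/ - DIRECT/203.0.113.10 text/html
1523440004.412      8 192.168.97.128 TCP_MISS/200 2210 GET http://127.0.0.1/wolfcms/ - DIRECT/127.0.0.1 text/html
1523440005.900      0 192.168.97.50 TCP_DENIED/403 3500 CONNECT example.org:443 - NONE/- text/html
"""


def is_local_target(host, own):
    """True if host is loopback or one of the proxy machine's own addresses."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # DNS name or "-": not decidable from the log line alone
    return ip.is_loopback or ip in own


def self_proxy_hits(log_text, own_addrs):
    """Return (client, method, url) for served requests aimed at the proxy host."""
    own = {ipaddress.ip_address(a) for a in own_addrs}
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10 or f[3].startswith("TCP_DENIED"):
            continue  # malformed line, or Squid already refused the request
        client, method, url, peer = f[2], f[5], f[6], f[8]
        if method == "CONNECT":
            host = url.rsplit(":", 1)[0].strip("[]")  # CONNECT logs host:port
        else:
            host = urlsplit(url).hostname or ""
        peer_ip = peer.partition("/")[2]  # "DIRECT/1.2.3.4" -> "1.2.3.4"
        if is_local_target(host, own) or is_local_target(peer_ip, own):
            hits.append((client, method, url))
    return hits


if __name__ == "__main__":
    for client, method, url in self_proxy_hits(SAMPLE_LOG, ["192.168.97.129"]):
        print(f"{client} reached the proxy host itself: {method} {url}")
```

The matching preventive control in Squid is an `http_access deny` rule on a `dst` ACL covering the same addresses.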

Nothing is here. On checking the /cgi-bin/status we got the kernel version and OS details.

Ohkay!! Now let’s check what’s in the robots.txt file.

Now let’s try opening /wolfcms, and what I got is this:

I tried looking for any clues in the wolfcms and found one when I clicked the Articles RSS Feed.

See the URL. I have always been curious to look for admin panels, as I knew there is always an admin panel when it comes to a CMS. So I simply added admin to the URL and found this:

Hmmm. Well now what?

Let’s try the default credentials of every admin panel:

admin : admin

OOPS we are in. Now what?

Let’s find a place to upload a shell, so that we can make a reverse connection back to our system to gain root access. We can see the FILES tab in the screenshot. That’s the place where we can upload our shell.

Now, first we need a PHP reverse shell to upload. Pentest Monkey is always there to help.

http://pentestmonkey.net/tools/web-shells/php-reverse-shell

I moved into /public and uploaded the PHP shell.

Now it’s time to access the PHP reverse shell. The first thing is to edit the PHP file so that we can set our IP address and port, and at the same time we will be using netcat to listen for incoming connections on that port. That’s it.

Now it’s time for the netcat.

Beep! We got the reverse shell. Now there ain’t any need to look for files here and there, because we already know that the shell we got is limited. Now what? The wolfcms is in /var/www/wolfcms. Let’s list the files, and we got what we were looking for.

The config.php file. Simply look at what’s inside the file for the username and password.

Here we go. We have now got the MySQL username and password. Seems interesting. We also know that the SSH service was running. Why don’t we give it a try? I tried to log in via SSH using root as the username, but that wasn’t it. Meanwhile I thought to try the name of the machine itself, and you know what, it worked using the password we found in the config.php file.

From here onward I tried to move into directories, but I got permission denied. That means we do not have root privileges. I remember using the sudo su command before. It is used to change the login session ownership to another user. Simply set the user to root and bingo, we have root access now.

Now moving into the root directory.

Listing all the files and then looking at what’s inside the txt file.

Bingo! We have successfully completed SickOS 1.1.

I hope you enjoyed the walkthrough.

Best Regards,

Kamran Saifullah
