SickOs 1.2 (Vulnhub) – Complete Walkthrough and Guide

In this blog, I’ll be solving the SickOs 1.2 machine posted by D4rk.
The objective was to break in and read the flag kept under /root/7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
Attacker’s IP is 192.168.56.101.
So let’s start!

1. Started with netdiscover to locate the victim IP address. The victim was at 192.168.56.102.

2. Scanned for open ports using nmap and found ports 22 and 80 open. A lighttpd web server is running on port 80.
Tried searching for vulnerabilities using the revealed service banners. Found nothing significant.

3. Tried opening the URL http://192.168.56.102 and found a web page with Keanu’s image. Further ran dirb to check for hidden directories and found /test/ in the dirb results.

4. Quickly checked the folder permissions on the /test/ directory and got our first trail. The PUT method is enabled.

5. Took a PHP reverse shell script from here. Made some changes for IP and PORT. The IP was set to 192.168.56.101 (attacker’s IP) and the port was edited to 1337. Now let’s use curl to upload the shell, and it was a success.

6. Let’s locate the shell on the webpage and start a listening connection on port 1337 using netcat on the attacker’s machine. On executing the PHP script in the browser, no connection was received. I tried uploading a test shell <?php echo shell_exec($_GET['cmd']); ?> to check if PHP scripts are getting executed at all.


10. Again edited the PHP script and changed the connecting port to 9999. Still no reverse shell was received. After some time, I succeeded with port 443. This shows that the iptables/firewall allows outbound traffic on only selected ports. Hmm, interesting.

11. ‘uname -a’ revealed the kernel as Linux ubuntu 3.11.0-15-generic, but I didn’t find any privilege escalation exploit for the same. Then tried doing a sudo -i, which would let me run the shell with root user privileges. This gave me a message saying ‘stdin: is not a tty’. Okay... further I ran /bin/sh -i and Voot!!!!
I suddenly became the root.

12. It’s time to read the flag.

That’s all folks. Cya.
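
Steps 4 to 6 leave a recognisable trail in the web server's access log: a successful PUT of a script file into /test/, followed by a request for that same path. The following Python sketch is an added example, not part of the original post; it flags that sequence over constructed log lines, and the log layout, file names and timestamps are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in lighttpd's default access-log layout (assumed; not real logs).
SAMPLE_LOG = """\
192.168.56.101 192.168.56.102 - [10/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 163 "-" "Mozilla/5.0"
192.168.56.101 192.168.56.102 - [10/Jan/2024:10:02:11 +0000] "OPTIONS /test/ HTTP/1.1" 200 0 "-" "curl/7.88"
192.168.56.101 192.168.56.102 - [10/Jan/2024:10:03:40 +0000] "PUT /test/notes.txt HTTP/1.1" 201 0 "-" "curl/7.88"
192.168.56.101 192.168.56.102 - [10/Jan/2024:10:04:05 +0000] "PUT /test/shell.php HTTP/1.1" 201 0 "-" "curl/7.88"
192.168.56.101 192.168.56.102 - [10/Jan/2024:10:04:30 +0000] "GET /test/shell.php?cmd=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"
192.168.56.101 192.168.56.102 - [10/Jan/2024:10:05:02 +0000] "PUT /test/blocked.php HTTP/1.1" 403 345 "-" "curl/7.88"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
SCRIPT_EXT = (".php", ".phtml", ".php5", ".cgi", ".pl")  # extensions the server might execute


def find_upload_then_execute(log_text):
    """Return (severity, event, client, path) tuples for PUT uploads and later hits on them."""
    uploaded_scripts = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line, or the request was refused
        path = urlsplit(m["target"]).path  # drop the query string before comparing
        if m["method"] == "PUT":
            if path.lower().endswith(SCRIPT_EXT):
                uploaded_scripts.add(path)
                findings.append(("high", "script-upload", m["client"], path))
            else:
                findings.append(("info", "file-upload", m["client"], path))
        elif m["method"] in ("GET", "POST") and path in uploaded_scripts:
            findings.append(("critical", "uploaded-script-requested", m["client"], path))
    return findings


if __name__ == "__main__":
    for finding in find_upload_then_execute(SAMPLE_LOG):
        print(*finding)
```

Any "script-upload" finding means the directory accepts writes over HTTP and should have PUT disabled or script execution turned off for that path.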

References

  1. https://github.com/6odhi/myarsenal/blob/master/README.md
  2. http://pentestmonkey.net/tools/web-shells/php-reverse-shell
  3. https://www.vulnhub.com/author/d4rk,199/