Vulnhub SickOs 1.2 – Walkthrough

by Harish Tiwari
04/09/2017

In this blog, I’ll be solving the Sick OS 1.2 machine posted by D4rk.
The objective was to break in and read the flag kept under /root/7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
Attacker’s IP is 192.168.56.101
So let’s start!!!

1. Started with netdiscover to locate the victim IP address. Victim was at 192.168.56.102.

2. Scanned for open ports using nmap and found ports 22 and 80 open. A lighttpd web server is running on port 80.
Tried searching for vulnerabilities using the revealed service banners. Found nothing significant.

3. Tried opening the URL http://192.168.56.102 and found a web page with Keanu’s image. Further ran dirb to check for hidden directories and found /test/ in the dirb results.

4. Quickly checked the folder permissions on the /test/ directory and got our first trail. The PUT method is enabled.

5. Took a PHP reverse shell script from here. Made some changes for IP and PORT. IP was set to 192.168.56.101 (attacker’s IP) and port was edited to 1337. Now let’s use curl to upload the shell, and it was a success.

6. Let’s locate the shell on the webpage and start a listening connection on port 1337 using netcat on the attacker’s machine. On executing the PHP script in the browser, no connection was received. I tried uploading a test shell <?php echo shell_exec($_GET['cmd']); ?> to check if PHP scripts are getting executed at all.


10. Again edited the PHP script and changed the connecting port to 9999. Still no reverse shell was received. After some time, I succeeded with port 443. This shows that the iptables/firewall allows outbound traffic on only selected ports. Hmm, interesting.

11. ‘uname -a’ revealed the kernel as Linux ubuntu 3.11.0-15-generic, but I didn’t find any privilege escalation exploit for the same. Then tried doing a sudo -i, which would let me run the shell with root user privileges. This gave me a message saying ‘stdin: is not a tty’. Okay .. further I ran /bin/sh -i and Voot !!!!
I suddenly became root.

12. It’s time to read the flag.

That’s all folks.
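
Steps 4 to 6 leave a recognisable trace in the web server's access log: a successful PUT of a script into /test/ followed by a request for the same path. The following is an added example, not part of the original walkthrough, of detection logic for that pattern; the log lines are constructed and assumed to be in combined log format, and the function and field names are hypothetical.

```python
import re

# Constructed sample lines, assumed to be in combined log format.
SAMPLE_LOG = """\
192.168.56.101 - - [04/Sep/2017:10:01:02 +0000] "GET /test/ HTTP/1.1" 200 512 "-" "curl/7.52"
192.168.56.101 - - [04/Sep/2017:10:01:40 +0000] "OPTIONS /test/ HTTP/1.1" 200 0 "-" "curl/7.52"
192.168.56.101 - - [04/Sep/2017:10:02:10 +0000] "PUT /test/shell.php HTTP/1.1" 201 0 "-" "curl/7.52"
192.168.56.101 - - [04/Sep/2017:10:02:30 +0000] "GET /test/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.56.50 - - [04/Sep/2017:10:03:00 +0000] "PUT /test/notes.txt HTTP/1.1" 201 0 "-" "curl/7.52"
192.168.56.50 - - [04/Sep/2017:10:03:05 +0000] "PUT /upload/x.php HTTP/1.1" 403 0 "-" "curl/7.52"
192.168.56.50 - - [04/Sep/2017:10:03:09 +0000] "GET /upload/x.php HTTP/1.1" 404 0 "-" "curl/7.52"
"""

# client IP, timestamp, method, URL, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SCRIPT_EXT = (".php", ".phtml", ".cgi", ".pl")  # extensions the server may execute


def find_http_uploads(log_text):
    """Report files written with PUT; escalate when an uploaded script is later requested."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line is not in the assumed format
        ip, ts, method, url, status = m.groups()
        if not status.startswith("2"):
            continue  # rejected uploads and failed fetches are ignored
        path = url.split("?", 1)[0]
        if method == "PUT":
            is_script = path.lower().endswith(SCRIPT_EXT)
            findings[path] = {"path": path, "uploader": ip, "time": ts,
                              "severity": "medium" if is_script else "low",
                              "fetched_by": []}
        elif method in ("GET", "POST") and path in findings:
            finding = findings[path]
            finding["fetched_by"].append(ip)
            if finding["severity"] == "medium":
                finding["severity"] = "high"  # uploaded script was then requested
    return sorted(findings.values(), key=lambda f: f["path"])


if __name__ == "__main__":
    for f in find_http_uploads(SAMPLE_LOG):
        print(f["severity"], f["path"], "uploaded by", f["uploader"],
              "fetched by", f["fetched_by"])
```

Any "low" finding still shows that a directory is writable over HTTP, which is the condition that step 4 identified.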
