SickOS 2

A scan shows SSH and HTTP opens1

Going to the site shows a meme 2deep4me.

s2

A  Nikto scan reveals nothing and dirbuster reveals a directory called /test.

Going there shows just a blank index. A glance at my Workflowy list, reminds me to check the HTTP options.

curl -vX OPTIONS http://192.168.218.139/test

s3

Allow PUT?

Looking at my cheatsheet shows a command to upload a file via curl.

curl --upload-file shell.php --url http://192.168.218.139/test/shell.php --http1.0

Using the PHP shell from Pentestmonkey, I upload my shell & set up my listener

s4s5

But it actually gives back an error.

s6

I know all too well about firewalls blocking, so I tried port 443 (because 80 was already in use by Firefox), it has to allow 443 right?

Luckily, I was right.s7

Time for some privilege escalation.

As always, the first thing I do is check the kernel and OS version.

s8

However I couldn’t wget, as it wouldn’t connect, and I had to write scripts the hard way via cat >> exploit.c

I tried dirtyc0w, but it didn’t work and crashed the system. I then worked more off of my Workflowy list, which heavily includes g0tmilks guide to privilege escalation. I checked the version of chkrootkit, which showed version 0.49

s9

Searching for an exploit for that version proved successful!

It will execute anything named “update” in the /tmp file

So, I create a simple file.

cat >> update
echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers

This adds www-data to the sudoers

Now I wait

and wait

and wait

and to the point where a few hours has gone by and I realized it’s not working. As usual, Murphy’s law applies, so I resort to my last hope: Metasploit. I don’t like using it, but I’ll have to. When I did searchsploit for chkrootkit I saw a ruby module for the exploit, so Metasploit has a module. I create my meterpreter payload

s13

Set up the handler

s14

Fire and forget

s15

I then background that session and select the exploit

s16

And now I wait some more.

Eventually I pop a root shell and cat the flag.

cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually.

Thanks for giving this try.

 

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: