A scan shows SSH and HTTP open
Going to the site shows a meme 2deep4me.
A Nikto scan reveals nothing and dirbuster reveals a directory called /test.
Going there shows just a blank index. A glance at my Workflowy list, reminds me to check the HTTP options.
curl -vX OPTIONS http://192.168.218.139/test
Looking at my cheatsheet shows a command to upload a file via curl.
curl --upload-file shell.php --url http://192.168.218.139/test/shell.php --http1.0
Using the PHP shell from Pentestmonkey, I upload my shell & set up my listener
But it actually gives back an error.
I know all too well about firewalls blocking, so I tried port 443 (because 80 was already in use by Firefox), it has to allow 443 right?
Luckily, I was right.
Time for some privilege escalation.
As always, the first thing I do is check the kernel and OS version.
However I couldn’t wget, as it wouldn’t connect, and I had to write scripts the hard way via cat >> exploit.c
I tried dirtyc0w, but it didn’t work and crashed the system. I then worked more off of my Workflowy list, which heavily includes g0tmilks guide to privilege escalation. I checked the version of chkrootkit, which showed version 0.49
Searching for an exploit for that version proved successful!
It will execute anything named “update” in the /tmp file
So, I create a simple file.
cat >> update
echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers
This adds www-data to the sudoers
Now I wait
and to the point where a few hours has gone by and I realized it’s not working. As usual, Murphy’s law applies, so I resort to my last hope: Metasploit. I don’t like using it, but I’ll have to. When I did searchsploit for chkrootkit I saw a ruby module for the exploit, so Metasploit has a module. I create my meterpreter payload
Set up the handler
Fire and forget
I then background that session and select the exploit
And now I wait some more.
Eventually I pop a root shell and cat the flag.
cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually. Thanks for giving this try.