In this post I’m going to show you how to solve the SickOS VM provided by D4rk.
Thanks to Vulnhub for keeping me busy with all these challenges, and thanks to everyone that hosts new challenges.
This challenge involves various hacking techniques.
First step: INFORMATION GATHERING
The description provided on Vulnhub says that the machine will have an IP assigned automatically, so this is the situation:
A port scan on the victim host gives this:
I see that there’s a Squid proxy running on the server and an HTTP proxy, apart from the open SSH port.
I visit the URL http://192.168.56.105:80 through the proxy http://192.168.56.105:3128, and this is what I see:
Second step: VULNERABILITY SCAN
I start a vulnerability scan with nikto to find vulnerabilities on the website:
I also spider the website with Burp Suite and I find a hidden file robots.txt with the following content:
The URL http://192.168.56.105/wolfcms gives this:
Third step: EXPLOITATION
The website is vulnerable to ShellShock, so I configure Burp Suite to send requests via the proxy http://192.168.56.105:3128. I set up netcat to listen on local port 443, and then I send a command to bind a reverse shell to my local machine:
On local machine:
On remote machine I send a GET request injecting the reverse shell command into the User-Agent field:
and a reverse shell is on my local machine.
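A defender's view of the request above, as an added example that is not part of the original post: a scan of Apache combined-format access logs for the bash function-definition prefix `() {` that ShellShock payloads place in header fields such as User-Agent. The log lines, the CGI path and the function name `find_shellshock` are constructed for illustration.

```python
import re

# Apache "combined" access-log layout; quoted fields may contain \" escapes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)
# ShellShock payloads start a header value with a bash function definition, "() {".
SIGNATURE = re.compile(r'\(\)\s*\{')

# Constructed sample log lines (not from the original post); the CGI path is a placeholder.
SAMPLE_LOG = [
    '192.168.56.1 - - [01/Jan/2016:10:00:00 +0000] "GET / HTTP/1.1" 200 21 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.168.56.105 - - [01/Jan/2016:10:00:05 +0000] "GET /cgi-bin/placeholder HTTP/1.1" 200 197 "-" "() { :; }; echo constructed-sample"',
    '192.168.56.1 - - [01/Jan/2016:10:00:09 +0000] "GET /robots.txt HTTP/1.1" 200 45 "(){ :;}; echo constructed-sample" "curl/7.47.0"',
    'truncated line with () { marker and no closing quote "',
]


def find_shellshock(lines):
    """Return (line_number, client, field) for every field carrying the signature."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = COMBINED.match(line.strip())
        if match is None:
            # Do not let a malformed line hide a payload: fall back to a raw scan.
            if SIGNATURE.search(line):
                findings.append((number, None, "raw"))
            continue
        client, _time, request, _status, referer, agent = match.groups()
        for field, value in (("request", request), ("referer", referer), ("user-agent", agent)):
            if SIGNATURE.search(value):
                findings.append((number, client, field))
    return findings


if __name__ == "__main__":
    for number, client, field in find_shellshock(SAMPLE_LOG):
        print(f"line {number}: function-definition prefix in {field} (client {client})")
```

When requests arrive through a proxy, as they do here, the web server logs the proxy's address as the client, so a hit needs to be correlated with the proxy's own access log to find the real source.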
I spawn a shell and start wandering around, and I find some tasty information in the /var/www/wolfcms/config.php file:
I try to use the password for the root user, but it does not work, so I have a look at the /etc/passwd file and I find the user sickos.
I try to log in as user sickos with the password john@123 and I’m in, and sickos is also a sudoer.
So, time to get the flag.
As usual, for any information or comment, please do not hesitate to leave a comment.