This is a walkthrough of SickOS 1.1 found on VulnHub. The objective is to compromise the VM, gain root privileges, and find the flag. We need to treat this machine as a remote server, so we can’t use any kernel tricks here.
After booting the virtual machine, I needed to find the IP address of the box, so I did a simple ping sweep.
The IP address of the SickOS 1.1 server is 172.16.149.133. I knew this because the Kali VM IP address is 172.16.149.132. Now that I have the IP of the SickOS server I need to identify any open ports. Running an nmap scan of the host will give me the information I need to get started:
The results show that we have what looks like Squid Proxy Server open on port 3128 and SSH on port 22. Next I want to run a Nikto scan to look for any low-hanging fruit. Be sure to use the “-useproxy” flag so the scan runs through the proxy.
Some interesting results return from the Nikto scan. Here we can see that the “/cgi-bin/status” portion of the site is vulnerable to ShellShock. We will use this as an attack vector to exploit the server and gain access to the box. Open a second terminal window and establish a netcat listener.
Now we exploit ShellShock using curl.
After running the curl command, switch over to the terminal window that is running our Netcat listener. You should have been given a shell prompt.
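From the defender's side, the request that exploits a ShellShock-vulnerable CGI script leaves a recognisable trace in the web server's access log: the bash function-definition prefix `() {` in a request header such as User-Agent or Referer, or URL-encoded in the query string. The following detector is an added example, not code from the walkthrough or from SickOS; it parses Apache Combined Log Format lines (the sample lines are constructed, and the payload in them is the inert `echo` test string) and reports which source sent a ShellShock-shaped value and in which field.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional
from urllib.parse import unquote

# Apache Combined Log Format:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The bash function-definition prefix that ShellShock keys on. Whitespace is
# optional around the parentheses and brace, so match loosely.
_SHELLSHOCK = re.compile(r'\(\s*\)\s*\{')

# Constructed sample log lines (not real traffic captured from the VM).
# Line 2: payload in User-Agent; line 3: payload in Referer;
# line 6: the same prefix URL-encoded in the query string.
SAMPLE_LOG = """\
172.16.149.132 - - [10/Oct/2015:13:55:36 +0000] "GET / HTTP/1.1" 200 3021 "-" "Mozilla/5.0 (X11; Linux x86_64)"
172.16.149.132 - - [10/Oct/2015:13:56:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 612 "-" "() { :; }; echo benign-test"
172.16.149.132 - - [10/Oct/2015:13:56:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 612 "() { :;}; echo benign-test" "curl/7.38.0"
10.0.0.7 - - [10/Oct/2015:13:57:12 +0000] "GET /index.php HTTP/1.1" 200 1450 "-" "curl/7.38.0"
10.0.0.7 - - [10/Oct/2015:13:57:20 +0000] "GET /cgi-bin/status HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 - - [10/Oct/2015:13:58:02 +0000] "GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%20%7D%3B%20echo%20benign HTTP/1.1" 200 612 "-" "curl/7.38.0"
"""


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one Combined Log Format line, or None."""
    m = _COMBINED.match(line.strip())
    return m.groupdict() if m else None


def scan_for_shellshock(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per request whose User-Agent, Referer or (decoded)
    request path contains the ShellShock function-definition prefix."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        parts = rec["request"].split(" ")
        # Decode the request target so %28%29%20%7B is seen as "() {".
        path = unquote(parts[1]) if len(parts) >= 2 else rec["request"]
        candidates = {"agent": rec["agent"], "referer": rec["referer"], "request": path}
        for field, value in candidates.items():
            if _SHELLSHOCK.search(value):
                hits.append({"ip": rec["ip"], "path": path.split("?")[0],
                             "field": field, "payload": value})
                break  # one hit per request is enough
    return hits


def hits_by_source(hits: List[Dict[str, str]]) -> Counter:
    """Count hits per source address, for triage and blocking decisions."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan_for_shellshock(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['ip']} -> {h['path']} via {h['field']}: {h['payload']!r}")
    print("per source:", dict(hits_by_source(found)))
```

Two caveats for real deployments: the `() {` pattern can appear in legitimate traffic only very rarely, so a hit is a strong signal but still worth a glance before blocking, and access logs are written after the response, so this is a detection and triage aid; the mitigation is patching bash and not exposing CGI scripts that pass request headers into environment variables.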
Now that we have access on the box we need to gather some information. First I am going to check out the “/etc/passwd” file.
In the results we see that an account exists with the username “sickos”, a directory in “home”, and that the user has shell access on the box. Now I want to check out the “/etc/group” file for more information.
The results show that the user “sickos” is part of the “adm” group. This is indicative of the user being able to use the sudo command to access root. Armed with this info I am going to attempt to brute-force SSH to see if I can get the password. I figure I will let hydra run while I poke around the box looking for any further useful information.
I tried to get this started several times to no avail; it looks like something might be blocking it, so I am going to continue gathering information on the box. Because this server is acting as a web server, and web files are typically hosted in “/var/www”, I am going to change to that directory and list out all files.
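Whatever blocked hydra here, an SSH password-guessing run is loud in `/var/log/auth.log`: a burst of `Failed password` lines from one source, often across several usernames, and in the credential-reuse case that follows later in this walkthrough, an `Accepted password` from the same source shortly afterwards. The detector below is an added example, not part of the original post; it parses constructed sshd log lines (the timestamps, PIDs and the 10.0.0.x addresses are made up) and flags both the brute-force burst and a success that follows repeated failures from the same address.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Matches both failed and accepted sshd authentication events, e.g.
#   sshd[1201]: Failed password for sickos from 172.16.149.132 port 40112 ssh2
#   sshd[1203]: Failed password for invalid user admin from 10.0.0.7 port 1 ssh2
#   sshd[1300]: Accepted publickey for deploy from 10.0.0.8 port 52000 ssh2
_SSHD = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample auth.log lines (not taken from the VM).
SAMPLE_AUTH_LOG = """\
Oct 10 13:58:01 SickOs sshd[1201]: Failed password for sickos from 172.16.149.132 port 40112 ssh2
Oct 10 13:58:02 SickOs sshd[1201]: Failed password for sickos from 172.16.149.132 port 40112 ssh2
Oct 10 13:58:02 SickOs sshd[1203]: Failed password for invalid user admin from 172.16.149.132 port 40114 ssh2
Oct 10 13:58:03 SickOs sshd[1205]: Failed password for root from 172.16.149.132 port 40116 ssh2
Oct 10 13:58:03 SickOs sshd[1207]: Failed password for sickos from 172.16.149.132 port 40118 ssh2
Oct 10 13:58:04 SickOs sshd[1209]: Failed password for sickos from 172.16.149.132 port 40120 ssh2
Oct 10 14:05:30 SickOs sshd[1300]: Accepted password for sickos from 172.16.149.132 port 40200 ssh2
Oct 10 14:06:10 SickOs sshd[1310]: Failed password for sickos from 10.0.0.7 port 51000 ssh2
Oct 10 14:07:00 SickOs sshd[1320]: Accepted publickey for deploy from 10.0.0.8 port 52000 ssh2
"""


def parse_sshd_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Extract (result, method, user, ip) from each sshd auth line, in log order."""
    events = []
    for line in lines:
        m = _SSHD.search(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_by_source(events: List[Dict[str, str]]) -> Counter:
    return Counter(e["ip"] for e in events if e["result"] == "Failed")


def usernames_tried(events: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Usernames that each source failed to authenticate as (spray indicator)."""
    tried: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["result"] == "Failed":
            tried[e["ip"]].add(e["user"])
    return tried


def flag_bruteforce(events: List[Dict[str, str]], threshold: int = 5) -> List[str]:
    """Sources with at least `threshold` failed logins in the window examined."""
    return sorted(ip for ip, n in failures_by_source(events).items() if n >= threshold)


def success_after_failures(events: List[Dict[str, str]],
                           min_failures: int = 3) -> List[Tuple[str, str]]:
    """(ip, user) pairs where an Accepted login follows >= min_failures earlier
    failures from the same source: the 'guessing paid off' pattern."""
    seen: Counter = Counter()
    flagged = []
    for e in events:
        if e["result"] == "Failed":
            seen[e["ip"]] += 1
        elif seen[e["ip"]] >= min_failures:
            flagged.append((e["ip"], e["user"]))
    return flagged


if __name__ == "__main__":
    evs = parse_sshd_events(SAMPLE_AUTH_LOG.splitlines())
    print("brute-force sources:", flag_bruteforce(evs))
    print("usernames tried:", {ip: sorted(u) for ip, u in usernames_tried(evs).items()})
    print("success after failures:", success_after_failures(evs))
```

The thresholds are deliberately low for the sample; in production tune them to the window you scan, and pair the detection with rate limiting (fail2ban or sshd `MaxAuthTries`) and, where possible, key-only authentication so a leaked or reused password does not translate into a shell.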
Here we see a directory called “wolfcms” - this contains the website and configuration files. Within the “wolfcms” dir there is a file called “config.php.” These config files typically have database usernames, passwords, and configuration settings for the website, so I am going to take a look.
In “config.php” there is a database username and password. One thing about users is that they tend to use the same password everywhere, so let’s try it with SSH and the “sickos” user.
The SSH username and password worked! Since we know “sickos” is in sudoers, let’s switch to “root” and see what is in the “/root” directory.
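The two weaknesses this step relies on, plaintext database credentials sitting in a file any local account can read, and a password shared between the database and a login account, are both things an administrator can check for. The auditor below is an added example, not code from the walkthrough or from Wolf CMS; it writes a constructed `config.php` (the `define()` lines and the placeholder values are made up, not the real file from the VM), reports the file mode and which credential-bearing settings it contains without printing their values, and shows the same audit after the mode is tightened.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List, Tuple

# Settings that usually carry credentials in PHP config files: define()
# constants whose name contains PASS/PASSWORD/USER/SECRET, and plain
# variable assignments with similar names. Values must be quoted strings.
_CRED_PATTERNS = [
    re.compile(r"""define\(\s*['"](?P<key>[A-Z_]*(?:PASS|PASSWORD|USER|SECRET)[A-Z_]*)['"]"""
               r"""\s*,\s*['"][^'"]+['"]""", re.I),
    re.compile(r"""\$(?P<key>\w*(?:pass|password|user|secret)\w*)\s*=\s*['"][^'"]+['"]""", re.I),
]

# Constructed sample config (not the real wolfcms config.php from SickOS).
SAMPLE_CONFIG = """<?php
// Constructed sample for the audit example; placeholder values only.
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'example_user');
define('DB_PASS', 'example-placeholder-password');
define('TABLE_PREFIX', '');
define('USE_MOD_REWRITE', true);
$debug = false;
"""


def audit_config(path: str) -> Dict[str, object]:
    """Report the file mode, whether it is world-readable, and the names
    (never the values) of credential-bearing settings found in it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    keys: List[str] = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            for pat in _CRED_PATTERNS:
                m = pat.search(line)
                if m:
                    keys.append(m.group("key"))
                    break
    world_readable = bool(mode & stat.S_IROTH)
    findings: List[str] = []
    if world_readable:
        findings.append(f"config is world-readable (mode {oct(mode)})")
    if keys:
        findings.append("plaintext credential settings: " + ", ".join(keys))
    return {
        "path": path,
        "mode": oct(mode),
        "world_readable": world_readable,
        "credential_keys": keys,
        "findings": findings,
    }


def demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Audit the constructed config as commonly deployed (0644), then again
    after restricting it to owner and the web server's group (0640)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONFIG)
        os.chmod(path, 0o644)
        before = audit_config(path)
        os.chmod(path, 0o640)
        after = audit_config(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before["findings"])
    print("after: ", after["findings"])
```

Tightening the mode to 0640 with the web server's group as owner keeps the application working while denying the file to every other local account, which is exactly how the credentials were obtained here. The second finding is the one only policy can fix: a database password that is never reused for a login account is worth little to anyone who reads the file.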
Inside the “/root” directory is the flag, cat the file out and we have completed the objective!