SickOS 1.1 Walkthrough
SickOS is a Vulnhub machine created by D4rk and can be downloaded at the following link: https://www.vulnhub.com/entry/sickos-11,132/
The first thing I decided to do was find my own IP address, which was 10.0.2.15. I did this so that I could figure out the subnet mask and the network ID and then conduct a scan.
Next, I conducted a scan using the information I had just learned and the tool netdiscover:
#netdiscover -r 10.0.2.0/24 -i eth0
From here I was able to understand that the IP address of the SickOS machine was either 10.0.2.3 or 10.0.2.4; I knew this because the first two IP addresses are used by VirtualBox. I decided to try 10.0.2.4 first because it was the last one detected.
I then conducted an nmap SYN scan with a higher timing template so that I could get my scan results back faster, and to my luck my guess was correct: the IP address of the host was 10.0.2.4.
After running the first scan, I felt I did not have enough information to continue, so I ran an nmap scan again with the following command:
#nmap -v -A 10.0.2.4
That way I could grab more information about the host that I am attacking.
After realizing that an http-proxy server had been set up on port 3128, I decided to access the webpage through it.
After receiving this page, I honestly ran into a dead end. There was nothing in the source code to suggest any vulnerabilities, so I decided to try my old friend robots.txt.
To my surprise, I found the path /wolfcms. After typing it into the URL:
This was what displayed.
After crawling around for a bit, I found the following page.
Next, I came across an important hint, which suggested that a user named Administrator exists and that a portal for editing the site might be present.
After doing a quick Google search I realized that Wolf CMS has an online portal, and after typing the URL:
I was redirected to the following site.
At first I tried the login credentials administrator / admin, but this didn't work, so instead I tried admin / admin, and it worked! I don't know, however, what the /?/ after /wolfcms/ means, so I am hoping it doesn't prevent any exploitation.
I now decided that my best chance of gaining root access would be to exploit a file upload and hope to gain a reverse shell. However, I am still uncertain whether the /?/ will have any effect; hopefully it won't!
After creating a simple PHP script that attempts to connect back to my IP address on port 9000, I went back to the web portal in the hope of uploading this file.
It turns out that Wolf CMS has an entire public directory from which it pulls the content for its websites. After finding the file upload button, I chose the images directory, as I assumed that an images directory would be less likely to have file extension filtering, and began the upload process.
My file uploaded successfully! I then decided to access this path after logging out of the portal, hoping to execute the script.
Before running the script, though, it is important that I set my computer to listen for incoming connections, so that the connection can be successfully made.
I now have a reverse shell on the server, but I still need to find a way to escalate privileges and gain root access.
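A defender-side check that follows from this step, added here and not part of the original walkthrough: a small Python scanner that walks a CMS upload directory such as wolfcms/public/images and flags server-side scripts, double extensions like name.php.jpg, handler override files, and "images" whose bytes are really PHP. The extension, magic-byte lists and sample files are assumptions constructed for the example.

```python
"""Flag files that should never live in a web-accessible upload directory.
Added defensive example; extension and magic lists are assumptions."""
import os
import re

# Extensions a typical web server will execute if reachable over HTTP.
SCRIPT_EXTS = {".php", ".phtml", ".php3", ".php5", ".phar", ".cgi", ".pl"}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif"}
# Bytes a genuine image of each type must start with.
IMAGE_MAGIC = {".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
               ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def classify_file(name, head):
    """Return a reason string if `name` (with first bytes `head`) is
    suspicious in an upload directory, else None."""
    base = name.lower()
    if base == ".htaccess":
        return "handler override file in upload directory"
    ext = os.path.splitext(base)[1]
    # shell.php.jpg: a script extension hidden before the final extension.
    inner = base.split(".")[1:-1]
    if any("." + p in SCRIPT_EXTS for p in inner):
        return "script extension hidden before final extension"
    if ext in SCRIPT_EXTS:
        return "server-side script in upload directory"
    if ext in IMAGE_EXTS:
        if PHP_TAG.search(head):
            return "PHP open tag inside supposed image"
        if not head.startswith(IMAGE_MAGIC[ext]):
            return "image extension but wrong magic bytes"
    return None


def scan_upload_dir(root, head_len=512):
    """Walk `root` and return [(relative_path, reason)] for suspicious files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                head = fh.read(head_len)
            reason = classify_file(fname, head)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return findings


# Constructed samples standing in for files found under public/images.
SAMPLES = {"logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
           "shell.php": b"<?php echo 'hello'; ?>",
           "cat.jpg": b"<?php echo 1; ?>",
           "photo.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8}


def scan_samples():
    """Classify the constructed samples; returns {name: reason} for hits."""
    hits = {n: classify_file(n, b) for n, b in SAMPLES.items()}
    return {n: r for n, r in hits.items() if r}
```

Run `scan_upload_dir("/var/www/wolfcms/public/images")` (path assumed) from cron or a file-integrity job and alert on any non-empty result.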
Next, I decided to search through the files on the server to piece together any information that could help me gain root access. It turns out that the website runs an SQL database, and after examining the config.php file I found the database username and password.
I then tried to escalate my privileges to gain root access, but it turned out that I had to run the command through a terminal. I was not certain what exactly that meant, so instead I accessed the /etc/passwd file to check which accounts existed.
After receiving the file output, I noticed that two login accounts work: one for root and one for sickos. I then disconnected, as I assumed that I must have connected incorrectly, and began the session again, but I was still unable to switch users. After doing some research, I learned that I had been spawning the shell incorrectly, so I used Python to spawn a shell with a TTY so that I could interact with the system properly.
As expected, the command to change users then worked, and to my surprise the database password was also the password for the sickos user!
After searching around for a bit in the root directory, I found this message.