7MS #182: Vulnhub Walkthrough - SickOs
Intro
The following is a semi-spoilerish walkthrough of the SickOs VM from Vulnhub by D4rk.
It has (as best I can tell) a sequential pwnage path, meaning that I think you could read this write-up in order and not prematurely ruin any surprises.
Disclaimer
I'm intentionally not posting a full walkthrough with all the juicy details for a few reasons:
- Full (and better) walkthroughs already exist online.
- By not posting the full details, it allows you the chance to get just a little push in the right direction without ruining the entire challenge.
- I like to show my full thought process as I do a whole lot of stuff wrong before I start making good progress. We can both likely learn something from that :-)
Write-up
An Nmap scan revealed port 22 open, so I started brute-forcing that just for fun :-). There was a secondary port open which, upon exploration, looked to be a proxy of sorts that I could use for deeper scanning.
At this point, the next bit of recon required learning how to pipe various tools through the proxy to get clean results. By using a combination of vulnerability scanners and Web crawlers, I discovered additional content pointing to several possible attack vectors. One was a packaged content management system that looked to have some weaknesses if a valid account was available.
However, I went with what looked to be the path of least resistance - a published vulnerability with a fairly straightforward exploit path. When I failed at using Metasploit through the proxy, I tried another URL-fetching tool with some proxy settings, and that got me my initial shell.
With the initial shell I went back through the content management system and discovered a key username/password combination in one of the system files. I tried to use it to sudo as a local account but the creds failed. However, after enumerating the users actually residing on the system, the username/password combination still proved to be of value.
From there, only one step remained to get root. After running privesc scripts and looking for kernel-level exploits or other advanced attacks, I went back to enumerating the basics. Then the answer was easy - and right in front of me :-)