7MS #197: Vulnhub Walkthrough - SickOS 1.2

Intro

The following is a semi-spoilerish walkthrough of the SickOS 1.2 VM from Vulnhub by @D4rk36.

Disclaimer

I'm intentionally not posting a full walkthrough for a few reasons:

  1. Full (and better) walkthroughs already exist online.

  2. By not posting the full details, it allows readers the chance to get just a little push in the right direction without ruining the entire challenge.

  3. I like to show my full thought process as I do a whole lot of stuff wrong before I start making good progress. We can both likely learn something from that :-)

Write-up

An NMAP scan will reveal port 22 and 80 open. I think it's fun just to load up hydra or another similar tool to bang on brute-forcing SSH while I explore other attack paths.

If you open the Web page on port 80, there's an awesome Keanu Reeves image with a meme about antivirus companies creating viruses to justify their own software. I did a dirb to find a subfolder to explore further. But it didn't produce any hot leads.

Whenever I get stuck like this, I'm reminded that I should slow down and back up to do further Web services enumeration. Use Nikto and other tools to figure out if the server is misconfigured in ways that could lower its security.

In doing this enumeration, it becomes apparent that the server will allow the uploading of files. Now I'm still trying to figure out the best Web shell(s) to use in situations like this, but a friend recommended I try b374k which you download and then compress into a single .php file with something like (this is not a spoiler - it's in the readme):

php -f index.php -- -o myShell.php -p APasswordIPick -s -b -z gzcompress -c 9

Then you can upload it with curl or another similar tool. Once uploaded, you can hit the .php file, enter your password, and get a really nice interactive Web shell that lets you upload/download files, get system info really quickly and easily, and even drop to a command prompt. From here, I found some users to go after in /etc/passwd so I adjusted my hydra attempts accordingly.

After searching around the system for a LONG time and coming up empty, I cheated and looked at another walkthrough for help. In doing so I came across a valuable tip: always check what cron jobs are running and also check what package versions are running in those commands. To do that:

dpkg -l | grep name-of-package-here

From there, my understanding is there are several paths to escalation/pwnage, but I leveraged a package + a cron job to add myself to sudoers file. Then it was game over!