SickOS1.2 Walkthrough
SickOS was, at the time of this writing, the latest and greatest VM on Vulnhub. I had earlier worked through this VM to prepare myself for PWK while I was still waiting for my turn in the labs, and decided recently to do my write-up of how I got in.
You can find the VM here: https://www.vulnhub.com/entry/sickos-12,144/
First we start with an nmap scan and get 2 open ports, SSH and HTTP (22 and 80).
I decided to start by poking port 80 first. Visiting the webpage we get presented with an image of Keanu Reeves! Next I decided to run a Dirb and see what else was in there. Lo and behold a "test" directory!
Visiting the test directory we get presented with an empty directory. My first thought is: if that directory is writable and PUT is enabled on this webserver, I could upload arbitrary PHP files to gain a shell!
Running curl -X OPTIONS -vv doesn't return the available methods, so I decide to go through them one by one. First I try -X PUT and see if that works, which it does without error! Now let's try -X PUTF (a bogus method) and see how that works out: it fails, which means we are getting the expected behaviour and PUT seems to be enabled after all!
Next I did some research and found that with the -T option you can upload files with curl to a writable directory using PUT. The first attempt fails with a strange error: "Expectation Failed".
I did some research and found that what's happening is that this webserver seems to work only with HTTP/1.0, while curl defaults to HTTP/1.1. Looking further, I found this page http://www.xinotes.net/notes/note/1881/ which suggests the -0 flag makes curl use HTTP/1.0, and success! Our file was uploaded and we have RCE!
Now this next part was a bit tricky. I tried a PHP reverse shell script and used my cmd.php RCE script to make a connect-back, and nothing seemed to work. I thought maybe the firewall was blocking port 444 (which is the port I was using) and decided to try a port that is more likely to be allowed out, such as 80 or 443, since those are used for visiting webpages. Changing ports around is successful and we have a shell!
I am in as the www-data user, it seems. I do some quick enumeration and don't see anything too obvious at first. No obviously vulnerable running processes, and at the time a kernel exploit didn't seem to exist. Digging deeper, I decided to hit the logs and see if any sensitive logs were misconfigured, and uh oh! Seems like syslog is world readable, let's see what's going on.
Looks like there's a crontab running a chkrootkit program every so often.
Interesting... at this point I was baffled for about a day, as /usr/bin/chkrootkit, which is what cron was executing, didn't seem to be world writable. After a while I decided to search for chkrootkit exploits and found this exploit in EDB: https://www.exploit-db.com/exploits/33899/. Checking the program (since it is at least readable) we find that the line 'file_port=$file_port $i' is missing the quotation marks, which is exactly the condition the exploit requires, meaning we have a vulnerable program!
To exploit this vulnerability we simply have to create an executable file named 'update' in /tmp; chkrootkit will execute this as root and give us root code execution! I decide to create an 'update' script with the following code:
#!/bin/bash
chmod u+s /bin/dash
This makes /bin/dash setuid, and since root owns it, root will run the script, meaning we should get root by running /bin/dash after the setuid bit is set! Now we just wait for the cron job to run; according to the syslog it should be in about 1 minute. After about 1 minute we pop an ls -alh /bin/dash and the setuid bit seems set! I run /bin/dash and huzzah, we are root!
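As an added defensive check (my own helper, not part of the original walkthrough), the functions below audit a host for the three conditions the post chained together: the unquoted 'file_port=$file_port $i' line in chkrootkit, a stray executable named 'update' in /tmp, and a world-readable syslog. The paths passed in are assumptions; point them at the real files on the host being audited.

```shell
#!/bin/sh
# Added audit helper: detects the misconfigurations described in the
# SickOS 1.2 walkthrough so an administrator can fix them before cron does.

# Returns 0 (vulnerable) if the chkrootkit script at $1 still contains the
# unquoted assignment that lets a file named /tmp/update run as root.
# A patched chkrootkit quotes it: file_port="$file_port $i"
chkrootkit_unquoted_file_port() {
    grep -qF 'file_port=$file_port $i' "$1"
}

# Returns 0 if an executable named 'update' is sitting in directory $1
# (normally /tmp), which is the artefact the post plants for chkrootkit.
suspicious_update_in_tmp() {
    [ -f "$1/update" ] && [ -x "$1/update" ]
}

# Returns 0 if the file $1 is readable by 'other'; the post found the cron
# schedule because /var/log/syslog was left world readable.
world_readable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -o=r 2>/dev/null)" ]
}

# Runs all three checks and reports; returns 0 only when nothing is found.
audit_host() {
    chkrootkit="${1:-/usr/bin/chkrootkit}"   # assumed default path
    tmpdir="${2:-/tmp}"
    logfile="${3:-/var/log/syslog}"
    rc=0
    if [ -f "$chkrootkit" ] && chkrootkit_unquoted_file_port "$chkrootkit"; then
        echo "FAIL: $chkrootkit has the unquoted file_port line (update it)"; rc=1
    fi
    if suspicious_update_in_tmp "$tmpdir"; then
        echo "FAIL: executable $tmpdir/update present (inspect and remove)"; rc=1
    fi
    if [ -e "$logfile" ] && world_readable "$logfile"; then
        echo "FAIL: $logfile is world readable (chmod 640 and restrict group)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: none of the SickOS 1.2 conditions found"
    return "$rc"
}
```

Run it as `audit_host` with no arguments on a live host, or pass alternative paths to test against copies of the files.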
Thanks to D4rk for this fun machine to help me prepare for PWK!