SickOS 1.1 — Walkthrough
walkthrough Description from Vulnhub
This (walkthrough) CTF gives a clear analogy how hacking strategies can be performed on a network to compromise it in a safe environment. This vm is very similar to labs I faced in OSCP. The objective being to compromise the network/machine and gain Administrative/root privileges on them. Link: walkthrough
walkthrough As usual, I started with a simple port scan. This included script scanning, version enumeration on all ports and skipping ping probes, since we know that the machine is online. walkthrough
port scan didn’t yield much… There was an SSH service and a Squid proxy running and that was all. The following screenshot shows the used options.
After running the module, I got the following result back.
Port 80 seemed to be open, so it was time to scan the site. Nikto has the ability to scan the target behind a proxy. I used it to discover the /cgi-bin/status script that is vulnerable to shellshock.
I got excited and quickly wrote a curl command. It included a User-Agent header with the shellshock payload + Bash reverse shell, the proxy and of course the target URL. walkthrough
After running the command, I immediately got a reverse shell connection back as www-data .
Here comes the enumeration part again. I ran the famous LinEnum script and looked for credentials, but nothing unusual turned up. I noticed a Python script in the /var/www directory which was really suspicious to me.
now i had a strong feeling that this file gets executed, so I used pspy to monitor the running processes. It’s an excellent tool, you should check it out: https://github.com/DominicBreuker/pspy
The connect.py script runs periodically under the root user and the best part is that we can edit this file. I took a simple Python reverse shell and replaced the contents of the file with it. walkthrough
I didn’t have to wait long to get a connection back. This time the only difference is that I got root privileges.
