{"id":705,"date":"2019-12-14T16:02:57","date_gmt":"2019-12-14T16:02:57","guid":{"rendered":"http:\/\/zerothcode.com\/blog\/?p=705"},"modified":"2020-03-28T09:54:13","modified_gmt":"2020-03-28T09:54:13","slug":"sickos-1-1-walkthrough","status":"publish","type":"post","link":"https:\/\/zerothcode.com\/blog\/sickos-1-1-walkthrough\/","title":{"rendered":"SickOS 1.1 \u2014 Walkthrough"},"content":{"rendered":"
\n
\n
\n
walkthrough Description from Vulnhub<\/h5>\n
This (walkthrough) CTF gives a clear analogy how hacking strategies can be performed on a network to compromise it in a safe environment. This vm is very similar to labs I faced in OSCP. The objective being to compromise the network\/machine and gain Administrative\/root privileges on them.\r\nLink: walkthrough<\/pre>\n
https:\/\/www.vulnhub.com\/entry\/sickos-11,132\/<\/a><\/p>\n<\/div>\n<\/div>\n<\/section>\n
\n
\n
\n
walkthrough As usual, I started with a simple port scan. This included script scanning, version enumeration on all ports and skipping ping probes, since we know that the machine is online. walkthrough<\/h5>\n
\n
\n
\n
\n
\n
<\/div>\n
\"walkthrough\"<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n
port scan didn\u2019t yield much\u2026 There was an SSH service and a Squid proxy running and that was all.\u00a0 The following screenshot shows the used options.<\/p>\n<\/div>\n<\/div>\n
\n
\n
\n
\n
\n
\n
\n
\n
<\/div>\n
\"walkthrough\"<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n
After running the module, I got the following result back.<\/p>\n
\n
\n
\n
\n
\n
<\/div>\n
\"walkthrough\"<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n
Port 80 seemed to be open, so it was time to scan the site. Nikto has the ability to scan the target behind a proxy. I used it to discover the\u00a0\/cgi-bin\/status<\/code>\u00a0script that is vulnerable to shellshock.<\/p>\n<\/div>\n<\/div>\n
\n
\n
\n
\n
\n
\n
\n
\n
<\/div>\n
\"walkthrough\"<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n
I got excited and quickly wrote a\u00a0curl<\/code> command. It included a User-Agent header with the shellshock payload + Bash reverse shell, the proxy and of course the target URL. walkthrough<\/p>\n
\n
\n
\n
\n
\n
<\/div>\n
\"walkthrough\"<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n
After running the command, I immediately got a reverse shell connection back as\u00a0www-data<\/code>\u00a0.<\/p>\n
\n
\n
\n
\n
<\/div>\n
\"walkthrough\"<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n
Here comes the enumeration part again. I ran the famous\u00a0LinEnum<\/em>\u00a0script and looked for credentials, but nothing unusual turned up. I noticed a Python script in the\u00a0\/var\/www<\/code>\u00a0directory which was really suspicious to me.<\/p>\n
now i had a strong feeling that this file gets executed, so I used pspy<\/code>\u00a0to monitor the running processes. It’s an excellent tool, you should check it out:\u00a0https:\/\/github.com\/DominicBreuker\/pspy<\/a>\u200b<\/p>\n<\/div>\n<\/div>\n
\n
\n
\n
\n
\n
\n
\n
\n
<\/div>\n
\"walkthrough\"<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n
The connect.py<\/code> script runs periodically under the root user and the best part is that we can edit this file. I took a simple Python reverse shell and replaced the contents of the file with it. walkthrough<\/p>\n
\n
\n
\n
\n
\"walkthrough\"<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n
I didn\u2019t have to wait long to get a connection back. This time the only difference is that I got root privileges.<\/p>\n
\n
\n
\n
\n
<\/div>\n
\"walkthrough\"<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n<\/div>\n<\/div>\n<\/section>\n
Watch Out: Android Apps in Google Play Store Capitalizing on Coronavirus Outbreak<\/a><\/h4>\n","protected":false},"excerpt":{"rendered":"
walkthrough Description from Vulnhub This (walkthrough) CTF gives a clear analogy how hacking strategies can be performed on a network<\/p>\n","protected":false},"author":1,"featured_media":706,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[487],"tags":[],"yst_prominent_words":[120,703,711,707,559,706,700,695,704,698,701,694,699,697,696,702,710,709,708,932],"class_list":["post-705","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf"],"_links":{"self":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/705","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/comments?post=705"}],"version-history":[{"count":0,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/705\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media\/706"}],"wp:attachment":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media?parent=705"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/categories?post=705"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/tags?post=705"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/yst_prominent_words?post=705"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}