This post describes the steps needed to gain root on SickOS 1.1, available on Vulnhub. According to its author, D4rk (https://twitter.com/D4rk36), this box is similar to the machines in the OSCP labs.

Machine Name: SickOs: 1.1
Resource URL: https://www.vulnhub.com/entry/sickos-11,132/
Summary
To obtain administrative access on this box, the following kill chain was executed.
- Service enumeration identified an open proxy service, allowing traffic to be pivoted to the local interfaces of the target.
- Enumeration of the services available on the target's local interface (127.0.0.1) identified a web server running a CMS.
- Default credentials were used to obtain administrative access to the CMS management console, allowing remote command execution through a webshell inserted into an edited CMS page.
- At the privilege escalation step, enumeration of services and scheduled routines identified a cron job that executes a script with root privileges. The script file is writable, allowing the insertion of malicious code that runs with root privileges.
WriteUp
Recon
During the recon step, it was possible to identify the service Squid/3.1.19 (https://en.wikipedia.org/wiki/Squid_(software)) running on port 3128/TCP as an open proxy.

The open proxy configuration allowed the enumeration of internal services. By pivoting traffic through the open proxy, it was possible to identify a web service available on port 80/TCP.

It was possible to interact with the web application on port 80/TCP. Recon against the web application identified a robots.txt file, which revealed the web application to be WOLFCMS (https://github.com/wolfcms/wolfcms).

To access the target's web pages, the attacker's web browser was configured to use the open proxy's IP address as its proxy, allowing easier interaction with the target.


Exploitation
Administrative access to the WOLFCMS management console, located at http://192.168.1.101/wolfcms/?/admin/login, was obtained through a brute-force attack, which identified the default credentials: username admin and password admin.

Administrative access allowed the attacker to edit the CMS pages. Malicious code was inserted into an application page to execute system commands through PHP code.


Command execution through the webshell allowed the attacker to download a reverse shell written in Python and obtain a TTY shell on the target system.

Privilege Escalation
During the privilege escalation step, it was possible to identify a cron routine at /etc/cron.d/automate. This routine executes the script located at /var/www/connect.py every minute with root privileges. The script has permissive permissions, enabling the attacker to alter its content, and when the routine runs, an administrative shell is obtained.


Due to the write permissions on this file, it was possible to change its content and establish a new reverse connection as the administrator user.

Since the /var/www/connect.py script is executed every minute, after its change it was possible to gain access through a reverse connection with a uid 0 shell and obtain the flag.
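The weakness exploited above, a root cron job running a script that a non-root user can modify, is easy to audit for on a host. The following added example (not part of the original write-up) parses /etc/cron.d-style entries, resolves the script each root job runs, and flags scripts that are owned by non-root, world-writable or writable by a non-root group; the cron content and file metadata are constructed inline so it runs offline, and with the default stat_fn it inspects the real filesystem.

```python
import os, stat
from types import SimpleNamespace
# Constructed /etc/cron.d content in the style the write-up describes
# (hypothetical; the box's real file is not reproduced on the page).
SAMPLE_CRON = """\
# m h dom mon dow user command
SHELL=/bin/sh
* * * * * root /usr/bin/python /var/www/connect.py
0 3 * * * root /usr/local/sbin/rotate-logs.sh
"""
# Constructed file metadata standing in for os.stat() results (hypothetical).
FAKE_FS = {
    "/var/www/connect.py": SimpleNamespace(st_mode=0o100777, st_uid=0, st_gid=0),
    "/usr/local/sbin/rotate-logs.sh": SimpleNamespace(st_mode=0o100755, st_uid=0, st_gid=0),
}
fake_stat = FAKE_FS.__getitem__  # offline stand-in for os.stat; KeyError when missing
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl"}

def parse_cron_d(text):
    """Return (user, script) per job line: five time fields, a user, a command."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # skip comments and VAR=value assignments
        parts = line.split(None, 6)
        if len(parts) < 7: continue  # malformed line
        user, argv = parts[5], parts[6].split()
        # When an interpreter is invoked, the script is its first argument.
        interp = os.path.basename(argv[0]) in INTERPRETERS and len(argv) > 1
        jobs.append((user, argv[1] if interp else argv[0]))
    return jobs

def modifiable_by_non_root(st):
    """Risky if owned by non-root, world-writable, or writable by a non-root group."""
    return (st.st_uid != 0 or bool(st.st_mode & stat.S_IWOTH)
            or (bool(st.st_mode & stat.S_IWGRP) and st.st_gid != 0))

def audit(text, stat_fn=os.stat):
    """Return (script, mode) for root cron jobs whose script a non-root user could edit."""
    findings = []
    for user, script in parse_cron_d(text):
        if user != "root": continue
        try:
            st = stat_fn(script)
        except (OSError, KeyError):
            continue  # script missing; nothing to inspect
        if modifiable_by_non_root(st):
            findings.append((script, oct(stat.S_IMODE(st.st_mode))))
    return findings
```

Running audit on the real /etc/cron.d files of a host reports exactly the kind of entry this box was built around; the fix is to make such scripts root-owned with mode 0755 or stricter.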

Conclusion
This box is pretty fun because of the open proxy and the pivoting technique; it is a straightforward hack and feels like a real-world scenario.
