SickOs: 1.1 CTF
Attacker: Kali Linux 2016
Vulnerable Machine: SickOs1.1
VMWare Workstation 12 Player
Networking: Host-based Internal
This is my first step when researching any new system. We first need to find out the IP of the machine that we are attacking.
Now that we have our IP let's tryand find out what services are running on the box and what ports are open.
1. There is a proxy running on port 3128 using Squid Proxy 3.1.19
2. Port 22 is open for ssh using OpenSSH
3. Port 8080 is closed by the http proxy
Since it looks like there is some type of web-server running on this machine let's use nikto, an open source web server scanner to find out more about it. We are making sure to use the proxy to make the connection with nikto using the -useproxy tag.
The main thing that stands out to me with this scan is that "robots.txt" contains 1 entry that should be viewed manually. I'm going to keep that in mind as I go forward and try to connect to the web-server.
The first step to connecting to the web-server is going to be configuring my browser to connect through the proxy.
With the browser configured I can now attempt to connect using the machine IP.
Well that didn't give me much. Looking at the page source doesn't grant any more information either.
It's time to use that hint from nikto and take a look at the robots.txt file.
Looks like there is a new directory to take a look at.
The directory takes me to a service running on the web-server. It doesn't have much information posted on it but I do get a few take-aways.
1. All of the post have been created by the user account Administrator.
2. This service has just been created.
3. I need to find information about the defaults for wolfcms.
My research on wolfcms showed me that by default many of the pages have a '?' prefix. Also, there is a admin directory within wolfcms. knowing that I navigated to /wolfcms/?admin This granted me a login page.
Knowing that much of this web service is still using defaults and that there were posts made by the Administrator user, I tried the admin/admin username/password combination.
8) Upload Files
I'm in!! Navigating through the admin portal I find a page where I can upload files.
Let's see if there are any filters on file uploads to prevent .php uploads.
The service allowed me to upload a php reverse shell, now all I have to do is prepare my attacker machine to catch that shell.
9) Netcat & Shell
Using netcat I am able to listen on the port that I specified '1234'. When I run the php code on the web-server, I am granted a limited shell to the system.
Looking around the /var/www directory on the machine I find a file called connect.py. Running the python script I get the following:
Looking at the code for the python script doesn't show anything more than what is displayed. Since the code says that it runs frequently, let's look into the cron jobs and see if the script gets run by them.
11) cron job
After looking into the daily cron jobs I found that connect.py is run as the root user.
Perfect!! Since I noticed earlier that the file is able to be edited by anyone yet it is run by the root user, let's see if I can modify that script to give me a root shell.
12) Python shell
The following script is a python reverse shell script. When this script is run by the cron job, it will be run as a root user. Therefore, it will give us a root shell. The only changes that are made to the below script is that the IP 10.0.0.1 and port 1234 are changed to my attacker machine and the port I want to listen on. In the case I used port 4567.
Start listening on port 4567 with netcat. The next time that the cron job runs the python script will give you a root shell.
Soon after I started listening on my attacker machine with netcat on the specified port I am granted a root shell. From there I find the flag in the /root directory.