SickOs: 1.1 CTF Walk-Through
Attacker: Kali Linux 2016
Vulnerable Machine: SickOs1.2
VMWare Workstation 12 Player
Networking: Host-based Internal
1) Use netdiscover to find IP of the box.
Looks like my target box is located at IP 192.168.204.130. I'm going to use nmap in order to find out what ports are open on the box.
2) Use nmap to find open ports.
There are two open ports on this box. Port 22 for SSH and port 80 for a web server running lighttpd. Let me first look at what the web server has to offer.
Not much. There is nothing more offered in the page source either. I'm going to use some tools to try and find out some more information about this server.
3) Use nikto to scan the web server
Nikto didn't pick up much from the web server. Let's move on to something else.
Here we go. There is a directory /test but it doesn't hold any data in it.
5) Use curl to view the OPTIONS method
Looking at the OPTIONS method for the /test directory, I am finally getting somewhere. It looks like I can use PUT to upload files into the /test directory.
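The same OPTIONS check, written from the defender's side as an added example (this is not code from the walkthrough): fetch OPTIONS for each path, parse the Allow header, and flag any write-capable methods (PUT, DELETE and the WebDAV verbs) that a web server should not advertise on an unauthenticated path. The host and paths in the usage block are assumptions taken from this write-up's lab network.

```python
"""Audit which HTTP methods a web server advertises for a set of paths.

Added example for this walkthrough, not the author's code. The author found
PUT enabled on /test by inspecting the OPTIONS response; this script automates
that inspection so an administrator can confirm no path advertises writes.
"""
import http.client

# Methods that let a client change content on the server (plain HTTP and WebDAV).
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}


def parse_allow(header_value):
    """Split an Allow header such as 'GET, HEAD, PUT, OPTIONS' into upper-case tokens."""
    if not header_value:
        return set()
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def risky_methods(header_value):
    """Return the advertised methods that permit writes, sorted for stable output."""
    return sorted(parse_allow(header_value) & WRITE_METHODS)


def probe_options(host, path="/", port=80, timeout=5):
    """Send one OPTIONS request and return (status, Allow header or None)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Allow")
    finally:
        conn.close()


def audit(host, paths, port=80):
    """Probe each path; return {path: [risky methods]} for paths that advertise writes."""
    findings = {}
    for path in paths:
        _status, allow = probe_options(host, path, port)
        risky = risky_methods(allow)
        if risky:
            findings[path] = risky
    return findings


if __name__ == "__main__":
    # Assumed target: the lab box from this walkthrough, on the host-only network.
    result = audit("192.168.204.130", ["/", "/test/"])
    for path, methods in result.items():
        print(f"{path}: write methods advertised: {', '.join(methods)}")
    if not result:
        print("no write methods advertised")
```

On lighttpd, PUT on a directory is normally provided by mod_webdav; if the module is needed at all, setting `webdav.is-readonly = "enable"` for that location (or restricting it with auth) removes the write methods the audit flags.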
6) Upload files
Starting with a simple text file, I am able to use nmap's http-put script to upload it to the directory.
Seeing the file here in the test directory proves that I can upload files onto the server. Let's step things up with my favorite PHP reverse shell script.
My script has been uploaded onto the server. Let's fire up my netcat listener to catch the shell when I click on the PHP script.
7) Use Netcat to get a remote shell
I've got a limited shell. Since my target is in the /root directory, I'm going to need to escalate my privileges in order to get the flag.
8) OS Version
My first step when I get a limited shell into a box is to get the /bin/bash shell that I am used to. I do this with a simple Python one-liner listed below.
After that I need to find out what version of the OS I am working with. Looks like it's Ubuntu 12.04 LTS.
My first step was to try some of the typical vulnerabilities that are out there for 12.04. Unfortunately, none of those exploits were able to escalate my privileges. Thinking back on the first machine in this series, which used a daily cron job to run a Python file that could be exploited, I thought I would take a look there. My intuition paid off.
A vulnerable version of chkrootkit is being run by the daily cron job. Looking at CVE-2014-0476 at https://www.exploit-db.com/exploits/33899/ I was able to see that I could exploit this program to gain access to the flag.
10) chkrootkit Vulnerability
The vulnerability in chkrootkit requires that you create an executable file called update within the /tmp directory of the server. When the cron job runs, that executable is run as root. This was probably my biggest hangup when working through this machine. I tried many different executables before realizing that I already knew the file name and location of the object I wanted. Therefore, I created a simple executable bash script to copy the file to the /tmp directory and change its permissions so that all users could read it.
I had to remember to chmod +x update in order to allow the file to be run by chkrootkit.
Since the cron job was only run daily, I used a simple command to make it run now. This run-parts command asked for a password for some parts of the job, but after skipping past entering the password, the job was able to finish.
At the end, my file was sitting in the /tmp directory and I was able to open it as www-data.
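The chkrootkit weakness described in steps 8 through 10 is easy to audit for. The following added example (not the author's code) checks a host from the defender's side: whether the installed chkrootkit predates the fixed release, whether the daily cron directory runs it, and whether an executable file named update is sitting in /tmp, which is exactly the artifact this attack leaves behind and which the next cron run would execute as root. The fixed-version threshold (0.50) comes from the CVE-2014-0476 record rather than from the walkthrough; directory paths are parameters so the checks can be exercised against a scratch directory.

```python
"""Audit a host for the chkrootkit cron weakness (CVE-2014-0476).

Added example for this walkthrough, not the author's code. Checks:
  1. chkrootkit version older than 0.50 (the fixing release per the CVE record);
  2. a daily cron script that invokes chkrootkit;
  3. an executable /tmp/update, the indicator that someone has staged the attack.
"""
import os
import re
import stat
import subprocess

FIXED_VERSION = (0, 50)  # first chkrootkit release without the bug (from the CVE record)


def parse_version(text):
    """Extract 'chkrootkit version 0.49' -> (0, 49); None if no version is present."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def version_is_vulnerable(version_text):
    """True when the parsed version is older than the fixed release."""
    v = parse_version(version_text)
    return v is not None and v < FIXED_VERSION


def installed_version(binary="chkrootkit"):
    """Run 'chkrootkit -V' and return its combined output, or None if not installed."""
    try:
        out = subprocess.run([binary, "-V"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout + out.stderr


def update_indicator(tmp_dir="/tmp"):
    """Describe <tmp_dir>/update if it exists, else return None.

    An executable regular file here is the thing to alert on: the vulnerable
    chkrootkit run from cron would execute it with root privileges.
    """
    path = os.path.join(tmp_dir, "update")
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    executable = bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    return {
        "path": path,
        "uid": st.st_uid,
        "mode": stat.filemode(st.st_mode),
        "executable": executable,
        "is_regular_file": stat.S_ISREG(st.st_mode),
    }


def cron_runs_chkrootkit(cron_dir="/etc/cron.daily"):
    """True if any script in the daily cron directory mentions chkrootkit."""
    if not os.path.isdir(cron_dir):
        return False
    for name in os.listdir(cron_dir):
        try:
            with open(os.path.join(cron_dir, name), "rb") as fh:
                if b"chkrootkit" in fh.read():
                    return True
        except OSError:
            continue
    return False


if __name__ == "__main__":
    ver = installed_version()
    if ver is None:
        print("chkrootkit: not installed")
    else:
        print("chkrootkit vulnerable version:", version_is_vulnerable(ver))
    print("daily cron runs chkrootkit:", cron_runs_chkrootkit())
    ind = update_indicator()
    print("/tmp/update:", "absent" if ind is None else ind)
```

Any host where the first two checks are true and the third finds an executable file is one where the walkthrough's privilege escalation would succeed; upgrading chkrootkit (or removing the cron entry until it is upgraded) closes the path, and the /tmp/update finding is worth keeping as a detection even afterwards.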