SickOS 1.1 Walkthrough
Attacking Machine : Linux kali 4.3.0-kali1-amd64
Vulnerabile Mahine: SickOS1.1
- Download (Mirror): https://download.vulnhub.com/sickos/sick0s1.1.7z
- Download (Torrent): https://download.vulnhub.com/sickos/sick0s1.1.7z.torrent
Started scan with netdiscover command for live host in my network.
We could see three IPs are detected by netdiscover including gateway and default address.
So our target would be 192.168.37.129.
Run the nmap to detect what are the services running on the machine.
nmap -sS -sV -T4 -A 192.168.37.129
Nmap scan returns ssh and proxy port information.
By looking into port 3128 we know that a webserver is running and it can be accessible with port proxy.
Configure the local browser proxy to access the web page.
We are all set to access the webapplication. Now run the nikto to detect whether any vulnerabilities present on this application or not.
nikto -h http://192.168.37.129:3128 -o out -F html
We found that rebotx.txt is present and found Wolfcms directory is present.
Navigate to wolfcms directory, it landed to Wolf cms application.
By doing some research on the web I found the admin page location for cms application and default user name and password.
With default user name and password I could able to login to administrator account for Wolf application. By visiting the files tab in the application “Upload file” function is available in public directory to upload any file.
I have created c99 shell in attacking machine and uploaded with “Upload file” option.
To launch the shell, navigate to public directory and launch the shell.php which returns web shell.
Using web shell we can list the directories and navigate the directories. When I navigate one directory up I found config file.
Config file disclose the root password for mysql. I have navigated to etc directory and found passwd text in read permissions. This file can be downloaded with web shell.
By analyzing the password we know that “sickos” is one of valid use with bash shell.
I tried to login sickos user with password found in the config file and succeeded.
Having a limited user access I have ran the sudo -l command to know what are the other commands sickos user can run.
Interestingly sickos user can run all commands 🙂
Connect the root user with sudo -s and I have loged to root user account without a password.