SickOS 1.2: Vuln Hub OSCP like Box Complete Walkthrough

HackRich
9 Jul 2023 23:24

Summary

TL;DR: In this tutorial video, HackRich demonstrates a walkthrough of the sickOS vulnhub box. Starting with identifying the IP address, the video progresses through nmap scanning, searching for vulnerabilities, and exploring the HTTP service. The host then leverages the PUT method to upload a reverse shell, gaining initial access as www-data. The video dives into privilege escalation, utilizing linpeas.sh to find vectors, and successfully exploits a chkrootkit vulnerability to escalate to root access, showcasing the importance of thorough investigation in the penetration testing process.

Takeaways

  • 💻 The video is a walkthrough of hacking the sickOS vulnhub box.
  • 🔍 The netdiscover tool is used to find the IP address of the sickOS box.
  • 🛠️ Nmap is utilized to scan for open ports and service information on the sickOS box.
  • 🚫 No exploitable vulnerabilities were found for lighttpd using searchsploit.
  • 🌐 The HTTP service at the sickOS IP address reveals a webpage with a conspiracy theory about antivirus companies.
  • 🔑 Feroxbuster is employed to brute force directories on the sickOS HTTP server.
  • 📚 The PUT HTTP method is identified as allowed for a specific endpoint, which is unusual and significant.
  • 💡 The presenter demonstrates how to use curl to check for allowed HTTP methods on an endpoint.
  • 📎 An attempt to upload a reverse shell to the server with the PUT method initially fails with an error.
  • 🔄 After resolving the error, the reverse shell is successfully uploaded and executed, providing initial access to the server.
  • 🔄 The linpeas.sh script is used to search for privilege escalation vectors on the compromised machine.
  • 🔍 The script reveals a potential exploit for the Linux version running on the server.
  • 🛠️ An exploit is compiled and transferred to the sickOS machine, but execution initially fails.
  • 🕵️‍♂️ Linpeas suggests several exploits and CVEs that could be tried for privilege escalation.
  • 🔄 The presenter finds a vulnerability in the chkrootkit cron job and uses it to gain root access by creating an executable 'update' file.
  • 🎉 The video concludes with the successful gain of root access, emphasizing the importance of digging deeper and learning from the process.

Q & A

  • What is the purpose of the video?

    -The video is a walkthrough of the sickOS vulnhub box, demonstrating the process of hacking into the system and gaining root access.

  • What tool is used initially to find the IP address of the sickOS box?

    -The 'netdiscover' tool is used to find the IP address of the sickOS box.

  • What command is used to run a vulnerability scan on the sickOS box?

    -The command 'sudo nmap -sC -sV -O -p-' is used: -sC runs the default script scan, -sV detects service versions, -O detects the OS, and -p- scans all ports.

  • Which ports were found open during the nmap scan?

    -Two ports were found open: port 22 for SSH server and port 80 for HTTP service.

  • What is the significance of checking for vulnerabilities in the light HTTP version?

    -Checking for vulnerabilities in the lighttpd version is important to identify any potential security weaknesses that could be exploited during the penetration testing process.

  • What method is used to brute force directories on the sickOS box?

    -Feroxbuster is used to brute force directories with the '-u' flag for URL, '-w' for wordlist, and '-x' to specify file extensions.

  • Why is the PUT HTTP method significant in this context?

    -The PUT method is significant because it is used to create a new resource or update an existing one on the server, which can be exploited to upload a reverse shell.

  • What error occurred when attempting to upload the reverse shell and how was it resolved?

    -An error 417 'Expectation Failed' occurred. It was resolved by adding a specific flag to the curl command to handle the expectation issue.

  • What is the role of linpeas.sh in the process?

    -Linpeas.sh is a script that helps in looking for possible privilege escalation vectors by analyzing the system for known vulnerabilities and misconfigurations.

  • How is the final privilege escalation achieved?

    -The final privilege escalation is achieved by exploiting a vulnerability in chkrootkit's cron job, which causes an 'update' file to be executed as the root user; that file grants sudo access to the www-data user.

  • What is the significance of the final step where the user becomes root?

    -The significance of becoming root is that it demonstrates successful privilege escalation, giving the attacker full control over the system, which is the ultimate goal in a penetration test.

Outlines

00:00

🔍 Initial Reconnaissance and Nmap Scan

The script begins with the host, HackRich, introducing a walkthrough of the sickOS vulnhub box. The first step is to discover the IP address of the sickOS box using the netdiscover tool. The IP address of the Kali Linux box is also revealed for reference. A subsequent nmap scan is performed to identify open ports and services, revealing port 22 for SSH and port 80 for HTTP, the latter served by lighttpd version 1.4.28. A searchsploit check finds no vulnerabilities for this version. The script then proceeds to visit the HTTP service and attempts to brute force directories using feroxbuster, but no significant findings are made.

05:02

📚 Exploring HTTP Methods and Uploading a Shell

In this section, the script delves into the HTTP methods allowed for a particular endpoint, discovering that the PUT method is enabled. The host explains the typical uses of the GET, PUT, and DELETE methods and uses curl with the OPTIONS method to list what the endpoint allows. An attempt is made to upload a reverse shell using curl with the PUT method, but a 417 Expectation Failed error is encountered. After researching the error, a solution is applied, and shell.php is successfully uploaded to the server. The script then sets up a listener and attempts to execute the shell, but initially fails, possibly due to a firewall. The host then decides to use port 443, the default for HTTPS, to bypass this issue and successfully gains a shell, establishing initial access to the server.
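The upload-then-execute sequence described above (an OPTIONS probe, a PUT refused with 417, a successful PUT of shell.php, then a GET of the uploaded script) leaves a clear trail in the web server's access log. The detector below is an added example, not code from the video or the SickOS box; it assumes CLF-style access log lines (the default layout for lighttpd and Apache), and the sample log, the client address and the /writable/ path are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# CLF-style access log line (lighttpd and Apache both default to this layout):
# client vhost-or-ident user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Extensions the server would execute rather than serve as static content.
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".jsp", ".asp", ".aspx", ".cgi", ".pl", ".py")

# (severity, client, path, reason)
Finding = Tuple[str, str, str, str]


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, int]]:
    """Return (client, time, method, path, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]  # drop the query string
    return m["client"], m["time"], m["method"], path, int(m["status"])


def is_script(path: str) -> bool:
    return path.lower().endswith(SCRIPT_EXTS)


def detect_put_upload(lines: List[str]) -> List[Finding]:
    """Flag PUT uploads of scripts, and later requests that would execute them."""
    findings: List[Finding] = []
    uploaded: Dict[str, str] = {}                            # path -> client whose PUT succeeded
    rejected: Dict[Tuple[str, str], int] = defaultdict(int)  # (client, path) -> failed PUTs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable lines are skipped, not treated as findings
        client, _time, method, path, status = rec
        if method == "OPTIONS":
            findings.append(("LOW", client, path, "OPTIONS probe (allowed-method enumeration)"))
        elif method == "PUT" and is_script(path):
            if 200 <= status < 300:
                reason = "PUT of server-side script accepted"
                if rejected[(client, path)]:
                    # a 417 followed by a 2xx on the same path is a client retrying after
                    # the server refused its Expect header, the sequence seen in the video
                    reason += f" after {rejected[(client, path)]} rejected attempt(s)"
                uploaded[path] = client
                findings.append(("HIGH", client, path, reason))
            else:
                rejected[(client, path)] += 1
                findings.append(("MEDIUM", client, path, f"PUT of server-side script rejected ({status})"))
        elif method in ("GET", "POST") and path in uploaded:
            findings.append(("CRITICAL", client, path, "request for a script uploaded via PUT (likely execution)"))
    return findings


# Constructed sample log, not taken from the video or the SickOS box: one client probes
# methods, has its first PUT refused with 417, retries successfully, then fetches the script.
SAMPLE_LOG = """\
192.168.29.50 192.168.29.98 - [09/Jul/2023:22:15:01 +0530] "OPTIONS /writable/ HTTP/1.1" 200 0 "-" "curl/8.1.2"
192.168.29.50 192.168.29.98 - [09/Jul/2023:22:15:20 +0530] "PUT /writable/shell.php HTTP/1.1" 417 363 "-" "curl/8.1.2"
192.168.29.50 192.168.29.98 - [09/Jul/2023:22:15:45 +0530] "PUT /writable/shell.php HTTP/1.1" 201 0 "-" "curl/8.1.2"
192.168.29.50 192.168.29.98 - [09/Jul/2023:22:16:10 +0530] "GET /writable/ HTTP/1.1" 200 1181 "-" "Mozilla/5.0"
192.168.29.50 192.168.29.98 - [09/Jul/2023:22:16:30 +0530] "GET /writable/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.29.77 192.168.29.98 - [09/Jul/2023:22:17:00 +0530] "GET /index.php HTTP/1.1" 200 160 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""

if __name__ == "__main__":
    for severity, client, path, reason in detect_put_upload(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {client} {path}: {reason}")
```

Pipe a real access log through `detect_put_upload` line by line; the same logic applies to any server whose PUT handling writes into a directory the web server will also execute from.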

10:03

🚀 Privilege Escalation and Linpeas Analysis

After gaining initial access, the script focuses on escalating privileges. The host upgrades the shell using a Python one-liner and changes the command line color for clarity. The linpeas.sh script is transferred to the compromised machine to search for possible privilege escalation vectors. linpeas highlights the Linux kernel version as a likely privilege escalation vector. An exploit search for that version turns up one affecting kernels below 3.13.2, and the host confirms that the server's 3.11 kernel is in range. Compiling the exploit on the sickOS machine fails, so the host compiles it locally, first adding a missing header and then a compiler flag, and transfers the binary to the target, but execution fails with "cannot execute binary file", prompting further analysis of the linpeas results.

15:11

🔧 Exploiting chkrootkit Vulnerability for Root Access

The script identifies a vulnerability in the chkrootkit cron job; chkrootkit is a security tool that searches for rootkit signatures. The linpeas script suggests that the installed version of chkrootkit has a local privilege escalation vulnerability. The host confirms this with searchsploit, which returns an advisory text file describing how to reproduce the bug: an executable file named 'update' owned by a non-root user in /tmp is executed when chkrootkit runs. Because chkrootkit here runs from a root-owned cron job, the host creates the 'update' file with a command that grants the www-data user sudo access without a password, makes it executable, and waits for the cron job to run it, successfully gaining root access.

20:20

🎉 Gaining Root Access and Conclusion

The final part of the script describes the successful exploitation of the chkrootkit vulnerability, which grants the www-data user sudo access without a password. The host verifies this by running 'sudo -l' and then uses 'sudo su' to gain root access. The script concludes by reflecting on the privilege escalation process, emphasizing the importance of understanding tools like chkrootkit and the value of digging deeper when using tools like linpeas. The video ends with a prompt for viewers to like, subscribe, and stay tuned for more content.

Keywords

💡sickOS vulnhub box

The 'sickOS vulnhub box' refers to a virtual machine created for the purpose of practicing penetration testing and ethical hacking. It is a part of VulnHub, a platform that provides various vulnerable systems for security enthusiasts to test their skills. In the video, the presenter is conducting a walkthrough of this specific box, demonstrating the process of identifying vulnerabilities and exploiting them to gain access.

💡netdiscover

netdiscover is a command-line tool used for network discovery, which helps in identifying active hosts on a local network. In the context of the video, the presenter uses 'netdiscover' to find the IP address of the 'sickOS box', which is the first step in the penetration testing process.

💡nmap

Nmap, or Network Mapper, is a security scanning tool used to discover hosts and services on a computer network, thus creating a 'map' of the network. It can also be used to identify open ports, running services, and their versions. In the video, 'nmap' is utilized to scan the 'sickOS box' to find open ports and gather information about the services running on those ports.

💡SSH server

SSH, or Secure Shell, is a cryptographic network protocol for operating network services securely over an unsecured network. An SSH server is a program that allows secure connections to a computer. In the video, port 22 is identified as an SSH server, which is a common port for such secure connections.

💡HTTP service

HTTP, or Hypertext Transfer Protocol, is the foundation of data communication for the World Wide Web, and an HTTP service refers to a server that responds to HTTP requests. In the video, port 80 is found to be running an HTTP service, indicating a web server is available for interaction.

💡searchsploit

Searchsploit is a tool that comes with the Exploit Database, allowing users to search for and use known exploits from the database. In the video, the presenter uses 'searchsploit' to check for any known vulnerabilities associated with the version of the lighttpd server found during the nmap scan.

💡feroxbuster

Feroxbuster is a command-line tool designed for brute-forcing directories and files on web servers. It is used to find hidden resources behind a web server. In the video, 'feroxbuster' is used to brute force directories on the 'sickOS box' to discover more about the web server's structure.

💡reverse shell

A reverse shell is a technique used in penetration testing where a command shell session is opened on the attacker's machine, with the connection coming from the target machine. In the video, the presenter attempts to upload a 'reverse shell' script to the 'sickOS box' to gain a shell session on the attacker's machine.

💡linpeas.sh

Linpeas is a script that checks for possible privilege escalation vectors on Linux systems. It is used to enumerate the system and find potential weaknesses that could be exploited to gain higher privileges. In the video, 'linpeas.sh' is transferred to the 'sickOS box' to run and identify possible privilege escalation opportunities.

💡privilege escalation

Privilege escalation refers to the act of exploiting a bug, vulnerability, or configuration weakness in a system that allows an attacker to gain higher access rights or privileges than they originally had. In the video, the presenter is looking for ways to escalate privileges from the 'www-data' user to 'root', the highest privileged user on a Linux system.

💡cron job

A cron job is a scheduled task in Unix-like operating systems that runs scripts or programs at specified times or intervals. In the video, the presenter discovers that 'chkrootkit' is scheduled as a cron job, which is later exploited to gain root access by creating a malicious 'update' file.

💡chkrootkit

chkrootkit is a security tool designed to scan a system for rootkit signatures; a rootkit is hidden software that gives an attacker unauthorized access to the system. In the video, a vulnerability in 'chkrootkit' is exploited by creating an 'update' file in /tmp, which is executed by the root cron job, leading to privilege escalation.

Highlights

Introduction to the walkthrough of the sickOS vulnhub box.

Using netdiscover to find the IP address of the sickOS box.

Running nmap to scan open services and version information.

Identification of open ports 22 (SSH) and 80 (HTTP) on sickOS.

Checking for vulnerabilities in lighttpd using searchsploit.

Visiting the HTTP website to gather initial information.

Using feroxbuster for directory brute forcing.

Discovery of the PUT HTTP method allowed on a particular endpoint.

Attempting to upload a reverse shell using the PUT method.

Encountering and resolving a 417 Expectation Failed error.

Successfully uploading the shell.php to the server.

Setting up a listener and executing the PHP script for a shell.

Gaining initial access to the server as the www-data user.

Upgrading the shell with a Python script for better interaction.

Transferring linpeas.sh for privilege escalation analysis.

Analyzing the system with linpeas.sh for potential exploits.

Finding a potential privilege escalation vector in the Linux version.

Compiling and executing an exploit for privilege escalation.

Utilizing the chkrootkit vulnerability for privilege escalation.

Successfully gaining root access by exploiting chkrootkit.

Conclusion emphasizing the learning aspect of the process.

Transcripts

00:00

hi there this is HackRich welcome back to my channel so this video going to be a

00:05

walkthrough of sickOS vulnhub box and without wasting any time let's get started

00:13

so let's first find out the IP address of sickOS box using netdiscover tool so first let me

00:30

find out the IP address of this Kali box sorry ifconfig so this is the IP address clear

00:40

sudo netdiscover IP addresses this hit enter

00:52

yeah this is the IP address of sickOS box you can cross verify it using this MAC address

00:57

so copy this IP address

01:00

so let's run the nmap scan to find out what are the services open on this box sudo nmap -sC to

01:10

run the vulnerability scanning script -sV to find out the version information of the service -O to

01:17

find out the OS information -p- to scan all the port and IP address of sickOS box 192.168.29.98

01:29

hit enter

01:33

so looking into nmap result there are two port open one is port 22 which is

01:38

SSH server and another one is port 80 which is HTTP service and we also have the version

01:44

information of lighttpd we can definitely look into searchsploit to check whether this

01:50

particular version has any vulnerability or not so let's check that right now searchsploit no result

02:02

okay denial of service, code execution but it is 1.4.15 ours is 1.4.28 okay nothing interesting and

02:14

this is Linux box let's visit this HTTP website copy this IP address paste it here hit enter

02:25

what if computer viruses are really made by the antivirus software companies to make money

02:31

so let's look into the page source okay nothing in here okay fine so let's brute force the directory

02:39

copy the URL so let's use feroxbuster

02:49

-u URL -w specify the word list

03:02

-x to specify the extension file extension txt and PHP,HTML hit enter

03:15

okay so this is index.php I think this is home page only copy this

03:27

yeah this is home page

03:31

and copy this

03:37

parent directory okay

03:42

nothing interesting

03:46

here there is a disclosure of version of lighttpd

03:53

other than that nothing interesting

03:57

so let's use different word list let's use small.txt

04:06

no same thing let's use big.txt

04:34

okay nothing interesting so after doing little bit research on this website for this particular

04:41

endpoint PUT HTTP method is allowed why is this important usually GET method is used to retrieve

04:49

the data from the server and PUT method is used to create a new resource or update the existing

04:56

resource in the server and DELETE method is used to delete the resource from the server

05:01

and you can use the OPTIONS method find out what are the HTTP methods are allowed for

05:07

particular endpoint I will show you how to find out that copy this URL so let's use curl curl -X

05:17

to specify the HTTP method I will specify OPTIONS and the URL hit enter you have to specify verbose

05:33

and you can see here PUT method is allowed so let's PUT the reverse shell into this folder

05:39

so this is the reverse shell let me open this so here I have to change the IP address so ifconfig

05:52

so this is the IP address let's copy this

06:00

yeah this is the port number and save

06:04

so clear

06:09

-X

06:16

upload file name is reverse shell

06:23

shell not reverse shell yeah hit enter

06:30

so we got some error 417 Expectation Failed so let's Google this error

06:50

so

07:00

so by adding this flag we can solve this error let's copy this

07:12

hit enter

07:15

I think we successfully uploaded this shell.php to the server so let's go to the server

07:26

let's refresh the page yes we have that shell.php here right let's set up the listener so

07:38

clear this and nc -lvp yes hit enter so now click on shell.php to execute this PHP script

07:51

so let's go back

08:08

I'm not sure why we didn't get a shell in my knowledge we should get a shell or there

08:13

might be a possibility that there is a firewall sitting up there and blocking a server to connect

08:19

to random port because this 1337 is a random port right so let's use a well-known port for

08:26

example let's use HTTPS default port which is 443 that might fix this issue let's see so I have to

08:35

modify the script so here I have to use 443 and save it and let's rename this to something else

08:53

443 hit enter and exit

09:07

443 hit enter so let's check whether it uploaded this script or not

09:16

yes we have that script here so let's listen to 443

09:29

click on this to execute this PHP file script

09:37

yeah we got a shell so we successfully got an initial access to the server so if I say id

09:43

so I am www-data right so the next step is to root this box or get the root access

09:50

right so before that let's upgrade this shell using this python code hit enter

09:56

and clear you know let's set the term environment

10:02

export

10:06

TERM equal to xterm

10:10

clear yeah so let's change this command line color because this white is kind of confusing

10:19

so hit enter yeah so now clear this so now let's transfer the linpeas.sh to this machine

10:28

linpeas.sh is present in my Kali box I don't know you are aware of linpeas or not linpeas is a shell

10:35

script which will look for possible privilege escalation vector so let's go to tmp folder

10:45

and so let's go to desktop

10:55

yeah this is the file I want to transfer so I will set up simple python server so what was the IP

11:05

address of this Kali box I forgot just ifconfig so this is the IP address right okay so wget

11:18

http IP address of Kali box

11:25

and 8000 linpeas.sh

11:34

why it is not working yeah I think same reason uh

11:39

firewall is blocking this machine to connect to random port so let's Ctrl C

11:48

so let's host this simple python server with the port number 443

11:59

http IP address of Kali box 443 file name then linpeas.sh

12:11

yes that was the reason so if I say ls -al so we have linpeas.sh in this machine so let's

12:19

make it as executable chmod +x linpeas.sh so let's run the script clear linpeas.sh

12:40

so if you look at here this particular Linux version is marked in a yellow

12:44

color right so that means there is a 95% chance that there is a privilege

12:49

escalation vector so let's search in the Google to check whether is there

12:53

any exploit exist for this particular Linux version so let's copy this version

13:05

privilege escalation

13:12

so let's go to this

13:21

so this is less than 3.13.2 server is 3.11 that's fine

13:31

so let's copy the exploit

13:42

so let's save this file in the local machine exploit.c

13:53

paste the code Ctrl X

13:57

so let's set up the simple HTTP server using python

14:06

so let's download this file

14:22

yes so there is an instruction to compile this source code

14:34

yeah here gcc source code.c and yeah this is simple right so gcc exploit.c -o exploit

14:50

okay we are getting another so let's try this let's compile this binary in this local machine

14:58

only after compiling the binary let's transfer that binary file to sickOS machine Ctrl C so gcc

15:10

exploit.c -o exploit okay we are getting some error

15:19

time is defined in the header okay we need to include this header that's

15:33

okay and compile again we are getting some error let's copy this error let's search in the Google

15:59

by compiling this flag so let's copy this

16:09

yeah we successfully compiled the binary file so let's transfer this binary file to sickOS machine

16:16

so let's set up the simple HTTP server

16:22

so same thing wget so what is IP address this is right

16:36

so let's make it as executable

16:42

and let's run the binary file

16:47

okay still we got an error cannot execute the binary file okay that's fine let's

16:53

go through the result generated by this linpeas so let's go up

17:10

yeah so if you look at here so these are the exploits suggested by the linpeas

17:20

you can try all of this I have tried this dirtycow but I got the same error as we get

17:26

for previous exploit we tried right so let's go down you can definitely try all of this exploit

17:40

so here also some of the CVE suggested by the linpeas you can try all of this

17:51

so here linpeas listed all the weird or unexpected process run by the root user

18:03

so here linpeas listed all the cron job present in this machine so if you don't know what is

18:09

cron job using cron job we can execute the script or job on a given schedule that means if I want to

18:17

run the particular script daily or weekly I can specify in the cronjob it will run automatically

18:25

if you look at here chkrootkit also present in this cron job so chkrootkit

18:31

is a security tool which searches for rootkit signature in the system so if you also go up

18:41

so if you look at here linpeas also suggested chkrootkit vulnerability because the problem

18:46

is some of the chkrootkit version has some vulnerability so if I check in the searchsploit

18:52

so let's clear this out searchsploit so you can see here this version of the chkrootkit

19:03

has the vulnerability of local privilege escalation so let's copy this file

19:12

yeah let's view that text file

19:19

so you can read about this exploit so we just followed a serious vulnerability in the chkrootkit

19:31

okay

19:35

so here they specify how to reproduce this bug so we have to put an executable file named update

19:44

with a non-root owner in the tmp folder then run the chkrootkit okay in our case

19:52

chkrootkit present in cronjob so it will be run by the root user right so if you look at here

20:03

so the owner of the chkrootkit script is root so that means most probably this script is run

20:10

by root user so let's reproduce this vulnerability so let's clear this out

20:20

so let's create a update file in the tmp directory touch

20:25

update so if I say ls -al update so we have the update file in this tmp directory

20:35

so because this update file is executed by the root user so I will put the command in this update

20:41

file which will give the sudo access to this www-data user without using password so equal

20:55

www-data

20:59

ALL

21:04

no password

21:20

/etc/sudoers

21:32

so this is the command is responsible for giving the sudo access to www-data

21:38

so if I hit enter if I cat update file

21:43

okay we have the command in this update file so let's make this update file executable

21:55

if I say ls -l update yeah it is executable

22:03

okay let's wait for some time so now what happens is cronjob will run that vulnerable chkrootkit

22:10

when it is ran this update file will be executed by the root user so that means it will execute

22:16

this command right so this will give the sudo access to www-data user so let's wait for some time

22:27

sudo -l yeah you can see here this www-data has a sudo access so if I say id

22:40

so I am www-data user so now I will say sudo su

22:47

so now I am root if I say id

22:50

I am root user so we successfully gain the root access I agree that this privilege escalation

22:56

process was not straightforward because if you don't know what is chkrootkit then you will not

23:01

be end up with root access right but it is not that if you run the linpeas script you will get

23:07

the privilege escalation vector sometime you have to dig deeper that is fine it's all about learning

23:12

so that is all for this video until then stay tuned like the video and subscribe the channel

23:21

thank you
