SickOS 1.2: VulnHub OSCP-like Box Complete Walkthrough

HackRich
9 Jul 2023 23:24

Summary

TL;DR: In this tutorial video, HackRich walks through the SickOS VulnHub box. Starting with identifying the IP address, the video progresses through nmap scanning, searching for vulnerabilities, and exploring the HTTP service. The host then leverages the PUT method to upload a reverse shell, gaining initial access as www-data. The video then covers privilege escalation, using linpeas.sh to find vectors, and exploits a chkrootkit vulnerability to escalate to root access, showing the importance of thorough investigation in the penetration testing process.

Takeaways

  • The video is a walkthrough of hacking the SickOS VulnHub box.
  • The netdiscover tool is used to find the IP address of the SickOS box.
  • Nmap is used to scan for open ports and service information on the SickOS box.
  • No exploitable vulnerabilities were found for lighttpd using searchsploit.
  • The HTTP service at the SickOS IP address serves a webpage with a conspiracy theory about antivirus companies.
  • Feroxbuster is used to brute force directories on the SickOS HTTP server.
  • The PUT HTTP method is identified as allowed for a specific endpoint, which is unusual and significant.
  • The presenter demonstrates how to use curl to check for allowed HTTP methods on an endpoint.
  • An attempt to upload a reverse shell to the server with the PUT method initially fails with an error.
  • After resolving the error, the reverse shell is successfully uploaded and executed, providing initial access to the server.
  • The linpeas.sh script is used to search for privilege escalation vectors on the compromised machine.
  • The script reveals a potential exploit for the Linux version running on the server.
  • An exploit is compiled and transferred to the SickOS machine, but execution initially fails.
  • Linpeas suggests several exploits and CVEs that could be tried for privilege escalation.
  • The presenter finds a vulnerability in the chkrootkit cron job and uses it to gain root access by creating an executable 'update' file.
  • The video concludes with root access gained, emphasizing the importance of digging deeper and learning from the process.

Q & A

  • What is the purpose of the video?

    - The video is a walkthrough of the SickOS VulnHub box, demonstrating the process of hacking into the system and gaining root access.

  • What tool is used initially to find the IP address of the SickOS box?

    - The netdiscover tool is used to find the IP address of the SickOS box.

  • What command is used to run a vulnerability scan on the SickOS box?

    - The command 'sudo nmap -sC -sV -O -p-' is used to run a vulnerability scan and gather information about the services and OS.

  • Which ports were found open during the nmap scan?

    - Two ports were found open: port 22 for the SSH server and port 80 for the HTTP service.

  • What is the significance of checking for vulnerabilities in the lighttpd version?

    - Checking for vulnerabilities in the lighttpd version is important to identify any potential security weaknesses that could be exploited during the penetration testing process.

  • What method is used to brute force directories on the SickOS box?

    - Feroxbuster is used to brute force directories with the '-u' flag for URL, '-w' for wordlist, and '-x' to specify file extensions.

  • Why is the PUT HTTP method significant in this context?

    - The PUT method is significant because it is used to create a new resource or update an existing one on the server, which can be exploited to upload a reverse shell.

  • What error occurred when attempting to upload the reverse shell and how was it resolved?

    - An error 417 'Expectation Failed' occurred. It was resolved by adding a specific flag to the curl command to handle the expectation issue.

  • What is the role of linpeas.sh in the process?

    - Linpeas.sh is a script that helps in looking for possible privilege escalation vectors by analyzing the system for known vulnerabilities and misconfigurations.

  • How is the final privilege escalation achieved?

    - The final privilege escalation is achieved by exploiting a vulnerability in the chkrootkit cron job, which allows executing an 'update' file as the root user, granting sudo access to the www-data user.

  • What is the significance of the final step where the user becomes root?

    - The significance of becoming root is that it demonstrates successful privilege escalation, giving the attacker full control over the system, which is the ultimate goal in a penetration test.
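
A defender-side view of the upload sequence summarized above, as an added example that is not from the video or its author: it scans a web access log for the OPTIONS probe, the PUT rejected with 417, the accepted PUT of a script file, and the later request for that file. The log lines, the `/uploads/` path, the file names, the extension list and the Common Log Format layout are constructed assumptions.

```python
import re

# Constructed sample in Common Log Format; hosts, paths and names are assumptions.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Jul/2023:10:00:01 +0000] "OPTIONS /uploads/ HTTP/1.1" 200 0
192.0.2.10 - - [09/Jul/2023:10:00:05 +0000] "PUT /uploads/a.php HTTP/1.1" 417 363
192.0.2.10 - - [09/Jul/2023:10:00:09 +0000] "PUT /uploads/a.php HTTP/1.1" 201 0
192.0.2.10 - - [09/Jul/2023:10:00:12 +0000] "GET /uploads/a.php HTTP/1.1" 200 0
198.51.100.7 - - [09/Jul/2023:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 163
198.51.100.7 - - [09/Jul/2023:10:02:00 +0000] "PUT /uploads/notes.txt HTTP/1.1" 201 0
"""

# Captures client, method, request target and status from one log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})\b')
# Extensions a server might hand to an interpreter (assumed list; adjust per site).
SCRIPT_EXT = (".php", ".phtml", ".cgi", ".pl", ".py", ".sh")


def analyze(log_text):
    """Flag the probe -> PUT upload -> execution sequence in an access log."""
    report = {"probes": [], "expect_failures": [], "script_uploads": {}, "executed": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, method, target, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        path = target.split("?", 1)[0]  # ignore the query string
        if method == "OPTIONS":
            report["probes"].append((client, path))
        elif method == "PUT" and status == 417:
            # 417 Expectation Failed: the server refused the request's Expect header
            report["expect_failures"].append((client, path))
        elif method == "PUT" and 200 <= status < 300 and path.lower().endswith(SCRIPT_EXT):
            report["script_uploads"][path] = client
        elif method in ("GET", "POST") and path in report["script_uploads"]:
            # a script that arrived via PUT is now being requested
            report["executed"].append((path, report["script_uploads"][path], client))
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

An entry under `executed` is the signal to review the uploaded file and to check whether PUT needs to be enabled on that path at all.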
