{"id":109,"date":"2017-04-22T03:08:16","date_gmt":"2017-04-22T03:08:16","guid":{"rendered":"http:\/\/kibilogic.com\/?p=109"},"modified":"2017-04-22T14:36:10","modified_gmt":"2017-04-22T14:36:10","slug":"sickos-1-1-vulnhub-challenge","status":"publish","type":"post","link":"https:\/\/kibilogic.com\/?p=109","title":{"rendered":"Sickos 1.1 – vulnhub challenge"},"content":{"rendered":"

After reading quite a few OSCP <\/a>reviews, I have decided that I should take some time and start plugging away at some challenges. OSCP is a hands-on certification unlike the other certs out there, and I feel like I should immerse myself into preparing as much as I can before I sign on for it. <\/p>\n

I\u2019m setting a goal of a minimum of 10 vulnhub<\/a> challenges before I make the plunge with the expectation that I will do considerably more than the minimum. <\/p>\n

The OSCP does not necessarily make any assumptions or require any experience but I\u2019ve read enough and heard first hand that it is not a \u201cwalk in the park\u201d and with a mantra of \u201ctry harder\u201d when you hit a bump in the road, I want to at least start off with some challenges beforehand.<\/p>\n

I start things off with sickos 1.1 and these are my notes. The final part of OSCP is a writeup, so for each challenge I do, I plan to conclude with a writeup. <\/p>\n

This is all about preparing for the OSCP.<\/p>\n

Here goes.<\/p>\n

————–<\/p>\n

The first thing I do is find the machine on my network. <\/p>\n

nmap -sS -O 192.168.1.0\/24<\/p>\n

\"\"<\/a><\/p>\n

Found the machine, now I need to know more about the software and versions.<\/p>\n

nmap -A -T4 -p- 192.168.1.4<\/p>\n

\"\"<\/a><\/p>\n

At this point, I use nikto to see if it can help with identifying known vulnerabilities. <\/p>\n

nikto -h 192.168.1.4 -useproxy http:\/\/192.168.1.4:3128<\/p>\n

\"\"<\/a><\/p>\n

Great, I know that OpenSSH (port 22) and Squid HTTP Proxy (port 3128) are running and the OS is a version of linux (3.2 -4.4)<\/p>\n

There is also a robots.txt file and a possible shellshock vulnerability in \/cgi-bin\/status.<\/p>\n

First thing I look at is the robots.txt file<\/p>\n

I configure the browser (ice weasel) to use manual proxy 192.168.1.4 port 3128<\/p>\n

Then navigate to 192.168.1.4\/robots.txt in the browser.<\/p>\n

\"\"<\/a> <\/p>\n

I see there is a reference to wolfcms and I navigate to 192.168.1.4\/wolfcms in the browser.<\/p>\n

\"\"<\/a><\/p>\n

I have no idea what wolfcms is or does but I see things are posted by the Administrator.<\/p>\n

I do a google search \u201cwolf cms admin\u201d and the first thing to pop up is this:<\/p>\n

\"\"<\/a> <\/p>\n

I immediately find that there are a couple of suggestions related to getting the admin link, \/admin and \/?admin. <\/p>\n

I try both and turns out that the \/?admin worked. <\/p>\n

I now have the admin login page<\/p>\n

\"\"<\/a><\/p>\n

The username and password default password was admin\/admin\u2026this was a guess based on the information and multiple warnings about changing the admin password.<\/p>\n

\"\"<\/a><\/p>\n

The admin:admin works and I browse through all four tabs. <\/p>\n

I notice that in the final “files” tab (green tab) it allows for uploading files. <\/p>\n

\"\"<\/a><\/p>\n

Wolfcms runs php and I have upload access. Let\u2019s see if I can some how get a reverse shell. <\/p>\n

Using metasploit is my first thought but from what I read the OSCP cert provides limitation for using it. <\/p>\n

I need to do as much without metasploit. I don’t want to handicap myself. <\/p>\n

So, a script it is.<\/p>\n

I go with php-reverse-shell, a script that can be uploaded to a web server running php.\u00a0<\/p>\n

The script opens an outbound TCP connection from the webserver to a host and port of your choice and bounds to the TCP connection for an interactive shell. <\/p>\n

Using Pentestmonkey\u2019s php-reverse-shell<\/a>, I upload the file and make the necessary changes as indicated (“CHANGE THIS”). <\/p>\n

I only changed the ip address to my (attacker) machine, I left the port as 1234.<\/p>\n

\"\"<\/a> <\/p>\n

I changed the permissions on the php file from 644 to 777 for everyone.<\/p>\n

\"\"<\/a><\/p>\n

On my machine, I set up netcat to listen for a connection<\/p>\n

nc -lvp 1234<\/p>\n

I searched to see where the php file was uploaded.<\/p>\n

find . -name php-reverse-shell.php <\/p>\n

I run the reverse-shell script by navigating to its location in the browser<\/p>\n

\"\"<\/a> <\/p>\n

That works. <\/p>\n

\"\"<\/a><\/p>\n

I\u2019m in, now I start looking into how I might escalate the privileges<\/p>\n

I check for other user accounts on the machine<\/p>\n

\tcat \/etc\/passwd<\/p>\n

\"\"<\/a><\/p>\n

I check to see if there are any interesting files (configuration, php, etc) related to wolfcms.<\/p>\n

Generally, the root directory for web servers is located in the \/var\/www directory. <\/p>\n

\tls -l \/var\/www
\n ls -l \/var\/www\/wolfcms<\/p>\n

\"\"<\/a><\/p>\n

I check to see what services are running as root<\/p>\n

ps aux | grep root<\/p>\n

I check to see what applications are installed.<\/p>\n

\tls -alh \/usr\/bin<\/p>\n

I check to see if there are any cron jobs scheduled<\/p>\n

\tcrontab -l
\n\tls -al \/etc\/ | grep cron<\/p>\n

After enumerating these things, I focus on the users “root” and “sickos”.<\/p>\n

From listing the services I know that ssh is available.<\/p>\n

One of the interesting files in the \/var\/www\/wolfcms directory ended up being a config.php with what appeared to be login information<\/p>\n

\"\"<\/a><\/p>\n

Armed with this information, I tried to ssh in from my machine.<\/p>\n

ssh root@192.168.1.4 didn\u2019t work<\/p>\n

But ssh sickos@192.168.1.4 did with the password john@123<\/p>\n

\"\"<\/a><\/p>\n

I quickly check to see if the user “sickos” has sudo privileges<\/p>\n

\tsudo -l<\/p>\n

Yep, feeling excited. I logged in as root.<\/p>\n

\tsudo -s<\/p>\n

\"\"<\/a><\/p>\n

And with that, I navigated to the \/root directory and viola!<\/p>\n

\"\"<\/a><\/p>\n

I went with the lowest hanging fruit but considering that there is a shellshock vulnerability, I’m guessing that is another path. I also found a connect.py file that could be yet another option. But this worked first. I will plan to revisit this again at some time to see where the others lead. <\/p>\n","protected":false},"excerpt":{"rendered":"

After reading quite a few OSCP reviews, I have decided that I should take some time and start plugging away at some challenges. OSCP is a hands-on certification unlike the other certs out there, and I feel like I should immerse myself into preparing as much as I can before I sign on for it. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","footnotes":""},"categories":[8],"tags":[],"class_list":["post-109","post","type-post","status-publish","format-standard","hentry","category-pentesting"],"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false},"uagb_author_info":{"display_name":"bridgette","author_link":"https:\/\/kibilogic.com\/?author=1"},"uagb_comment_info":9,"uagb_excerpt":"After reading quite a few OSCP reviews, I have decided that I should take some time and start plugging away at some challenges. OSCP is a hands-on certification unlike the other certs out there, and I feel like I should immerse myself into preparing as much as I can before I sign on for it.…","_links":{"self":[{"href":"https:\/\/kibilogic.com\/index.php?rest_route=\/wp\/v2\/posts\/109","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kibilogic.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kibilogic.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kibilogic.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kibilogic.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=109"}],"version-history":[{"count":36,"href":"https:\/\/kibilogic.com\/index.php?rest_route=\/wp\/v2\/posts\/109\/revisions"}],"predecessor-version":[{"id":139,"href":"https:\/\/kibilogic.com\/index.php?rest_route=\/wp\/v2\/posts\/109\/revisions\/139"}],"wp:attachment":[{"href":"https:\/\/kibilogic.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=109"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kibilogic.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=109"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kibilogic.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=109"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}