Posted in Penetration Testing, web app testing

Sick OS 1.1 Vulnhub VM

Hosted by Vulnhub
Author: D4rk36

Thank you!


 

I do more in depth nmap scans than the usual I post here, however, the finished article is usually the one the yields the most straightforward results.

I’m using VMware Player 12 with NAT networking.

nmap -sS 192.168.187.135 -A

nmap_Sick

I’ve highlighted the ports of interest here. A proxy setup I actually use in my job so it was a little odd to see it in a VM. In order for you to see any websites in this set up we need to point our browser to the IP address and port 3128.

proxy

Once we visit the web page of the Sick OS 1.1 server we get this.

bleh

Not very helpful. Viewing source is a waste of time as there’s nothing there. I ran a dirb scan and found a /robots.txt file.

http://192.168.187.136/robots.txt

robots_sickOS

Oh what do we have here? A /wolfcms directory? Don’t mind if I do.

wolfCMS

I’ve used various content management systems in my time, however, navigating around the site always helps to get a feel for how it’s set up, how it operates and how the links change and to where. Both links don’t really offer much, however their URLs might.

/?articles.html
/?about-us.html

No login page link, so I went out into the ether in search of an answer. I found this post on the WolfCMS forums. Company forums are a haven for excellent information. You can find out a lot about an application from a company forum. Even a fan forum can provide.

https://www.wolfcms.org/forum/topic2034.html

From that we find an admin page link and a few other tasty treats on the forum about a ‘config.php’ page in ‘/var/www/wolfcms’ that could be of use later.

We got to http://192.168.187.136/?admin

loginPageWolfCMS

I searched a few forum posts to see if I could find a default admin login. There’s always a default login for these things. I tried a few things, however, admin:admin was the correct credentials. We get in.

loggedInCMS

On login I received a quick pop-up telling me that Wolf CMS was out of date. Starting to see a theme here. My natural curiosity spots the version number ‘0.8.2’ and flies off to the interwebs for any vulnerabilities. I came across this.

Wolf CMS 0.8.2 – Arbitrary File Upload Exploit

A snippet from the site reads.

This exploit a file upload vulnerability found in Wolf CMS 0.8.2, and possibly prior. Attackers can abuse the
upload feature in order to upload a malicious PHP file into the application with authenticated user, which results in arbitrary remote code

I’m instantly thinking PHP Reverse Shell. Only because I’ve been able to use it so much recently. Why shouldn’t it work here? I navigate to the ‘Files’ tab of the CMS.

PHPupload

As you can see I’ve already got my shell ready to go. No need for Burp or Tamper Data here. we can just upload to the server. Logged in as admin helps with that.

Listen

From this point you’d be opening terminal and a netcat listener

nc -lnvp 1234

We uploaded our shell script to the /Public/ folder so visiting the link below should be enough.

http://192.168.187.136/public/shell.php

Once we hit that, you’ll notice instantly that we have shell on the server. If only everything was as easy as this.

GotShellCMS

A quick python one liner to get us into a familiar bash shell.

python -c ‘import pty;pty.spawn(“bin/bash”)’

So what now?

As with anything, getting shell if you have that type of vulnerability is the easy part. The next part can vary depending on what the server set up is and the type of OS it is.

Again we’re logged in as ‘www-data’ and from earlier VM’s this has been a very limited account. I mentioned earlier that from the forums I obtained some information about a config.php file. To my surprise I was able to navigate to ‘/var/www/wolfcms’ and read the config.php file. In there I found this.

DBUserCMS

We have a root DB user with a password. Excellent. From the forum set up guides no one should be able to do this. One of the first things they get you to do is limit the www-data account. Not here obviously. Don’t always assume you have limited access.

I also found a user called ‘sickos’ with the ID of 1000. Probably a user account created after the server was made. I noted this down for later.

Stuck

I tried various different methods of looking for things that would work here. I was maybe over complicating it. I tried loads of stuff.

  • Previous Priv Esc exploits.
  • Went rooting around in the DB with the credentials I found.Learned a lot about MySQL from that though.

I took a break and chatted with some others in Slack. They were asking how I got on and I explained where I was at. One guy pipes up “Oh yeah just switch user to root on that one” What? you’re kidding…

Off I went to educate myself on this. Surely it can’t be that easy?

switchUserPNG

Yes it was.

gotRoot

So we

  • Switched user to sickos
  • The sudo SU and got a root interactive terminal

I guess my limited time as a Linux user let that one slip. Being a Windows Admin and solely using Windows has me at a disadvantage when it comes to enumerating users, groups and permissions on Linux. Noted for the future.

What did I learn?

I think it would be silly to do these and not take anything away from them. I’d certainly say that it’s not always the most complicated of things that get you root. Look deeper and take note of everything you find, and learn why it is the way it is. I breezed by the sickos account. Probably shouldn’t, however, we learn.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s