This is my writeup for the SickOS 1.2.
Step 1 – Find out SickOs IP
Since all devices are on my home Wi-Fi network, I ran a quick netdiscover scan. The SickOs machine is at 192.168.1.14.
Step 2 – Enumerate the IP to find out open ports, service version, OS etc.
This provides the following attack surface:
- Port 22 – OpenSSH 5.9p1 Debian 5ubuntu1.8
- Port 80 – lighttpd 1.4.28
- OS – Linux
Step 3 – Enumerating web ports
I ran nikto scans, dirb using bigger wordlists, and source code reviews, but was getting nowhere. Dirb did indicate another sub-directory, test, but there’s pretty much nothing there. I revisited my nmap scan outputs in case I might have missed something. I also checked to see if lighttpd 1.4.28 had any known vulnerabilities. I finally decided to look at the image a little more closely, but I wasn’t getting anywhere. At this point, I decided to check if I could upload anything to the server (PUT method). I couldn’t upload anything in the root directory, but upload to the test directory was successful.
At this point, I decided to upload a msfvenom-generated reverse PHP shell.
Reverse shell obtained
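Seen from the server side, the successful PUT to the test directory followed by a request for the uploaded PHP file leaves a recognisable sequence in the web server's access log. The following is an added example, not part of the original writeup: a Python check run over constructed log lines in lighttpd's default access-log layout. The file names, the client address 192.168.1.50 and the timestamps are assumptions.

```python
import re
from urllib.parse import urlsplit

# Client, request line and status from an access-log entry (lighttpd/Apache style).
LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".cgi", ".pl")

# Constructed sample log lines (not taken from the original page).
SAMPLE_LOG = """\
192.168.1.50 192.168.1.14 - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 163 "-" "Mozilla/5.0"
192.168.1.50 192.168.1.14 - [01/Jan/2024:10:02:10 +0000] "OPTIONS /test/ HTTP/1.1" 200 0 "-" "curl/8.0"
192.168.1.50 192.168.1.14 - [01/Jan/2024:10:03:30 +0000] "PUT /upload.txt HTTP/1.1" 403 345 "-" "curl/8.0"
192.168.1.50 192.168.1.14 - [01/Jan/2024:10:03:55 +0000] "PUT /test/notes.txt HTTP/1.1" 201 0 "-" "curl/8.0"
192.168.1.50 192.168.1.14 - [01/Jan/2024:10:05:12 +0000] "PUT /test/a.php HTTP/1.1" 201 0 "-" "curl/8.0"
192.168.1.50 192.168.1.14 - [01/Jan/2024:10:05:40 +0000] "GET /test/a.php HTTP/1.1" 200 0 "-" "curl/8.0"
"""

def find_put_abuse(log_text):
    """Return (kind, client, path) findings in the order they occur."""
    findings = []
    uploaded = set()  # paths created by a successful PUT
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        path = urlsplit(m["target"]).path
        ok = m["status"].startswith("2")
        is_script = path.lower().endswith(SCRIPT_EXTS)
        if m["method"] == "PUT" and ok:
            # Any accepted PUT is worth reviewing; a script upload is high priority.
            uploaded.add(path)
            kind = "script_upload" if is_script else "file_upload"
            findings.append((kind, m["client"], path))
        elif m["method"] in ("GET", "POST") and ok and is_script and path in uploaded:
            # A file written over HTTP is now being served, and likely executed.
            findings.append(("uploaded_script_requested", m["client"], path))
    return findings

if __name__ == "__main__":
    for finding in find_put_abuse(SAMPLE_LOG):
        print(*finding)
```

The rejected PUT to the root directory (403) is ignored, while both accepted uploads under /test and the later request for the uploaded script are reported.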
Reviewing the cron directories, I noted the presence of chkrootkit.
This specific version is vulnerable to a privilege escalation exploit. I created a setuid binary that spawns a shell and whose owner and group membership will be changed to root using the update executable.
After about a minute or so, root access!!!