SickOs 1.2

This is my writeup for SickOs 1.2.

Step 1 – Find out SickOs IP

Since all devices are on my home Wi-Fi network, I run a quick netdiscover scan. The SickOs machine is at

Step 2 – Enumerate the IP to find out open ports, service version, OS etc.

This provides the following attack surface:

  • Port 22 – OpenSSH 5.9p1 Debian 5ubuntu1.8
  • Port 80 – lighttpd 1.4.28
  • OS – Linux

Step 3 – Enumerating web ports

I ran nikto scans, dirb using bigger wordlists, and source code reviews, but was getting nowhere. Dirb did indicate another sub-directory, test, but there’s pretty much nothing there. I revisited my nmap scan outputs in case I might have missed something. I also checked to see if lighttpd 1.4.28 had any known vulnerabilities. I finally decided to look at the image a little more closely, but I wasn’t getting anywhere. At this point, I decided to check if I could upload anything to the server (PUT method). I couldn’t upload anything in the root directory, but upload to the test directory was successful.

At this point, I decided to upload a msfvenom generated reverse php shell

Reverse shell obtained

Reviewing the cron directories, noted the presence of chkrootkit

This specific version is vulnerable to a privilege escalation exploit. Created a setuid binary that spawns a shell and whose owner and group membership will be changed to root using the update executable.

After about a minute or so, root access!!!
