Friday, 3 June 2016

SickOS v1 challenge

Looking for the target, I found (VMware).
Service enumeration:

OK, now we know which services we are able to attack. We can see that our target has an HTTP proxy server on ports 3128 and 8080. Let's configure the proxy server in our web browser. After that, let's browse to http://192.168.1.102

There is nothing. Let's run dirb through the proxy.

The robots file is almost always interesting, so let's examine the file.

OK, let's try browsing to /wolfcms. We can see the screen below.

Excellent! I opened the /wolfcms/?admin URL and checked the admin:admin credentials, and bingo!

Very good! Now we should look for some place to upload our reverse shell. I also found CVE-2015-6567, which supports my idea. I followed the instructions from CVE-2015-6567, created our reverse shell PHP file and named it test.php.

Excellent! We have got a limited shell.
I found that the /var/www directory contains a file with root:root privileges. We can escalate our privileges using this file, because the file is executed periodically. I was also searching for another way to escalate our privileges, and I found in /var/www/wolfcms/config.php

We know from the /home directory that a sickos user exists. Let's try to log in as sickos with the known password.


Game over
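
From the defender's side, the periodically executed root file under /var/www is the kind of finding a cron audit should catch. The following is an added example, not part of the original post: it parses /etc/cron.d-style entries run as root and flags any referenced file that a non-root user could modify or replace. It assumes the weakness is write access to the file or its directory; the cron lines, file names and the use of the current uid in place of root are constructed for the sample.

```python
import os
import shlex
import stat
import tempfile

def weak_perms(path, trusted_uids):
    """Why a non-trusted user could alter `path` (or replace it via its directory), else None."""
    for target in (path, os.path.dirname(path)):
        st = os.stat(target)
        if st.st_uid not in trusted_uids:
            return f"{target} is owned by uid {st.st_uid}"
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return f"{target} is group- or world-writable"
    return None

def risky_cron_targets(cron_text, trusted_uids=(0,)):
    """Files named in root-run /etc/cron.d-style entries that fail weak_perms()."""
    findings = []
    for line in cron_text.splitlines():
        fields = line.strip().split(None, 6)  # 5 time fields, user, command
        if len(fields) < 7 or fields[0].startswith("#") or fields[5] != "root":
            continue
        for token in shlex.split(fields[6]):
            if os.path.isabs(token) and os.path.isfile(token):
                reason = weak_perms(token, trusted_uids)
                if reason:
                    findings.append((token, reason))
    return findings

def demo():
    """Constructed sample: two root jobs, one pointing at a world-writable script."""
    root = tempfile.mkdtemp()
    loose, tight = os.path.join(root, "loose_job.py"), os.path.join(root, "tight_job.py")
    for path, mode in ((loose, 0o777), (tight, 0o755)):
        with open(path, "w") as fh:
            fh.write("# placeholder\n")
        os.chmod(path, mode)
    cron = (
        "# constructed sample in /etc/cron.d format\n"
        "PATH=/usr/sbin:/usr/bin\n"
        f"* * * * * root python {loose}\n"
        f"*/5 * * * * root python {tight}\n"
        f"* * * * * www-data python {loose}\n"
    )
    # The current uid stands in for root so the sample runs unprivileged.
    return loose, tight, risky_cron_targets(cron, {0, os.getuid()})

if __name__ == "__main__":
    for path, reason in demo()[2]:
        print(f"root cron job runs {path}: {reason}")
```

On a real host, pass the contents of the files in /etc/cron.d and leave `trusted_uids` at its default so that only root-owned, non-writable targets pass.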