Friday, 3 June 2016

SickOS v1 challenge

Hi,
Looking for the target, I found 192.168.1.101 (VMware).
Service enumeration:

OK, now we know which services we are able to attack. We can see that our target has an HTTP proxy server on ports 3128 and 8080. Let's configure the proxy server in our web browser. After that, let's browse to http://192.168.1.102

There is nothing. Let's run dirb through the proxy.

The robots file is almost always interesting, so let's examine the file.

OK, let's try browsing to /wolfcms. We can see the screen below.

Excellent! I have run the /wolfcms/?admin URL and I have checked the admin:admin credentials, and BINGO!

Very good! Now we should look for some places to upload our reverse shell. I have also found CVE-2015-6567 for my idea. I have been following the instructions from CVE-2015-6567 and I have created our reverse shell PHP file and named it test.php.

Excellent! We have got a limited shell.
I have found that a connect.py file with root:root privileges is located in the /var/www directory. We can escalate our privileges using this file, because the file is executed periodically. I was also searching for another way to escalate our privileges and I found one in /var/www/wolfcms/config.php

We know from the /home directory that a sickos user exists. Let's try to log in as sickos with the known password.

and

Game over
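
The connect.py escalation above works when a script that root runs on a schedule can be modified by a less privileged account. As an added example (not part of the original post), this audit parses system crontab lines and flags root-run targets whose file or parent directory is not root-owned or is group- or world-writable. The crontab line in the sample is constructed, and that connect.py was modifiable by the web user is an assumption the post does not state.

```python
import os
import re
import stat

# System crontab format (/etc/crontab, /etc/cron.d/*): five time fields, user, command.
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(\S+)\s+(.+)$")

def cron_targets(cron_text):
    """Yield (user, path) for each absolute path named in a crontab command."""
    for line in cron_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if m:
            user, command = m.groups()
            for token in command.split():
                if token.startswith("/"):
                    yield user, token

def weak_bits(path):
    """Describe ownership and permission problems on one file or directory."""
    st = os.stat(path)
    reasons = []
    if st.st_uid != 0:
        reasons.append(f"{path}: owned by uid {st.st_uid}, not root")
    if st.st_mode & stat.S_IWGRP:
        reasons.append(f"{path}: group-writable")
    # A sticky world-writable directory (like /tmp) does not let others replace files.
    sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
    if st.st_mode & stat.S_IWOTH and not sticky_dir:
        reasons.append(f"{path}: world-writable")
    return reasons

def audit(cron_text):
    """Return {script: [reasons]} for root-run cron targets non-root users could alter."""
    findings = {}
    for user, path in cron_targets(cron_text):
        if user != "root" or not os.path.exists(path):
            continue
        reasons = weak_bits(path) + weak_bits(os.path.dirname(path))
        if reasons:
            findings[path] = reasons
    return findings

if __name__ == "__main__":
    # Constructed sample line; on a real host read /etc/crontab and /etc/cron.d/* instead.
    sample = "* * * * * root /usr/bin/python /var/www/connect.py\n"
    for script, why in audit(sample).items():
        print(script, why)
```

Any finding on a root-run job should be fixed by moving the script out of the web root and making it and its directory root-owned with mode 0755 or stricter.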