CTF download: https://www.vulnhub.com/entry/sickos-12,144/
First of all, we find out which IP address the machine has.
In the screenshot below, we see the IP address of the machine.
Then we run the following command using nmap.
Below we see the results.
Looking at the screenshot above, an HTTP server is running on port 80. What are we waiting for? Let's go.
Keanu Reeves welcomes us. He's a John Wick. He is a Neo. He is a 47 Ronin. Anyway, this has nothing to do with our topic, let's continue :D
We'll save the image and examine it.
When we examine the image, we see that we cannot obtain any data.
Now it's time to do directory exploration.
We start searching directories with dirb.
As we saw above, we found 2 results. We will use Nikto for vulnerability scanning.
Looking at the screenshot above, we couldn't find anything for the home directory. Now we will scan the test directory.
Looking at the screenshot, the PUT method is allowed in the test directory, so it is possible to upload files here. We will try to upload a reverse shell.
I will use this one:
https://github.com/pentestmonkey/php-reverse-shell
After downloading it, we have to enter our own IP address in it. You can change the port as you want.
We upload the shell with curl.
We have successfully uploaded the shell, so let's open a shell connection immediately.
Since I set the port variable in the shell to 4444, I have to open the listener on port 4444.
When I visited http://192.168.56.102/test/reverse.php from the address bar, the shell connection was opened.
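From the defender's side, the upload and the request that triggers it leave a clear trail in the web server's access log. The following is an added example, not part of the original write-up: it flags a successful PUT of a script file and any later request to the same path. The log lines are constructed, the combined access-log format is an assumption, and the client addresses are made up.

```python
import re

# Constructed sample lines in combined access-log format (not from the original post).
SAMPLE_LOG = """\
192.168.56.101 - - [10/May/2016:10:01:02 +0000] "GET / HTTP/1.1" 200 163 "-" "Mozilla/5.0"
192.168.56.101 - - [10/May/2016:10:03:40 +0000] "OPTIONS /test/ HTTP/1.1" 200 0 "-" "curl/7.47.0"
192.168.56.101 - - [10/May/2016:10:05:11 +0000] "PUT /test/reverse.php HTTP/1.1" 201 0 "-" "curl/7.47.0"
192.168.56.101 - - [10/May/2016:10:05:59 +0000] "PUT /test/notes.txt HTTP/1.1" 201 0 "-" "curl/7.47.0"
192.168.56.101 - - [10/May/2016:10:06:30 +0000] "GET /test/reverse.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.56.103 - - [10/May/2016:10:07:00 +0000] "PUT /test/blocked.php HTTP/1.1" 403 345 "-" "curl/7.47.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Extensions the server might hand to an interpreter; adjust to the local handler config.
SCRIPT_EXT = (".php", ".php5", ".phtml", ".pl", ".cgi", ".py")


def find_upload_then_execute(log_text):
    """Return one finding per script file written via PUT, with later requests to it."""
    uploads = {}  # path -> finding dict, in order of first upload
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]
        succeeded = m["status"].startswith("2")
        if m["method"] == "PUT" and succeeded and path.lower().endswith(SCRIPT_EXT):
            uploads[path] = {"path": path, "uploader": m["ip"],
                             "uploaded_at": m["ts"], "requested_by": []}
        elif m["method"] in ("GET", "POST") and path in uploads:
            # A request to a freshly uploaded script is the likely execution trigger.
            uploads[path]["requested_by"].append((m["ip"], m["ts"]))
    return list(uploads.values())


if __name__ == "__main__":
    for f in find_upload_then_execute(SAMPLE_LOG):
        state = "EXECUTED" if f["requested_by"] else "uploaded only"
        print(f'{state}: {f["path"]} by {f["uploader"]} at {f["uploaded_at"]}')
```

The durable fix is to disable PUT on the directory, or at least make sure uploaded files there are never passed to the PHP handler.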
We need to be root. We determine the kernel version and the operating system version.
We find the appropriate exploit. https://www.exploit-db.com/exploits/37292
We upload the exploit.
We see that the exploit failed.
We review cron.daily.
When we look here, we see that lighttpd and chkrootkit are run on a scheduled basis. We check the chkrootkit version.
We see that the version is 0.49.
We find the appropriate exploit.
Finally, after running the code below, we become root.
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update