SickOS: 1.1 Vulnhub Walkthrough

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn
Share on whatsapp
WhatsApp

Hello Everyone, In this blog i am posting the walkthrough of Sickos 1.1 . This machine is best for beginners who want to learn penetration testing.

You can Download the machine here.

So, let’s start !!

Let’s, do ARP scan to find the target IP.

arp-scan -l

So, our target IP is 192.168.43.200

Ok, now all you have to do is scan the Target IP.

nmap -sC -sV -Pn 192.168.43.200

Scan result says, There are two ports open 22, 3128.

22- ssh

3128 – http (Website)

So, basically HTTP runs on port 80 and 443. I checked if there is anything running on those ports but it didn’t give me any result.

Let’s check the website which is running on port 3128.

For opening the website running on port 3128 you need to set the proxy in your browser.

So, we have set the proxy. Now lets try opening in the browser.

OK, there is nothing much here.

I thought of doing nikto scan to check if any vulnerability exists.

nikto -h 192.168.43.200 –useproxy http://192.168.43.200:3128

So, after doing nikto i found that /cgi-bin/status is vulnerable to Shellshock vulnerability.

Shellshock Vulnerability – Shellshock is a security bug causing Bash to execute commands. (Remote Code Execution)

Now, i checked for /robots.txt

So, There is one directory /wolfcms let’s check.

So, I googled about wolfcms for to check if there is /admin URL path and I got one.

/wolfcms/?/admin Let’s check,

here, i got the login page.

I tried few default usernames and passwords. Finally found it,

username – admin

password – admin

I got logged in.

Now, we should find place to upload a reverse shell file.

So, i went to files and there i found to upload option .

here, we can upload our php Reverse shell.

So, i uploaded my php reverse shell.

Now, we have to execute this file to get reverse connection.

After trying a lot i have noticed that, the files are getting saved in /public dir.

let’s check,

we got it, before opening the file we should start our nc listner.

nc -nlvp 4444

After starting the listner on your kali terminal, Go back to browser and open reverseshell.php file.

Yes, We got the limited shell.

To get full Interactive shell type ,

python -c “import pty;pty.spawn(‘/bin/bash’)”

Now, let’ go to /wolfcms dir and type ls to list the files.

cd /var/www/wolfcms

ls

when i looked into config.php file ,

I found MYSQL username and password.

As ssh service is also running, let’ try to login there,

I tried to login “root” as the username but i didn’t get access.

After trying lot i thought of keeping “sickos” as the username and the password that we found in the config.php file.

ssh sickos@192.168.43.200

we got logged in.

Now, i tried to move into the root dir.

cd /root

But it denied me.

Now, I used sudo su command

sudo susudo is used for running the command as root privilege whereas su is used for switching the user.

It asked for the password, I entered the password i got in config.php file

Here, it is i got ROOT access !!!

Writer: Anudeep is a Cyber Security Intern at Azure Skynet Solutions Pvt Ltd. You can contact him here.

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn
Share on whatsapp
WhatsApp

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top