Hello everyone. In this blog I am posting the walkthrough of Sickos 1.1. This machine is best for beginners who want to learn penetration testing.
You can download the machine here.
So, let's start!

Let's do an ARP scan to find the target IP.
arp-scan -l

So, our target IP is 192.168.43.200.
OK, now all you have to do is scan the target IP.
nmap -sC -sV -Pn 192.168.43.200

The scan result says there are two ports open: 22 and 3128.
22 – ssh
3128 – http (website)
HTTP normally runs on port 80 and HTTPS on port 443. I checked if there is anything running on those ports but it didn't give me any result.
Let's check the website which is running on port 3128.
To open the website running on port 3128 you need to set the proxy in your browser.

So, we have set the proxy. Now let's try opening it in the browser.

OK, there is nothing much here.
I thought of doing a nikto scan to check if any vulnerability exists.
nikto -h 192.168.43.200 -useproxy http://192.168.43.200:3128

So, after running nikto I found that /cgi-bin/status is vulnerable to Shellshock.
Shellshock vulnerability – Shellshock is a security bug that causes Bash to execute unintended commands (remote code execution).
Now, I checked /robots.txt.

So, there is one directory, /wolfcms. Let's check.

So, I googled wolfcms to check if there is an /admin URL path and I got one:
/wolfcms/?/admin
Let's check.

Here, I got the login page.
I tried a few default usernames and passwords. Finally found it:
username – admin
password – admin

I got logged in.
Now, we should find a place to upload a reverse shell file.
So, I went to Files and there I found an upload option.
Here, we can upload our PHP reverse shell.

So, I uploaded my PHP reverse shell.
Now, we have to execute this file to get a reverse connection.
After trying a lot I noticed that the files are getting saved in the /public dir.
Let's check.

We got it. Before opening the file we should start our nc listener.
nc -nlvp 4444
After starting the listener in your Kali terminal, go back to the browser and open the reverseshell.php file.

Yes, we got a limited shell.
To get a fully interactive shell, type:
python -c "import pty;pty.spawn('/bin/bash')"
Now, let's go to the /wolfcms dir and type ls to list the files.
cd /var/www/wolfcms
ls

When I looked into the config.php file,
I found the MySQL username and password.

As the ssh service is also running, let's try to log in there.
I tried to log in with "root" as the username but I didn't get access.
After trying a lot I thought of using "sickos" as the username with the password that we found in the config.php file.
ssh sickos@192.168.43.200

We got logged in.
Now, I tried to move into the root dir.
cd /root
But it denied me.
Now, I used the sudo su command.
sudo su – sudo runs a command with root privileges, whereas su switches the user.
It asked for the password, and I entered the password I got from the config.php file.

Here it is, I got ROOT access!!!
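
The web-facing steps above (the nikto scan, the Shellshock finding on /cgi-bin/status and the PHP file opened from /wolfcms/public) all leave traces in the web server's access log. The following is an added example, not part of the original walkthrough, showing how a defender could flag them. It assumes Apache's "combined" log format; the log lines, client IP, timestamps and rule names are constructed for illustration.

```python
import re

# Assumed Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A Bash function definition "() {" has no business being in an HTTP header.
SHELLSHOCK = re.compile(r'\(\)\s*\{')
# Scripts served from the CMS upload directory named in the walkthrough.
UPLOADED_PHP = re.compile(r'/wolfcms/public/[^?\s]*\.php', re.I)
SCANNER = re.compile(r'nikto', re.I)

def classify(line):
    """Return the list of rule names (hypothetical labels) a log line triggers."""
    m = LINE.match(line)
    if not m:
        return ["unparsed"]
    findings = []
    if SHELLSHOCK.search(m["referer"]) or SHELLSHOCK.search(m["agent"]):
        findings.append("shellshock-header")
    if UPLOADED_PHP.search(m["path"]) and m["status"] == "200":
        findings.append("php-exec-in-upload-dir")
    if SCANNER.search(m["agent"]):
        findings.append("scanner-user-agent")
    return findings

def scan(lines):
    """Return (line_number, findings) for every line that triggers a rule."""
    hits = []
    for number, line in enumerate(lines, 1):
        findings = classify(line)
        if findings:
            hits.append((number, findings))
    return hits

# Constructed sample log lines (not captured from the real machine).
SAMPLE_LOG = [
    '192.168.43.10 - - [01/Jan/2020:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 197 "-" "() { :; }; CONSTRUCTED-PLACEHOLDER"',
    '192.168.43.10 - - [01/Jan/2020:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 45 "-" "Mozilla/5.00 (Nikto/2.1.6)"',
    '192.168.43.10 - - [01/Jan/2020:10:05:00 +0000] "GET /wolfcms/public/reverseshell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.168.43.10 - - [01/Jan/2020:10:06:00 +0000] "GET /wolfcms/public/images/logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, ", ".join(findings))
```

A hit on the upload-directory rule also points at the underlying fix: the upload directory should not be allowed to execute scripts at all.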
Writer: Anudeep is a Cyber Security Intern at Azure Skynet Solutions Pvt Ltd. You can contact him here.