It’s been a while since I’ve posted here. Summers are always busy, but I’ve tried to find time to further my continuing education in information security. I’ve started working a bit with PentesterLab Pro in an attempt to improve my web vulnerability exploitation, as well as some boxes on Vulnhub.

The following is my walkthrough for the SickOS 1.1 machine.

1. I started off with a simple TCP nmap scan of the system and found three common ports open and serving.

2. I attempted to see if I could access what was listening on port 8080 by browsing to http://172.16.27.187:8080 in a web browser, and was unable to connect.

3. Noting that TCP port 3128 is normally used by a Squid proxy, I configured my browser to use that proxy server for web requests to see if I could access what was on port 8080.


3. Attempts to access a web page on TCP port 8080 were still unsuccessful; however, it appeared that I could now reach something on the standard HTTP port 80.


4. Now that I knew I could access the web application via the proxy, I needed to scan the host with nikto to see if I could find anything to work with. To do this I edited /etc/nikto.conf and added the following.

5. The following command was used to run nikto, ensuring the proxy was used.

Through this scan a robots.txt file was discovered in the root directory. The following were its contents.

6. It looks as though the administrator doesn’t want us to see the /wolfcms folder (although the spelling mistakes would render that line useless). With that said, I decided to focus my attention on that folder and found it serving a CMS called Wolf CMS. A quick search on exploit-db.com shows that it has had a few vulnerabilities over the years.

7. I ran dirb (again through the proxy) to check for any folders of interest.

During this scan a directory named “Public” was discovered which had directory listing enabled.

I made note of this and moved on.

8. A quick Google search shows the admin panel should be accessible at /?admin if mod_rewrite is not enabled and simply /admin if it is. /admin does not work; however, /?admin does, and I’m presented with a login page.

9. It doesn’t appear as though Wolf CMS has a default username / password, but we get lucky with the tried and true admin / admin combination and are granted access to the back end.

10. Upon logging in I see that the Wolf CMS version is 0.8.2, which is known to have an arbitrary file upload vulnerability. I plucked a PHP reverse shell from pentestmonkey.net, configured its settings, navigated to Files and uploaded the file. During the upload I noticed it appeared to be stored in a /public directory.


11. Navigating to the phone-home.php file via the CMS would simply show the PHP code. I set up a reverse shell listener on TCP port 443 and then navigated to /wolfcms/public/phone-home.php, and a limited shell was returned.

12. Through some poking around it looked as though there was a cron job that ran regularly with root privileges from /var/www/, a directory browsable by the limited user we’re running as (www-data). The file executed was called connect.py.

13. From there all that was left to do was replace that connect.py with code of my own, spin up a shell and then sit and wait. The following code, from TrustedSec, was used.

14. All that remained was to start a listener on port 9998 and wait for the connection to come in.
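The root cause of this privilege escalation is a root cron job executing a script that the web server user could modify. The audit script below is an added example, not code from the original post or from TrustedSec: it walks /etc/crontab- or /etc/cron.d-style entries run by root and reports any script (or its parent directory) that a user other than the trusted owner could change. It assumes the system crontab format with a user field (per-user crontabs from `crontab -l` omit that field and are not handled), and the `demo()` function builds a constructed temporary layout with a placeholder connect.py rather than touching real system paths.

```python
#!/usr/bin/env python3
"""Audit system-crontab entries run by root and flag scripts that a
lower-privileged user could modify (example code, not from the post)."""
import os
import re
import shutil
import stat
import tempfile

TIME_FIELDS = 5  # minute hour day-of-month month day-of-week


def parse_system_cron_line(line):
    """Return (user, command) for one system-crontab line, or None for
    blanks, comments, variable assignments and malformed lines."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+=", line):
        return None
    if line.startswith("@"):  # "@daily user command" form
        parts = line.split(None, 2)
        return (parts[1], parts[2]) if len(parts) == 3 else None
    parts = line.split(None, TIME_FIELDS + 1)
    if len(parts) < TIME_FIELDS + 2:
        return None
    return parts[TIME_FIELDS], parts[TIME_FIELDS + 1]


def absolute_paths(command):
    """Every absolute-path token in the command that is an existing regular
    file, so 'python /var/www/connect.py' yields the script itself."""
    return [tok for tok in command.split()
            if tok.startswith("/") and os.path.isfile(tok)]


def check_path(path, trusted_uid=0):
    """List reasons why `path` or its parent directory could be changed by
    someone other than the trusted owner (uid 0 on a real system)."""
    reasons = []
    parent = os.path.dirname(path) or "/"
    for target, label in ((path, "script"), (parent, "parent directory")):
        st = os.stat(target)
        is_dir = stat.S_ISDIR(st.st_mode)
        if st.st_uid != trusted_uid:
            reasons.append(f"{label} {target} is owned by uid {st.st_uid}")
        # A sticky, world-writable directory (like /tmp) does not let
        # others replace files they do not own, so it is not flagged.
        sticky_dir = is_dir and st.st_mode & stat.S_ISVTX
        if st.st_mode & stat.S_IWOTH and not sticky_dir:
            reasons.append(f"{label} {target} is world-writable")
        elif st.st_mode & stat.S_IWGRP:
            reasons.append(f"{label} {target} is group-writable")
    return reasons


def audit_cron_lines(lines, trusted_uid=0):
    """Map each root-run script that fails check_path() to its findings."""
    findings = {}
    for line in lines:
        parsed = parse_system_cron_line(line)
        if parsed is None:
            continue
        user, command = parsed
        if user != "root":
            continue
        for path in absolute_paths(command):
            reasons = check_path(path, trusted_uid)
            if reasons:
                findings[path] = reasons
    return findings


def audit_file(crontab_path="/etc/crontab", trusted_uid=0):
    """Audit a real crontab file on the host (run this as root)."""
    with open(crontab_path) as fh:
        return audit_cron_lines(fh, trusted_uid)


def demo():
    """Run the audit over a constructed layout in a temporary directory:
    one root cron job whose script is world-writable (the connect.py
    pattern from the walkthrough) and one whose script is locked down."""
    root = tempfile.mkdtemp()
    try:
        www = os.path.join(root, "var", "www")
        os.makedirs(www)
        os.chmod(www, 0o755)
        bad = os.path.join(www, "connect.py")   # constructed placeholder
        good = os.path.join(root, "backup.sh")  # constructed placeholder
        for p, mode in ((bad, 0o666), (good, 0o700)):
            with open(p, "w") as fh:
                fh.write("# placeholder\n")
            os.chmod(p, mode)
        lines = [  # constructed crontab content
            "# constructed /etc/crontab",
            "SHELL=/bin/sh",
            f"* * * * * root python {bad}",
            f"0 3 * * * root {good} >/dev/null 2>&1",
            "*/5 * * * * www-data /usr/bin/touch /tmp/heartbeat",
        ]
        # Treat the current uid as trusted so only the mode bits matter here.
        return audit_cron_lines(lines, trusted_uid=os.getuid())
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

On a real host, `audit_file()` with the default `trusted_uid=0` is the useful call; the fix for anything it reports is to make the script and its directory root-owned and not group- or world-writable, which is exactly what would have stopped the connect.py replacement above.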

Thanks for reading!