vulnhub: sickos 1.1 walkthrough

I just spotted a VM on Vulnhub that promised to be like OSCP. So I had to grab it: https://www.vulnhub.com/entry/sickos-11,132/

It was quite easy but still a lot of fun! As I managed to root it in roughly 45 minutes and the exploitation path is quite obvious, I'm going with a minimalistic walkthrough.

Here we go:

1. Every good day starts with an nmap scan!

Given that I'm in a VM I just went in loud:

[Screenshot]

2. I'm as hard as a jelly fish

One thing always to go for with an open proxy is to see if you can access a webserver that is only listening on the loopback interface:

[Screenshot]

Bingo!
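The defensive counterpart of this step, as an added example that is not part of the original post: a destination check a forward proxy can apply so that client requests are not relayed to services bound to its own loopback interface. The function names, the resolver table and the sample hostnames are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_ip(text):
    """Return an ip_address object if text is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def lands_on_proxy_host(ip):
    """True if a connection to ip would be delivered to the proxy machine itself."""
    # ::ffff:127.0.0.1 is IPv4 loopback wrapped in IPv6: judge the embedded address.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    # Assumption: 0.0.0.0 and :: are refused too, since a connect to the
    # unspecified address is delivered locally on common platforms.
    return ip.is_loopback or ip.is_unspecified

def proxy_should_deny(target, resolve):
    """Decide whether a forward proxy should refuse a request.

    target  -- absolute URL from a GET line, or host:port from a CONNECT line
    resolve -- callable(hostname) -> list of IP strings; it must be the same
               lookup the proxy connects with, so the check and the use agree
    """
    try:
        host = urlsplit(target if "://" in target else "//" + target).hostname
    except ValueError:
        return True                      # malformed target: fail closed
    if not host:
        return True                      # no host at all: fail closed
    literal = parse_ip(host)
    found = [literal] if literal is not None else [parse_ip(a) for a in resolve(host)]
    if not found or None in found:
        return True                      # no usable answer: fail closed
    return any(lands_on_proxy_host(ip) for ip in found)

# Constructed resolver table standing in for DNS so the example runs offline.
SAMPLE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "www.example.org": ["203.0.113.10"],
    "alias.example.net": ["127.0.0.1"],   # ordinary-looking name, loopback answer
}

def sample_resolve(hostname):
    return SAMPLE_DNS.get(hostname, [])
```

Checking the resolved addresses rather than the hostname string is what catches names that merely point at loopback.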

3. webserver problem? nikto will find it

So much vulns so wow:

[Screenshot]

Definitely some shellshock here but I went another way:

4. dirbdirbdirbdirbdirbdirbdirbdirbdirb

[Screenshot]

robots.txt of course:

[Screenshot]

5. the server who cried wolf

A small cms called “wolfcms”:

[Screenshot]

I can already smell where this is going! But how to get to the admin login?
/admin, /login and other usual suspects do not work… Let's ask Google:

[Screenshot]

Where is waldo….errrr admin? -> /?admin

[Screenshot]

Can you guess it?

6. Never go full retard! But always go with admin:admin first!

At this point I figured this will be an easy one:

[Screenshot]

A file upload function, how nice! As I still had DAws lying around from my last Vulnhub machine (D4rknet writeup here), I just went with that:

[Screenshot]

7. We’ve got shell \o/

[Screenshot]

Some basic post-exploit reconnaissance:

[Screenshot]

Equipped with the MySQL root pw, let's check for PW reuse!

8. This… was… too… easy… :)

[Screenshot]

This was rather easy but still fun! A refreshing contrast to all those reverse engineering hardcore VMs which are dominating vulnhub lately!

Props to D4rk (@D4rk36) for this! Even an “easy” VM is still loads of work to prepare and I really appreciate that! Also he is spot on with this being a lot like OSCP. If you have done OSCP, hacking this VM feels kinda natural :)

Regards
Sebastian
