Sick_OS 1.1 [vulnhub]→ walkthrough

  • Writer: Abhishek Saini
  • Aug 12, 2022
  • 2 min read

We will be looking at how to solve the Sick_OS 1.1 machine. In this machine we have to find the root flag. You can download the machine from this link: SickOs: 1.1 ~ VulnHub

Tools used:

  • Arp-scan

  • Nmap

  • Dirb

  • Nikto

  • Netcat


Let’s Crack the Machine


Scanning:

  • Scanning the network and identifying the host IP address.

arp-scan -l

We found the host IP address 192.168.0.108 by using arp-scan.

Now we are using nmap for port enumeration.

nmap -A -p- 192.168.0.108

Here we have 3 ports open:

  1. ssh at port 22

  2. Http-proxy at 3128

  3. Closed http-proxy at 8080


To access the IP on the web we have to set our proxy to “192.168.0.108:3128”; only then can we access the web page.

Now we will use nikto on the web page with a proxy.

nikto -h http://192.168.0.108/ -useproxy http://192.168.0.108:3128

Here we found the /robots.txt file and much more information, but for now we are going to check the robots.txt file.

From robots.txt we found the directory “/wolfcms”.

Now we check all possible links in the web page. After that we found a link “http://192.168.0.108/wolfcms/?” where we can fuzz for more web pages using dirb.

dirb http://192.168.0.108/wolfcms/? -p 192.168.0.108:3128

From fuzzing we found the admin page.


On the admin page we can use default credentials like “admin/admin”. After that we can see the upload functionality, which can be used for php-shell upload.

After that we have to find the directory where our shell is uploaded. For that we again use dirb.

dirb http://192.168.0.108/wolfcms/ -p 192.168.0.108:3128

Here we have the /public/ directory, which contains our shell script. Now we can use netcat and establish the reverse shell.

Now we have to start a netcat listener and click the shell code we uploaded earlier.

nc -nvlp 1234

Now we can check the config.php file, which contains the sickos user password, that is “john@123”.

After that we can switch to the “sickos” user using the password “john@123”.

su sickos

And once we have switched to sickos, we can check what access the sickos user has.

Now as we have root access, change the current directory to root directory.

cd /root

And cat the flag file.

