In this post we will look at how to solve the Sick_OS 1.1 machine. The goal on this machine is to find the root flag. You can download the machine from VulnHub: SickOs: 1.1 ~ VulnHub
Tools used:
Arp-scan
Nmap
Dirb
Nikto
Netcat
Let’s Crack the Machine
Scanning:
Scanning the network and identifying the host IP address.
arp-scan -l
We found the host IP address 192.168.0.108 by using arp-scan.
Next we use nmap for port enumeration.
nmap -A -p- 192.168.0.108
Here we have 3 ports open:
ssh at port 22
Http-proxy at 3128
Closed http-proxy at 8080
To reach the web server on this IP, we have to set our proxy to “192.168.0.108:3128”; only then can we access the web page.
Now we will run nikto against the web page through the proxy.
nikto -h http://192.168.0.108/ -useproxy http://192.168.0.108:3128
Here we found the /robots.txt file and much more information, but for now we are going to check the robots.txt file.
From robots.txt we found the directory “/wolfcms”
Now we check all the links on the web page. Among them we found the link “http://192.168.0.108/wolfcms/?”, which we can fuzz for more web pages using dirb.
dirb http://192.168.0.108/wolfcms/? -p 192.168.0.108:3128
From fuzzing we found the admin page.
On the admin page we can log in with default credentials like “admin/admin”. After that we can see the upload functionality, which can be used for a PHP shell upload.
After that we have to find the directory where our shell was uploaded; for that we use dirb again.
dirb http://192.168.0.108/wolfcms/ -p 192.168.0.108:3128
Here we have the /public/ directory, which contains our shell script. Now we can use netcat to establish the reverse shell.
Now we have to start a netcat listener and click the shell we uploaded earlier.
nc -nvlp 1234
Now we can check the config.php file, which contains the sickos user's password, “john@123”.
After that we can switch to the “sickos” user using the password “john@123”.
su sickos
After switching to sickos, we can check what access the sickos user has.
Now that we have root access, change the current directory to the root user's home directory.
cd /root
And cat the flag file.
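From the defender's side, the script uploaded to /wolfcms/public/ shows up in the web server's access log as a request for a PHP file inside the upload directory. The following is an added example, not part of the original walkthrough: it scans access-log lines for such requests. The Apache combined log format, the extension list and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache "combined" format (assumed): host ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
UPLOAD_DIR = "/wolfcms/public/"  # upload directory named in the walkthrough
# Extensions commonly mapped to the PHP handler (assumed list); "(/|$)" also
# catches PATH_INFO style requests such as /public/x.php/extra
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(/|$)", re.IGNORECASE)

# Constructed sample log lines, not taken from the target machine
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Jan/2024:10:00:01 +0000] "GET /wolfcms/public/images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [10/Jan/2024:10:02:13 +0000] "GET /wolfcms/public/upload1.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [10/Jan/2024:10:03:40 +0000] "GET /wolfcms/public/%75pload2.PHP?x=1 HTTP/1.1" 404 210 "-" "curl/8.0"',
    '127.0.0.1 - - [10/Jan/2024:10:04:00 +0000] "GET /wolfcms/?articles.html HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
]

def find_upload_dir_script_hits(lines, upload_dir=UPLOAD_DIR):
    """Return {path: [(time, host, status), ...]} for script requests under upload_dir."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        raw = m["path"].split("?", 1)[0]           # drop the query string
        path = posixpath.normpath(unquote(raw))    # undo %-encoding and ../ tricks
        if path.startswith(upload_dir) and SCRIPT_EXT.search(path):
            hits[path].append((m["time"], m["host"], int(m["status"])))
    return dict(hits)

def executed(hits):
    """Paths that were served with HTTP 200 at least once."""
    return sorted(p for p, evs in hits.items() if any(s == 200 for _, _, s in evs))

if __name__ == "__main__":
    for path in executed(find_upload_dir_script_hits(SAMPLE_LOG)):
        print("script served from upload directory:", path)
```

A 200 response on such a path is the signal to investigate; the underlying fix is to stop the web server from passing files in the upload directory to the PHP interpreter and to change the default admin credentials.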