Open in app

Sign in

Write

Sign in

SICKOS:1.2 Vulnhub Walkthrough

Russell Murad
4 min readJan 11, 2021

Hello Guys! This is Russell Murad working as a Junior Security Engineer at Enterprise Infosec Consultants (EIC).

In the previous post, we’ve solved a vulnhub machine called “SickOS:1.1”.

Today, we’ll see how to solve “SickOS:1.2” easily.

So, let’s get started!

I’ve configured both Vulnhub machine and my kali machine on the Virtualbox bridge connection.

  1. First, we are going to check our victim machine’s IP using arp-scan.

2. Then we need to find some open ports using nmap.

3. Here we’ve found two-port — 22 for SSH and 88 for HTTP. There is also a directory named “/test/” which we will use for future enumeration.

Let’s browse the site now.

4. It’s simply a troll page! Nothing important here. So, for more info, let’s check the source.

It says, “NOTHING IS HERE”.

5. Now, in this situation, we can run Nikto for server vulnerability discovery. But then again, nothing useful will found. After that, we’ll go for Directory Bruteforce using goBuster.

6. The “/~sys~” directory has a 403 forbidden error. But another directory called “test” will be like this.

7. It’s time to check the webpage with curl.

8. We can see there is a PUT method that we can use to leverage shell uploading. We’ll use Pentest Monkey’s reverse shell here…

9. We’ll fire a Netcat listener and click the shell file from the browser.

10. If you check the System && Kernel version, We’ll see that it’s Ubuntu 12.04.4 LTS. Most of this version has the vulnerability called “Dirty Cow”.

11. Let’s check it’s exploit file in dirty cow CVE’s official site.

12. We’ll download this exploit into our kali machine and by making a python SimpleHTTPServer we’ll transfer this into our target machine.

13. We’ll compile the exploit with GCC and run the executable file. By using this exploit we can modify and change the password.

14. Now, we’ll log in to our SSH with the new password we’ve created.

For the sake of making our exploit stable we need to run the following command, “echo 0 > /proc/sys/vm/dirty_writeback_centisecs”

Otherwise, the victim system will get freeze and reboot.

There’s an issue closed in Github about this problem.

15. Now we can see we have the root privilege and the flag file.

This box was a little bit confusing while enumerating. But overall it was worth trying.

So, guys, that’s it for today.
Thank you for reading this write-up. Cheers!

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Russell Murad
Russell Murad

Written by Russell Murad

27 Followers
523 Following

No responses yet

Write a response

What are your thoughts?

More from Russell Murad

See all from Russell Murad

Recommended from Medium

Lists

Staff picks

826 stories1649 saves

Stories to Help You Level-Up at Work

19 stories948 saves

Self-Improvement 101

20 stories3355 saves

Productivity 101

20 stories2818 saves
See more recommendations

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams