Kioptrix 1.1 (Level 2) Walkthrough

Introduction

Today we're going to do a boot2root pentest walkthrough of Kioptrix 1.1 (Level 2). We will be using two virtual machines for this pentest: a Kali Linux VM as the attacking machine, and the target machine, Kioptrix 1.1 (Level 2), created by Kioptrix and hosted at https://www.vulnhub.com/entry/kioptrix-level-11-2,23/ .

Discovering the Target

The first thing we do after booting up both VMs is locate the target machine from the Kali machine with netdiscover, which sweeps the local subnet with ARP requests and lists the hosts that answer.

It looks like the machine at 10.0.2.13 is the one we're looking for.

Scanning and Enumeration

Next, we do a quick scan with Nmap to discover open ports on the target machine.

We'll also do a quick UDP scan.

From here, we can run a more in-depth Nmap scan restricted to the ports we have identified as open, so that version detection and script scanning only spend time where something is actually listening.
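The follow-up scan needs the list of open ports from the quick scan. Below is an added example (not from the original post) that pulls that list out of Nmap's grepable output (`-oG`) and builds the `-p` argument for the deeper scan. The sample output is constructed for the demo; the ports and services in it are illustrative, not the actual results against 10.0.2.13.

```python
"""Extract open ports from nmap grepable (-oG) output and build the port
list for a follow-up scan. Added example; not code from the original post."""
import re

# Constructed sample of `nmap -oG` output. Field layout per port is
# port/state/protocol/owner/service/rpc/version/ ; the values are made up.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated Mon Jan  1 00:00:00 2020 as: "
    "nmap -sS -oG quick.gnmap 10.0.2.13\n"
    "Host: 10.0.2.13 ()\tStatus: Up\n"
    "Host: 10.0.2.13 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "111/open/tcp//rpcbind///, 443/open/tcp//https///, "
    "3306/open/tcp//mysql///, 631/filtered/tcp//ipp///"
    "\tIgnored State: closed (994)\n"
    "# Nmap done at Mon Jan  1 00:00:10 2020 -- 1 IP address (1 host up) "
    "scanned in 10.00 seconds\n"
)

# port / state / protocol / (empty owner) / service
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")


def open_ports(gnmap_text, proto="tcp"):
    """Return {host: [(port, service), ...]} for ports nmap reported as open."""
    result = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                      # comments and Status-only lines
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\tIgnored", 1)[0]
        found = [
            (int(port), service)
            for port, state, pr, service in PORT_RE.findall(ports_field)
            if state == "open" and pr == proto
        ]
        result.setdefault(host, []).extend(sorted(found))
    return result


def port_arg(ports):
    """Format a port list for nmap's -p option, e.g. '22,80,443'."""
    return ",".join(str(p) for p, _ in ports)


def followup_command(host, ports):
    """Deeper scan limited to the open ports: version detection plus
    default NSE scripts. Flags are the usual choice, not the post's own."""
    return ["nmap", "-sV", "-sC", "-p", port_arg(ports), host]


if __name__ == "__main__":
    for host, ports in open_ports(SAMPLE_GNMAP).items():
        print(" ".join(followup_command(host, ports)))
```

The filtered port (631 in the sample) is deliberately left out: a filtered port gives version detection nothing to talk to.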

We'll also run a Nikto scan against the target's web server, but it doesn't reveal much. The next scan we perform is with Nessus:

The results point to two strong candidates for attack: the unsupported OS version and the outdated PHP version. The OS on the target appears to be CentOS 4.5.

Finding a Way In

Searching online for “CentOS 4.5 Exploit” brings us to an exploit info page on exploit-db.com:

This is a privilege escalation exploit matching the target's OS version, but it is a local exploit: it has to be compiled and run on the target itself, so we first need a remote shell by some other means and can only then upload and use the exploit.

At this point, we take a look at the target machine's webpage:

This login form is all that's on the target's homepage, but since we know from our scans that this system is running MySQL, the form is very likely checking credentials against a database, so we attempt an SQL injection authentication bypass.

Using the above SQL injection, we are able to log in and are brought to the following page:
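The bypass works because the login builds its query by pasting the submitted username and password straight into the SQL string. The following is an added example, not the target's own code: the shape of the query is an assumption about the target's PHP login, modelled here with an in-memory SQLite table instead of MySQL, with constructed credentials. It shows the vulnerable query falling to two classic payloads and the parameterized version rejecting them.

```python
"""Why the login form falls to SQL injection, and the parameterized fix.
Added example; the query shape is an ASSUMPTION about the target's login,
reproduced with SQLite rather than MySQL."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed credentials for the demo; not the real ones on the box.
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret-demo')")
    return db


def vulnerable_login(db, username, password):
    """String-concatenated query: user input becomes part of the SQL."""
    query = ("SELECT * FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return db.execute(query).fetchone() is not None


def safe_login(db, username, password):
    """Placeholders: input is bound as data and can never change the query."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


# Tautology: WHERE ... OR '1'='1' is always true, so any row matches.
TAUTOLOGY = "' OR '1'='1"
# Comment-out: everything after "-- " (note the trailing space, which MySQL
# requires) is ignored, so the password check disappears entirely.
COMMENT_OUT = "admin' -- "


def demo():
    db = make_db()
    return {
        "vuln_tautology": vulnerable_login(db, TAUTOLOGY, TAUTOLOGY),
        "vuln_comment": vulnerable_login(db, COMMENT_OUT, "anything"),
        "safe_tautology": safe_login(db, TAUTOLOGY, TAUTOLOGY),
        "safe_comment": safe_login(db, COMMENT_OUT, "anything"),
        "safe_real": safe_login(db, "admin", "S3cret-demo"),
        "safe_wrong": safe_login(db, "admin", "nope"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-15s logged in: %s" % (name, ok))
```

With the tautology payload the resulting query reads `... username = '' OR '1'='1' AND password = '' OR '1'='1'`, and because `AND` binds tighter than `OR`, the final `OR '1'='1'` makes the whole condition true. With placeholders the same strings are compared literally against the stored values and match nothing.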

This page has a function that pings a machine on the target's network, so we try it out with localhost as the parameter.

The result of this input brings us to a new page called pingit.php, and the returned text looks identical to the output of the ping command on a Linux command line, which makes us suspect that the input from the previous page is being passed straight to the target's shell as an argument to ping. We test this idea by going back to the previous page and typing localhost ; ls into the field, which yields the following on the next page:

So it looks like after the ping command finished, the shell ran our ls and listed the web app's current directory. Those files appear to be the two PHP pages we've been browsing.
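The ping page behaves this way because it concatenates the submitted host into a single command string and hands it to a shell, so `;` ends the ping command and starts ours. The block below is an added example, not pingit.php itself: the `shell_exec`-style concatenation is an assumption about the target, reproduced in Python beside a hardened version that validates the host and runs ping without a shell. The injected input uses `echo` so the demo works whether or not ping answers.

```python
"""The ping form's command injection and the hardened version.
Added example; the string concatenation is an ASSUMPTION about how
pingit.php builds its command, reproduced here in Python."""
import ipaddress
import re
import subprocess


def vulnerable_ping(target):
    """Builds 'ping -c 1 -W 1 <target>' as ONE shell string. Shell
    metacharacters in target (; | && $( ) `) are honoured by /bin/sh."""
    cmd = "ping -c 1 -W 1 %s" % target
    proc = subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, timeout=15)
    return proc.stdout + proc.stderr


# RFC 1123 style hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_target(target):
    """Allow only an IP address or a DNS hostname; reject everything else."""
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("invalid ping target: %r" % target)


def is_rejected(target):
    """True if validate_target refuses the input."""
    try:
        validate_target(target)
    except ValueError:
        return True
    return False


def safe_ping(target):
    """Validates input, then passes it as a single argv element. No shell
    parses the command, so metacharacters cannot add a second command."""
    target = validate_target(target)
    proc = subprocess.run(["ping", "-c", "1", "-W", "1", target],
                          capture_output=True, text=True, timeout=15)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    print(vulnerable_ping("localhost ; echo INJECTED"))
    print("rejected:", is_rejected("localhost ; echo INJECTED"))
```

The argv form alone already stops the injection; the allow-list on top of it also blocks option injection (a target beginning with `-` being read by ping as a flag) and keeps the error message specific.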

If we can inject commands into the target system through the web app, we can potentially gain a reverse shell on the target by setting up a netcat listener on our attacking machine, then running a reverse shell one-liner through the web app so the target connects back to us.

First, we have to set up the netcat listener on our attacking machine:

Then we send the bash one-liner through the web app.

The one-liner command we used was obtained from this useful website:

    pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

After clicking the submit button, our reverse shell is established.

Privilege Escalation

Now that we have a shell on the target system (running as the web server's user, since it was spawned by the web app), we can use the CentOS 4.5 privilege escalation exploit to gain root. The first step is to get the exploit onto the target, so we download the exploit code to our attacking system, then serve it with Python's SimpleHTTPServer module (the Python 2 name; http.server in Python 3) to give the target a place to download from:

Then, from our reverse shell on the target system, we change to the /tmp/ directory, where we have write permissions, and use wget to download the exploit code from our attacking machine:

From here, we can compile the exploit on the target using gcc (this box has a compiler installed; if it didn't, we would have to compile on a matching system and upload the binary instead).

Then execute the file:

Success! The exploit worked, and we have been elevated to root.

Summary

After doing our initial scans, we discovered two issues flagged as high severity: the outdated OS version and the outdated PHP version. Searching for an exploit based on the OS version gave us a match, but it was a local exploit, so we needed a shell on the target before we could use it. We then looked at the target's web server and found that the login page was vulnerable to an SQL injection authentication bypass. Once logged in, we tested the web app's ping function and found it vulnerable to command injection, which we used to establish a reverse shell. Finally, with a shell on the box, we uploaded the exploit, compiled it, and ran it to gain root access.

Finish