The Kioptrix Level 2 challenge was quite hard compared to Kioptrix Level 1. We have to understand the web application and try different ways of finding a vulnerability.
Requirements:
VMware
Kioptrix level 2 challenge
Kali [strictly depends on your choice]
So let's dive in:
-> nmap 192.168.0.1/24
So my Kioptrix machine has the IP address 192.168.0.108. Let's scan the open ports and find the services running on them.
-> nmap -sV 192.168.0.108
-> nmap -sV -A 192.168.0.108
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-03-14 10:01 EDT
|_ssl-date: 2017-03-14T10:40:22+00:00; -3h22m16s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_RC4_128_WITH_MD5
631/tcp open ipp CUPS 1.1
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:95:15:33 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 – 2.6.30
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.26 ms 192.168.0.108
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.85 seconds
So the very first thing I thought of after all this was to look for an exploitable version. CUPS 1.1 has the PUT method allowed and I tried to poke around it, but I got nothing. The next thing I did was look at the website running on port 80. It looks like this:
As you can see in the screenshot, I tried SQL injection on the username and password fields. In my case the '--' comment does not work in the username field but '#' does, and the injection:
-> 'or'a'='a
works like a charm.
username: 'or'a'='a
password: 'or'a'='a
or
username: admin' #
password: *blank*
-> Try pinging some IP and see the response. Here code injection in the PHP ping page could occur: we can inject OS commands directly, stacked after the IP address, and see the output. '&&' and ';' let us stack commands; '|' is the pipe, used when we need to feed the output of one command into the input of another, but for now it is not required.
-> We can try out commands such as:
whoami
uname
hostname
cat /etc/passwd
lsb_release
uname -r
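Both injection points above (the login form and the ping box) come down to the same defect: user input spliced into a query or command string. As an added illustration that is not part of the original write-up or of the Kioptrix machine's own code, here is a small Python model of the vulnerable login query beside its parameterized form, plus a ping handler that accepts only a literal IP address and never goes through a shell (the SQLite table, the user row and the payloads are constructed for the demo).

```python
import ipaddress
import sqlite3

# Constructed sample user table. The challenge box runs MySQL (port 3306 in
# the scan), so the MySQL-only '#' comment variant is not modelled here.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return db

def login_concat(db, username, password):
    """Vulnerable: input spliced into the query, so 'or'a'='a turns the
    WHERE clause permanently true and the lookup succeeds without a password."""
    sql = (f"SELECT 1 FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return db.execute(sql).fetchone() is not None

def login_param(db, username, password):
    """Hardened: bound parameters keep the quotes inside the value, so the same
    payload is compared as a literal username and simply does not match."""
    sql = "SELECT 1 FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None

def ping_argv(target):
    """Hardened ping handler: accept only a literal IPv4/IPv6 address and
    return an argv list meant for subprocess.run(argv) with shell=False, so
    ';', '&&' and '|' never reach a shell. Returns None on rejected input."""
    try:
        ip = ipaddress.ip_address(target.strip())
    except ValueError:
        return None
    return ["ping", "-c", "3", str(ip)]

if __name__ == "__main__":
    db = make_db()
    payload = "'or'a'='a"
    print("concatenated query bypassed:", login_concat(db, payload, payload))
    print("parameterized query bypassed:", login_param(db, payload, payload))
    print("clean target:", ping_argv("192.168.0.106"))
    print("stacked target:", ping_argv("192.168.0.106; whoami"))
```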
-> For now, let's try to open an interactive bash shell and connect it back to our machine for a better view. Before doing that, open a listener on your machine on any port [in my case it's 4444], then write the following command in the ping input box:
192.168.0.106 is my Kali machine, and netcat is listening on it.
Once you submit this, the page that opens stays busy and netcat notifies us that we have the shell.
Now this command shell is no different from the one we have been using through the web page, but it gives a better view. If you run whoami, you get the response apache, which simply means we are not root and have the limitations of the apache user. To get past this we need to find a vulnerability in the system itself, or through some port, to escalate our privileges. So after looking around a bit, I checked the kernel version:
A little search on kernel 2.6.9 will give you an exploit:
Let's download this exploit. We are not allowed to write to any directory other than /tmp, so let's download the exploit to the /tmp/ directory and run it from there.