Monday, June 4, 2018
Kioptrix - Level 1.1 (#2)
KIOPTRIX- Level 1.1 (#2)
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is the study of the hacking process for the vulnerable machine Kioptrix Level 1.1 (#2)
- Kioptrix Level 1.1 (#2) can be downloaded from here:
https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
- Once downloaded, extracted and opened with WMware:
2 - ENUMERATION
- First, using netdiscover let's notice that the only IP address in the local network working with WMware is 192.168.1.22, so it should correspond to the vulnerable machine Kioptrix:
- Scanning for versions and the operating system with Nmap:
3 - EXPLOITATION
- Connecting from the browser's attacker the web server answers with a login page, where we can try an SQL injection:
- The injection is successful, leading to a ping application:
- Pinging to the attacker's IP:
- Trying a Command Injection, it is also successful:
- Setting a listener session with netcat at the attacker's side:
- Following the directions on this link a bash script can be submitted as a Command Injection:
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- The reverse shell is eventually achieved at the attacker's local machine:
- However, let's notice that we have a shell just for the user apache, not with root privileges, so we need to start a privilege escalation process to get a root shell.
4 - PRIVILEGE ESCALATION
- From the previous scanning whe know that the running operating system is Linux with kernel 2.6:
- Googling for Kernel 2.6 vulnerability for privilege escalation:
- There are some exploits useful for that purpose, for instance this one:
- Using searchsploit to locate the exploit:
- Copying the exploit 9542.c to a testing folder:
- Now, setting a simple server on port 8080:
- Remembering that the shell was working at the /var/www/html directory, what usually does not have the needed pemissions to be written:
- However, the directory /tmp does usually have permission to be written, so it is better to use /tmp as a destination for downloading the exploit 9542.c from the attacker's side to the victim's side, where the exploit will be run:
- Now, we've got the exploit at the victim's machine:
- Another option would be to download the exploit to /tmp from the original website, using the option --no-check-certificate to avoid checking the server certificate against the available certificate authorities:
- Compiling the exploit:
- Running the exploit the root privileges are achieved immediately:
5 - POSTEXPLOITATION
- With the root privileges we have access to the whole filesystem, for instance the passwords file, what could be potentially decrypted:
- Also, checking the index.php we find the code that explains the SQL injection vulnerability, due to the lack of proper sanitization:
- Also, hardcoded credentials for a user:
- These credentials allow us to enter the MYSQL database:
- There are 3 databases:
- Going with the first one:
- There is a number of tables:
- Trying to get information from the table user we discover some credentials for root and john:
- In the same way:
- Going to the other database:
- Showing the tables:
- Selecting the table users:
- Another interesting source of information is the hidden file .mysql_history because sensitive information such as the text of SQL statements containing passwords might be written to it:
- Opening .mysql_history interesting credentials are found for users like john or admin: