Monday, June 4, 2018

Kioptrix - Level 1.1 (#2)


- Layout for this exercise:





1 - INTRODUCTION

 - The goal of this exercise is to study the hacking process for the vulnerable machine Kioptrix Level 1.1 (#2).

 - Kioptrix Level 1.1 (#2) can be downloaded from here:

https://www.vulnhub.com/entry/kioptrix-level-11-2,23/






- Once downloaded, extracted and opened with VMware:





2 - ENUMERATION

- First, netdiscover shows that the only IP address on the local network belonging to VMware is 192.168.1.22, so it should correspond to the vulnerable machine Kioptrix:







- Scanning for versions and the operating system with Nmap:






3 - EXPLOITATION

- Connecting from the attacker's browser, the web server answers with a login page, where we can try an SQL injection:




- The injection is successful, leading to a ping application:




- Pinging the attacker's IP:







- Trying a command injection, which is also successful:







- Setting a listener session with netcat at the attacker's side:






- Following the directions at this link, a bash script can be submitted through the command injection:

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet


- The reverse shell is eventually achieved at the attacker's local machine:



- However, note that the shell runs as the user apache, not as root, so a privilege escalation process is needed to get a root shell.


4 - PRIVILEGE ESCALATION

- From the previous scanning we know that the running operating system is Linux with kernel 2.6:




- Googling for a kernel 2.6 privilege escalation vulnerability:





- There are some exploits useful for that purpose, for instance this one:





- Using searchsploit to locate the exploit:








- Copying the exploit 9542.c to a testing folder:








- Now, setting up a simple server on port 8080 at the attacker's side:




- Remember that the shell was working in the /var/www/html directory, which usually does not have the needed write permissions:




- However, the directory /tmp is usually writable, so it is better to use /tmp as the destination when downloading the exploit 9542.c from the attacker's machine to the victim, where the exploit will be run:


- Now, we've got the exploit at the victim's machine:




- Another option would be to download the exploit to /tmp from the original website, using wget's --no-check-certificate option to skip validating the server certificate against the available certificate authorities (which also means the authenticity of the download is not verified):





- Compiling the exploit:






- Running the exploit, root privileges are achieved immediately:




5 - POST-EXPLOITATION

- With root privileges we have access to the whole filesystem, for instance the passwords file, whose hashes could potentially be cracked:




- Also, checking index.php we find the code that explains the SQL injection vulnerability: the user input is placed directly into the query without proper sanitization:
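As an added illustration (not the page's own code, nor the VM's PHP), the following Python snippet mirrors the index.php pattern of concatenating user input into the login query and places it beside the parameterized version; the table contents and the credentials are constructed sample data, and an in-memory SQLite database stands in for MySQL.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the login table (sample data, not from the VM)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("john", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Same defect as the page's index.php: input is concatenated into the SQL text,
    so a quote in the input escapes the string literal and rewrites the WHERE clause."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders keep the input as data, never as SQL grammar."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both versions with real credentials and with a tautology payload."""
    conn = build_db()
    payload = "' OR '1'='1"  # closes the quoted literal and makes the clause always true
    return {
        "legit_vulnerable": login_vulnerable(conn, "john", "hunter2"),
        "legit_safe": login_parameterized(conn, "john", "hunter2"),
        "injected_vulnerable": login_vulnerable(conn, payload, payload),
        "injected_safe": login_parameterized(conn, payload, payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable version returns the first row (admin) for the injected input, while the parameterized version returns no match because the payload is compared literally as a username.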






- Also, hardcoded database credentials for a user:




- These credentials allow us to enter the MySQL database:




- There are 3 databases:




- Going with the first one:




- There are a number of tables:




- Querying the table user, we discover credentials for root and john:








- In the same way:




- Going to the other database:





- Showing the tables:




- Selecting the table users:




- Another interesting source of information is the hidden file .mysql_history, because the MySQL client writes the text of executed SQL statements to it, including any that contain passwords:





- Opening .mysql_history, credentials are found for users such as john and admin: