Kioptrix level 2 contains several vulnerabilities, including an OS command injection, a privilege escalation and an SQL injection vulnerability.
The Kioptrix level 2 VulnHub link is below:
Kioptrix Level 2 download page
The first step is a port scan to see which services are running.
The port scan results show SSH, HTTP, rpcbind, SSL, ipp and MySQL running. The next step is to enumerate these ports.
SSH is running the same version as level 1, which is not vulnerable, and searchsploit came back with nothing for this SSH version.
The HTTP server is running Apache 2.0.52, which is vulnerable to a GET Denial of Service exploit. However, this will not help get a reverse shell. Dirb and Nikto do not reveal any useful information.
1.3 ipp CUPS 1.1 - Port 631
CUPS 1.1 has a remote command execution exploit; however, I could not get this exploit to work.
2.1 Exploitation of web server
The webpage contains a login prompt which could potentially be connected to the SQL database, since MySQL is running on port 3306. SQL injection could be tried here.
An assumption is made that the login query is using
SELECT * FROM users WHERE username='random' AND password='password'
or something similar. To test for SQL injection a random username was entered, and in the password field the following
1' or '1' = '1'# was used. The query now checks whether the password is equal to '1' or whether '1' = '1', which is always true, and the trailing # comments out the rest of the query. When clicking 'Login', the SQL injection is
executed and login is successful.
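To make the tautology concrete, here is an added example (not code from the VM or from this write-up) that builds the assumed login query by string concatenation and contrasts it with a parameterized query. It uses an in-memory SQLite table with a constructed user; because SQLite has no MySQL-style # line comment, the demo payload is the same tautology without the trailing #.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the VM's MySQL users table (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hunter2')")  # constructed sample row
    conn.commit()
    return conn


def build_login_query(username, password):
    # The query shape the write-up assumes, built by string concatenation:
    # user input is pasted straight into the SQL text.
    return ("SELECT * FROM users WHERE username='%s' AND password='%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    # With password "1' or '1' = '1" the WHERE clause becomes
    #   username='random' AND password='1' or '1' = '1'
    # AND binds tighter than OR, so the OR branch makes every row match.
    rows = conn.execute(build_login_query(username, password)).fetchall()
    return len(rows) > 0


def login_parameterized(conn, username, password):
    # Hardened form: placeholders let the driver bind the values, so quotes
    # and OR inside the input are compared as data, never parsed as SQL.
    rows = conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    db = make_db()
    payload = "1' or '1' = '1"
    print(build_login_query("random", payload))
    print("vulnerable login bypassed:", login_vulnerable(db, "random", payload))
    print("parameterized login bypassed:", login_parameterized(db, "random", payload))
```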
An admin web console appears with a 'ping a network' input field. This looks similar to DVWA's command
execution page. An attempt is made to append a ; after the IP address to try to execute
the id command.
This works! The id is returned as uid=48(apache) gid=48(apache) groups=48(apache). Since I do not have
root access, privilege escalation has to be done to try to get root.
3.1 Post exploitation
After looking through the file system, several useful pieces of information were found.
-> The passwd file is viewable:
cat /etc/passwd lists all the users on the system.
-> A PHP file in www/html contains the MySQL login username/password.
-> The kernel version is retrieved using
uname -r, which returns 2.6.9-55.EL, and the system is running CentOS.
Searchsploit is used to find kernel exploits for 2.6.9, and a local exploit is found:
LINK: ExploitDB - Linux Kernel 2.4.x/2.6 Local Privilege Escalation
Even though an exploit has been found, it still needs to be downloaded onto the system. After looking around, I found that the /tmp directory has write permissions for everyone. Using wget, the exploit is downloaded from an external HTTP server that I set up. The exploit is then compiled using gcc exploit.c -o exploit, which allows it to be executed. When the exploit is executed, the privileges are escalated and I have root access (shown below).